How many usernames and passwords do most people have to remember? Twenty? Thirty? More?
In 20 years time, you could have a chip inserted into you … that links to your DNA.
Paul Simmonds, founder and board member, Jericho Forum
The fact is most people have dozens of online accounts, each requiring its own username and password. That is too many to remember, which leads many to use insecure password management practices: They tend either to use the same password across multiple accounts, or write down their credentials.
To address this problem, the Jericho Forum, the think tank that coined the word “de-perimeterisation” six years ago, and sparked an industry-wide rethink of how we do security in the world of the Internet and mobile devices with its 10 commandments, has turned its attention to the thorny issue of identity and access management (IAM). The Forum has produced a new set of commandments (14 of them this time) that it hopes will help create a fundamental change in how security pros handle the subject.
The starting assumption of the new project is that the current model of usernames and passwords is broken -- merely a hangover from the mainframe era when users accessed just one system and things were a lot simpler -- and is not geared to modern needs of collaboration and operation in the cloud.
Instead, Jericho is proposing that the future of identity management employ a user-centric approach, where individuals have a core identifier that defines who they are, and to which only they have access.
The work builds on ideas already outlined in the US Government’s National Strategy for Trusted Identities in Cyberspace (NSTIC) (.pdf), which proposes what it calls an identity ecosystem, wherein individuals, organisations and the underlying infrastructure — such as routers and servers — can be authoritatively authenticated. A short video on the NSTIC website neatly illustrates the concept.
The Jericho project aims to take NSTIC a step further and provide guidance on how this identity ecosystem could be achieved in an effective way. “NSTIC doesn’t go into the details of how you do this stuff,” said Paul Simmonds, a founder and board member of the Jericho Forum. “We are trying to provide the high-level commandments, so if you are going to implement it, these are good principles to follow.”
Key to the new approach is the creation of a core identifier for every individual (as well as every device, piece of code or organisation) that wants to connect over the Internet. In the case of people, the core identifier would be a code cryptographically generated by algorithms based on certain aspects of the individual -- such as fingerprints, or face or voice patterns -- and could be stored in a variety of ways, such as a chip card with a fingerprint reader, or in a mobile phone with a forward facing camera that recognises the user’s face or voice. “In 20 years time, you could have a chip inserted into you, as we do today with Pet Passports, that links to your DNA,” Simmonds said.
These core identifiers could be issued by government -- as is happening in a national scheme in Austria(.pdf) -- or through trusted authoritative bodies. Simmonds suggested these could be companies such as Verizon or AT&T in the US, or the Post Office in the UK.
Having established the core identifier, users could then create a number of personas for different facets of their lives – such as one persona for accessing social networking sites, and another for accessing electronic health records. They key, in theory, is that each persona could operate without anyone being able to link them to the same person, allowing the individual to protect his or her privacy. “Each persona has an identifier that is linked cryptographically back to the core identifier. But you can’t go between the personas, and you can’t go back up from a persona to derive the core identity,” Simmonds said.
He admitted this separation of personas, designed to help individuals control who sees their information, would need to be supported by strong cryptography.
Simmonds insisted that companies could start planning for the new model today. “It initially requires a change of mindset, but much of this is feasible today using SAML (Security Assertion Markup Language), for instance to connect to cloud-based services."
In the longer term, Simmonds admitted, there will need to be an investment by government in providing the infrastructure to support the IDeA model. But, in a world where services will increasingly be delivered online, he said, the model can lower costs, provide more flexibility and deliver higher levels of security and trust. “Getting identity right will allow faster, more secure and more flexible collaborative business relationships,” he said.
The publication of the IDeA Jericho Forum Commandments (.pdf) will be followed soon by more detailed explanatory documents dealing with the various aspects of the model, Simmonds said.