The Identropy Blog


Will Strong Authentication ever Reach a Mass Scale? (Part 2 of 2)


Back to the initial point of this article...

Antiquated, paper-based processes should be decomposed and replaced by modern, electronic solutions. Authenticating a digital identity will be an essential building block in the development of such solutions, just as the electric battery will be a building block in the rise of the electric car (à la Shai Agassi). And here is where I commend the vision and entrepreneurship of Brent and Sal. They have both come up with multi-factor authentication solutions that, from a technical standpoint, meet the credential management requirements of Kantara Initiative's Identity Assurance Framework Assurance Levels 3 (AL3) and 4 (AL4). In addition, and more importantly, they employ novel business models that make them feasible, thinking at Internet scale (and not in expensive, non-scalable models such as HSPD-12).

It is only with this kind of perspective that the next generation of strong authentication solutions will become a reality. The focus needs to be well beyond technology: how can organizations benefit from economies of scale, mass adoption and leverage ubiquitous 21st century infrastructure such as cell phones and telephony in general?

Resolving this issue will be far more important to identity-enabling high-value services than whether the credentials and claims are exchanged via SAML, OpenID, CardSpace, good old X.509, or one-time passwords (OTP) via SMS. At this point in time, that is the easiest piece of the puzzle.

Disclaimer for the Identirati: I really don't mean to trivialize federated identity technology, or offend those producing great work and advances in this area; it is just that these technological challenges are dwarfed by those in the business area. Hopefully I won't be stoned to death for making this statement.

It is all about the business model

We are on the brink of a tipping point. But for a significant change to take place, we need to stop thinking about the obvious business model that has been attempted for years on how to provide strong authentication in large scale: the end user [or its sponsoring organization] pays.

Let me illustrate: in order to mitigate the risks of accessing sensitive information, many organizations sponsor strong authentication credentials for their user base (employees, contractors, vendors, suppliers, consumers, etc.), along with the identity proofing and issuance process that each user needs to go through to get the credential. For instance, employers issue OTP devices to their employees for remote access to their intranet; banks issue OTP devices, USB tokens or smart cards to their customers for sensitive transactions; pharmaceutical companies issue high-assurance X.509 certificates to their R&D staff for electronic submissions to the FDA and the US Patent Office; and similarly, aerospace and defense companies issue high-assurance certificates to their workforce to encrypt and authenticate when accessing DoD-sensitive data.

In most if not all cases, the organization foots the entire bill, and limits the use of the credential to the purposes intended and nothing more (even in cases of federated use, such as SAFE-BioPharma or CertiPath). While this contains their risk and liability exposure, it also increases the cost involved in digitalizing the process, and severely constrains the possibility of mass adoption. Also, for the fashion and public health conscious, it creates the dreaded "token necklace" syndrome. Burton Group's Mark Diodati published an article on this topic in October 2009, which I found interesting.

A look into the future

OK, so let's fast forward to the 21st century. All right, not exactly... maybe beyond its first or second decade. After several false starts by the governments of several developed countries, entrepreneurs finally figured out business models that made strong authentication economically viable at Internet scale.

The world has understood that charging organizations or even end users for a digital credential simply does not work. Instead, successful identity-enabled services leverage ubiquitous infrastructure such as cell phones, and do not charge on a per-credential basis, but instead for the use of the service. Operators exist who are willing to give out strong-authentication devices for free or for a nominal service fee. These devices can carry more than one digital identity credential in a FIPS 140-2 certified compartment. The same form factor, and even the same credential, can be leveraged across multiple services. Service providers collectively subsidize the cost of the credential and form factor, similar to the 20th century credit card and ATM networks (oh my God, did I say this out loud?). For many service providers, the cost of providing strong authentication at AL3 and AL4 is much less than the cost of fraud they would face with lower levels of assurance.

The average citizen carries a strong-authentication physical device that contains their most sensitive digital credentials: the ones that they use to perform the most sensitive transactions (AL4), such as:

  • Perform high-value financial operations
  • Pay taxes
  • Gain access to healthcare services
  • Play in their online casino
  • Be able to buy liquor by proving that they are over 21-years old
  • Digitally sign their now-electronic mortgage application (wouldn't this be nice?).

They rely on their PDA or cell phone (and in some cases on other voice-based channels, such as an old-fashioned land line) to securely authenticate and gain access to other, less sensitive services (AL3), such as buying personal items online, bidding on eBay for some memorabilia, checking in for a flight, confirming a stock purchase transaction, and accessing consumer online banking sites. All without having to pay for the issuance of the credential, or for the authentication event.

I envision a near future in which society will enjoy some basic benefits at no direct cost: access to breathable air, access to the Internet, and access to strong and legally enforceable authentication in a digital context, which will enable secure access to day-to-day electronic and online services. High-value identity-enabled services will be so popular, trustworthy and successful that the regular user will not even remember that, at some point in time, strong authentication was doubted to ever reach mass scale.

Wow, that sounded a lot like Isaac Asimov. I strongly encourage you to read and provide feedback on the Department of Homeland Security's [Draft] National Strategy for Trusted Identities in Cyberspace.

Your comments are most welcome.

Comments

Very timely and relevant article on the migration toward stronger forms of authentication. I've been working with a company called TeleSign (http://www.TeleSign.com) whose two-factor solutions have been deployed to a myriad of business enterprises. Feel free to check them out.

Respectfully,

TeleSign Matt
Posted @ Wednesday, September 15, 2010 2:55 PM by TeleSign Matt