Title: Digital Identity: Who Wants to Know and Why? What the Business of Identity Means to Privacy

1. Digital Identity: Who Wants to Know and Why? What the Business of Identity Means to Privacy
Carol Coye Benson, Managing Partner, Glenbrook Partners (Trusted Advisors in Financial Services)
2. Why Digital Identity Should Matter to You
- Digital identity is the attachment point for privacy rights in remote domains
- New developments in digital identity may result in increased consumer privacy exposures
- But new capabilities in digital identity may also provide powerful tools to control consumer data and mitigate privacy risks
3. What's Pushing Change in Digital Identity
- Economic Factors
  - Broad-scale use of the Web as an information and task utility, much of which needs to be identity enabled
  - Identity theft losses
- Political Factors
  - National security
  - Consumer outrage at identity theft
- Technical Factors
  - Shared authentication capabilities
4. Money Creates the Problem...
- A problem: abuse of consumer data
  - Driven by marketers wanting to make money
  - Managed, with considerable success, by regulatory constraints put on enterprises, limiting their ability to use data
- A worse problem: identity theft
  - Driven by thieves wanting to steal money
  - No one has yet found an adequate solution
- And money is also driving investment in digital identity technologies that may help solve these problems
6. The United States Today: An Economic Structure That Enables Identity Theft
[Diagram: a "Good Guy" surrounded by existing and past creditors (bank, credit card company, store, mortgage company) that report to credit reporting bureaus, which in turn serve prospective creditors (auto loan, finance company, store); a "Bad Guy" obtains credit from a store, a broker and a credit card company through the same structure.]
7. Digital Identity: What is It?
- A data record associated with an individual which is used to give access to rights, information, or systems. The manifestation of digital identity is an identity credential.
- Every identity credential is characterized by:
  - A credential technology
  - A credential issuer
  - A registration process
  - A credential holder
  - A relying party or service provider
  - A presentation and validation process
  - A management process
8. Digital Identity: How it Works
[Diagram: Registration followed by Authentication]
- Registration is the process of verifying identity and any profile data collected, and issuing a credential.
- Authentication occurs when a credential holder presents their credential to a relying party. The relying party usually takes steps to validate the credential. The relying party then makes access to services or systems available to the credential holder.
9. Digital Credentials Aren't That Different
                                              The Physical World          The Digital World
Issued by the party that uses (relies on) them: Employer ID, Bank ATM Card   ID/Passwords
Issued by third parties:                        Credit Card                 PKI Certificate
Both physical and digital identity credentials provide direct authentication.
10. Inferred Authentication
- Inferred authentication is used in the absence of a valid direct credential
- Inferred authentication is a form of sleuthing to try to figure out if an identity claim ("I am Sally") is valid
- Inferred authentication includes checking an individual's claim (name, address, etc.) against one or more databases, analyzing data, and may include challenge/response inquiries ("what kind of car do you drive?")
- Similar to credit risk management processes used by credit-granting institutions
- Use of inferred authentication is growing rapidly
- There is a large and growing field of sophisticated solution providers
11. Where Inferred Authentication is Used
[Diagram: the physical/digital credential table from the previous slide, annotated with two uses of inferred authentication]
                                              The Physical World          The Digital World
Issued by the party that uses (relies on) them: Employer ID, Bank ATM Card   ID/Passwords
Issued by third parties:                        Credit Card                 PKI Certificate
- As the registration process prior to issuing a digital credential
- As an alternative to direct authentication in digital (or remote) environments
12. Inferred Authentication Works, But...
[Diagram: Source Data (Customer Proprietary, Public Data, Vendor Proprietary, Consortia/Shared) feeds Analysis/Scoring Logic, which feeds Decision Logic]
- Inferred authentication techniques are unwitting enablers of identity theft
- One could argue that some inferred authentication techniques are themselves violations of consumer privacy
13. What's New: Shared Authentication
- Shared authentication will let direct credentials be more widely used in remote settings, thereby avoiding the need for inferred authentication
- Shared authentication is a set of new technologies, standards, and business practices that allow a credential issuer to assert the identity and associated profile data of an existing credential holder to a third party
[Diagram: Registration, then Authentication, then Assertion]
14. Shared Authentication
[Diagram: Credential Holder, Credential Issuer and First Relying Party, Second Relying Party; steps shown:]
- Normal log-in (credential holder to credential issuer / first relying party)
- Identity and profile data assertion (credential issuer to second relying party)
- Consent process (at setup): "do you want to be automatically logged onto this Relying Party from our site?"
- Log-in through shared authentication (credential holder to second relying party)
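A worked model of the assertion flow on this slide, added here as an illustration and not taken from the presentation: the credential issuer signs an assertion that carries only the profile fields the holder consented to release at setup, and the second relying party checks signature, audience and expiry before logging the holder in. It assumes a pre-shared HMAC key between the two parties as a stand-in for the XML signatures a SAML deployment would use; all names and values are constructed.

```python
import hashlib
import hmac
import json
import time

# Constructed shared secret between the credential issuer and the second
# relying party (assumption: a pre-shared key stands in for real key material).
ISSUER_KEY = b"constructed-demo-key-do-not-reuse"


def issue_assertion(key, issuer, subject, profile, consented_fields, audience,
                    ttl=300, now=None):
    """Credential issuer (first relying party) asserts identity to a second
    relying party. Only profile fields the holder consented to release at
    setup are included, so unconsented data never leaves the issuer."""
    now = time.time() if now is None else now
    payload = {
        "issuer": issuer,
        "subject": subject,
        "audience": audience,          # the relying party this is meant for
        "issued_at": now,
        "expires": now + ttl,          # short-lived to limit replay
        "profile": {k: v for k, v in profile.items() if k in consented_fields},
    }
    body = json.dumps(payload, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def validate_assertion(key, assertion, expected_audience, now=None):
    """Second relying party: verify signature, audience and expiry before
    granting access. Returns the verified payload, or None on any failure."""
    body = assertion["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None                    # tampered or forged assertion
    payload = json.loads(body)
    now = time.time() if now is None else now
    if payload["audience"] != expected_audience:
        return None                    # assertion replayed at another party
    if payload["expires"] < now:
        return None                    # stale assertion
    return payload
```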
15. Activity in Shared Authentication
- Standards and Quasi-Standards
  - The Liberty Alliance
  - OASIS/SAML
  - WS-Security
  - Shibboleth
- Products and Services
  - Verified by Visa
  - Microsoft Passport
16. Business Roles in Shared Authentication
- As credential issuers: conducting the original registration process for a credential
- As relying parties: using credentials to grant access to services
- As vendors:
  - Providers of enterprise software in identity management
  - Service providers of credential assertions to downstream relying parties
  - Providers of identity-enabled applications, particularly data stores
  - Providers of identity infrastructure and network services
17. How Will Credentials be Valued?

18. Issues in Implementing Shared Authentication
- "What price identity?": how much will be paid for third-party credentials
- "The buck stops where?": who is liable, and for what
- "You did what?": managing data privacy in an identity-enabled marketplace
19. What it Means to Privacy
- The ability to link consumer digital identities and their associated profile data increases the risk of consumer exposure
- New products are privacy aware and include consumer consent, but increasing complexity may make it difficult for consumers to grasp what it is they are consenting to
- Increased utility of existing direct digital credentials may make it possible to reduce the amount of inferred authentication being done behind the scenes
20. Glenbrook Partners (www.glenbrook.com)
Glenbrook Partners is a consulting and research firm that helps clients leverage the electronic delivery of financial services, with particular focus on payments, identity management, and authentication.
- Carol Coye Benson, (1) 541 301 0139, carol_at_glenbrook.com