Crossroads Blog | Institute National Security and Counterterrorism

anonymity, Authentication, Criticism, Identity Management, NS-TIC

When Do People Care Who You Are Online?

In an article dated April 1, 2011, Jessica Herrera-Flanigan of nextgov reports on the pitfalls of a "federated authentication" system, which were recently highlighted by Ross Anderson, a professor of Security Engineering at Cambridge University.

Professor Anderson recently published a paper entitled "Can We Fix the Security Economics of Federated Authentication?" in which he brings to light two concerns associated with federated authentication. First, "not all authentications need the same level of assurance," and, to paraphrase the second, the liability associated with getting authentication wrong drives the level of investment made in order to get it right.

To illustrate the first point, Ms. Herrera-Flanigan points out that "The New York Times online [is not] that concerned (relatively speaking) about me circumventing the newspaper's authentication system [by posing as a friend with an account in order to] post snarky comments about New Jersey in his name."  On the other hand, if Ms. Herrera-Flanigan had that same friend's bank account information, including his log-on identification and password, and used that information to transfer funds from his account, "then concerns about authentication are rightly elevated."  

With regard to the second point raised by Professor Anderson, Ms. Herrera-Flanigan poses the following question: ". . . in a federated identity framework, which identity provider makes [the necessary] investments?" It makes sense for banks to invest heavily in identity authentication because, as illustrated above, the costs of getting authentication wrong could be devastating. Does it follow then that Facebook should have to bear a portion of that expense when it doesn't require similar assurances of accuracy? If not, is the banking industry likely to share its assurance technology with other industries for free? The answer to both questions is, of course, no.

Thus, as the Obama Administration's National Strategy for Trusted Identities in Cyberspace (NS-TIC) notes:

"To date, the appropriate apportionment of liability has prevented the cross-sector issuance and acceptance of identity credentials. The federal government must address this barrier through liability reform in order to establish the multi-directional trust required by transaction participants. The identity ecosystem promotes models that mitigate liability to an acceptable level relative to the benefits associated with participation in the ecosystem."

According to Ms. Herrera-Flanigan, the NS-TIC has the right framework in mind. The issue moving forward is "how do we implement operational solutions?" Additionally, she poses this question, which gets at the heart of reform: "what threshold of liability will participants and users be able to bear before questioning any significant reform?"

 

Ms. Herrera-Flanigan's full article can be found at the link above, or here. Additionally, Professor Anderson's paper, "Can We Fix the Security Economics of Federated Authentication?", is available at the link provided above, or here.
