Just after the tragic events of 9/11 happened, positively confirming a person’s identity became an obsession of ours for every sort of transaction under the sun. A myriad of authentication methods came out of the woodwork claiming they were going to make our passwords and cheap plastic cards go away. Pilot projects were launched where our grandmothers were trying to buy pie fixings with nothing but their wise old fingerprints. Credit cards with smart chips were provided for the savvy world travelers to buy their seven dollar fancy trail mix before boarding their flight.
Fast-forward 12 years and we are still logging in with those pesky passwords (some are still using the same password as back then), and we are still presenting a relatively simple and ‘dumb’ piece of plastic to board our plane (UV flashlights?…oh ok). Why? Primarily because the effort required to upgrade existing infrastructures is too high, and secondarily because real risk and transactional cost are now back into the equation. Fundamentally we are back to asking the question “What reduction in risk is appropriate for my transaction type and at what cost?”
Well, after trying to change the authentication world (multiple times), some of us decided to leave the proverbial battle ground and move on to an over-arching issue regarding trust in the transaction: authorization.
Credentials Good for Authentication
Very few transactions are plain vanilla, and therefore trying to embody and update multiple or complex authorizations (privileges) within a given credential gets expensive and difficult very quickly. Most transactions involve a whole set of policies (rules and relationships) with different circumstances as options. These policies might include multiple parties involved in the transaction, key dependencies that must be satisfied in advance, validation of multiple attributes, consideration of environmental conditions at the time of the transaction, etc.
Moreover, a given credential (and its authentication result) is only as good as the day it was created because the attributes registered behind it get stale without routinely verifying against authoritative sources (which is rarely done today). Therefore, credentials frequently lend themselves to helping confirm identity versus privileges, especially those registered for in person.
Decoupling Authentication and Authorization
Credential authentication is treated as just one decision point of many that may be involved in the overall transaction. So why not decouple the authorization and authentication to deliver a more robust yet flexible solution that can meet specific transactional risk and cost needs more appropriately, including leveraging (and sometimes combining) existing infrastructures and credentials?
Well, that is just what is shaping up to become the new reference for executing transactions of all sorts (including for logical and physical access). Credential authentication results, identity attribute verification results, and environmental conditions are all measured against the policy to determine whether a person is authorized to execute a given transaction (or to receive a corresponding privilege to be exercised later). You may have heard some of the terms already, like ‘identity ecosystem’ and ‘trust framework.’ You may also be aware of the National Strategy for Trusted Identities in Cyberspace (NSTIC) managed by National Institute of Standards and Technology (NIST).
Authorization: Cloud, Social, and Mobile
Consider that you need communications to properly authenticate a credential anyway (even to cache a list to verify against), as not many want to use an expired or revoked credential in their transaction. And communications has become relatively cheap (even in those countries where communications costs drove the adoption of smart cards previously). Therefore, leveraging a secure cloud service to execute business transactions/access control is a natural conclusion and many are moving in that direction.
According to NIST, “the Identity Ecosystem is a user-centric online environment, a set of technologies, policies, and agreed upon standards that securely supports transactions ranging from anonymous to fully authenticated and from low to high value.” The trust framework represents a community of stakeholders that agree to abide by the identity ecosystem to resolve transactions and conduct business. Herein lies the secure, social aspect.
Winners will be the trust frameworks that leverage an identity ecosystem that delivers the lowest risk for the least cost, including accommodating existing infrastructures and ways of doing business, as well as multiple parties to the transaction (beyond peer-to-peer). This includes 1) offering the most affordable credential options, 2) the ability to routinely validate as many identity attributes as possible, and 3) a policy engine that takes into account the environmental conditions of the transaction and makes reliable decisions affordably and securely.
Finally, getting authentication results and authorization decisions to the right place and people anywhere is also a key to success. Think mobile: Stakeholders increasingly need the ability to serve their role in the transaction from anywhere, including interactions that occur on mobile devices. This may include the ability for the individual (or organization personnel) to launch and execute a transaction, and determine what results and corresponding detailed data can be revealed for the transaction.
In this new social age, is it too late to have any privacy? Or should we operate on the assumption that all our data is now public?