The Challenge of Creating Web-Based Identity Standards

John Fontana is the identity evangelist for Ping Identity and editor of the PingTalk Blog. Prior to joining Ping, he spent 11 years as a senior editor at Network World.

Google, Facebook, Yahoo and others all want to be your identity platform on the web. But while it’s certainly convenient to have one credential for multiple websites, many would argue these services are only secure enough to access your grandmother’s online recipe book.

Growing numbers of technologists, IT executives, organizations and governments believe an identity authentication model must establish set standards.

But can any set of standards answer the tough security challenges, and to what degree? Is it safe to check your social security account on a credential issued by Google? To access health records using your Facebook ID?

Not today. And tomorrow is not likely either.

SEE ALSO: Who Owns Your Identity on the Social Web?

However, OpenID Connect and OAuth 2.0 (open authentication) are pointing to some of the best and most promising standards of today. OAuth is the foundation for OpenID Connect (the basis for consumer ID) and for User Managed Access (UMA), a model that lets users control their personal data. Companies such as Bechtel, Chevron, Cisco, GE, M&T Bank,, and others are already enjoying early success. OpenID Connect and OAuth 2.0 offer a place where consumer and corporate IDs can co-mingle in a secure cloud, protected by acceptable levels of security.

While it’s too early to tell if OpenID and OAuth will succeed, so far, they appear able to validate a user’s identity — perhaps even identities created by search engines and social sites.

“Street Identity” and Identity Attribute Data

Furthermore, big names are supporting the standards push. Google, Verizon, data exchange service ID/Webdata, and trust framework provider Open Identity Exchange (OIX) proposed a service called Street Identity at a conference last week. Street Identity is designed to strengthen authentication on the web. Loosely-coupled “providers” contribute user data called attributes, such as street address, age and/or mobile phone number that can be used to more accurately validate a user’s identity.

“Google’s [efforts] recognize what is happening now, which is identities are being deconstructed into attributes,” says Don Thibeau, chairman of OIX.

Ironically, Google and other companies with massive user data repositories don’t have enough validated pieces of user information to strengthen authentication. Google would need to partner with an attribute provider that would incorporate that information into the authentication process — with user consent, of course. The service would include a revenue model for businesses and organizations that agree to participate.

Google’s idea doesn’t replace the current identity standards effort. Rather, Street Identity is building on OpenID Connect and OAuth. It incorporates UMA for user control and features the first implementation of OpenID Connect’s spec for attribute aggregation and distribution, which was largely championed by Microsoft and its internal identity guru, Mike Jones.

Google and its partners believe that by aggregating a user’s data from various trusted sources, Street Identity can solve three problems: First, the service would connect to real-world identities, which OpenID does not do. It would provide a financial incentive for mobile operators that collect fees for providing data. Finally, it allows the government to steer clear of the electronic ID business by accessing needed data via attribute providers.

The prospect sounds promising, but so did pure PKI before its implementers began telling war stories. It seems, however, that Google continues to work toward a user authentication standard. The caveat is that standardization still has a lot more work ahead.

Image courtesy of Flickr, Darwin Bell

More About: consumer protection, contributor, features, Google, identity management, openID, privacy

For more Dev & Design coverage:

This entry was posted in consumer protection, contributor, features, google, identity management, openID, privacy and tagged , , , , , , , , , . Bookmark the permalink.