The case for claims-based identity management

On a bright sunny day this past June in Niagara-on-the-lake, while tourists were arriving to take in the plays at the Shaw Festival, Dave Nikolejsin climbed onstage for what could end up being the most provocative performance of his career.

The CIO for the province of British Columbia was at Lac Carling Congress, an annual gathering of public sector technology professionals and public servants, to lead a session on how the government could do a better job of offering “trusted services” in an online world. The introduction from Nunavut CIO Peter Baril, however, made it sound as though his peer was about to be thrown to the dogs. A panel of fellow CIOs and deputy ministers were ready to “rip him apart,” once he presented his idea, Baril said, adding that Nikolejsin was “looking forward to it.”

When he finally stood up at the podium, however, Nikolejsin didn’t seem like a man spoiling for a fight. Tall, bespectacled and projecting an easygoing manner, he simply spent the next 30 minutes outlining an approach that would fundamentally change the way governments and even private businesses handle identity management. In other words, a way for banks, agencies and other organizations to verify who someone is when they need to access personal information in order to provide a service involving the Internet.

Right now, most Web sites require users to register for anything important they want to do online. This involves filling out a form with name, address and other contact information, as well as choosing a unique user name and password. As you use more and more online services, of course, you end up with a laundry list of passwords you can’t remember, and some frustrated Internet users are reaching “registration fatigue,” avoiding signing up altogether if possible.

The usual alternative is a “common credential service,” where, for example, the government could provide users with something to identify themselves without having to sign up. This would include the number mailed out to citizens every year to file their taxes using NetFile – a service Nikolejsin, for one, loves. “It’s a great service, but the problem is I can’t take that four-digit code and do anything else with it,” he says.

Instead, common credential services are typically tied to one or a few systems, so they’re not interoperable. Nikolejsin claims they’re also much slower to use on the back end and increase risk.

Claims-based ID

Nikolejsin’s vision is based on what’s called “claims-based” identity management, which would provide a similar interface for booking a hotel, buying a book or registering for a course online, but allow the user to choose the credential that verifies who they are.

Here’s how it works: An organization such as Canada Revenue Agency or is the “relying party” which controls access to a service, such as processing a tax return or selling a book. Relying parties require proof of identity online to provide that service. If it’s the CRA, a user’s name, SIN number and employer might be good enough. To buy a book, would need a shipping address but also the ability to ensure the online customer’s credit card is valid.

This kind of personal information is already stored by a number of organizations. The government of Canada would have users’ SIN numbers, for instance, and a bank like RBC would have access to their credit information. There might be other so-called “authoritative parties,” however. A provincial agency might also have a user’s SIN number on file, or the same book buyer might also be a BMO customer. Under the claims-based model, the user would tap into a sort of electronic wallet on their computer called an identity agent. This software would let the user choose which “information card” – electronic versions of their bank card, their health card, or even a university alumni card – they want the relying party to use to verify their claims about their identity. For Nikolejsin, nothing beats a driver’s licence.

“They’re hard to get, so it’s very trusted,” he said. “If you’re from Ontario and you want to rent a movie where I’m from, even if they’ve never heard of you in B.C., they’ll accept (your driver’s licence).”

The appeal of claims-based identity management is that it’s user-centric, according to Nikolejsin, whose government is testing the waters with an architecture built on the concept. The Internet user calls the shots on which information cards a relying party uses. That way a user doesn’t have to keep filling out registration forms with information that, say, the CRA might require but that an online bookstore doesn’t. It means the retailer, hospital or other organization isn’t in the business of authenticating the credentials – the authoritative party such as the bank or school does that through the identity agent software.
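The exchange described above, as an added example written for this article rather than code from B.C.’s pilot or from any product it names: the authoritative party signs only the claims the relying party asked for, and the relying party checks the issuer’s signature and the claims it needs instead of authenticating the user itself. Issuer and service names, claim names, the constructed sample values and the use of Ed25519 for the signature are all assumptions; which card the identity agent offers is left to the caller.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Token carries the claims one authoritative party releases to one relying party, signed by that party.
type Token struct {
	Issuer, Audience string
	Claims           map[string]string
	Sig              []byte
}
// payload is the canonical byte string the signature covers (Sig excluded; encoding/json sorts map keys).
func (t Token) payload() []byte { t.Sig = nil; b, _ := json.Marshal(t); return b }
// Issue is the authoritative party's side: release only the claims asked for, refuse any it cannot vouch for.
func Issue(issuer string, key ed25519.PrivateKey, facts map[string]string, aud string, wanted []string) (Token, error) {
	t := Token{Issuer: issuer, Audience: aud, Claims: map[string]string{}}
	for _, c := range wanted {
		v, ok := facts[c]
		if !ok {
			return Token{}, errors.New(issuer + " cannot assert " + c)
		}
		t.Claims[c] = v
	}
	t.Sig = ed25519.Sign(key, t.payload())
	return t, nil
}
// Verify is the relying party's side: accept only a token meant for this service, signed by a trusted issuer, intact and carrying every claim the service needs.
func Verify(service string, trusted map[string]ed25519.PublicKey, needs []string, t Token) error {
	pub, ok := trusted[t.Issuer]
	if !ok || t.Audience != service || !ed25519.Verify(pub, t.payload(), t.Sig) {
		return errors.New("token rejected: untrusted issuer, wrong audience or bad signature")
	}
	for _, c := range needs {
		if _, has := t.Claims[c]; !has {
			return errors.New("missing claim " + c)
		}
	}
	return nil
}

func main() { // constructed walk-through: a bank-issued card satisfies an online bookstore
	pub, key, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	bank := map[string]string{"ship_to": "1 Main St, Victoria BC", "card_valid": "true", "balance": "4200"}
	needs := []string{"ship_to", "card_valid"}
	tok, _ := Issue("bank", key, bank, "bookstore", needs)
	fmt.Println(tok.Claims, Verify("bookstore", map[string]ed25519.PublicKey{"bank": pub}, needs, tok))
}
```

The bookstore never learns the account balance, and a token issued for the bookstore is useless at any other service because the audience is part of the signed bytes.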

“The differentiation between identification and authentication gets bogged down,” Nikolejsin says. “Authentication makes no difference if they don’t know who they’re dealing with.”

Pilots underway

A move to claims-based identity could affect not merely government CIOs, obviously, but senior IT executives in almost any industry, since many of them have set up complex and expensive systems to collect user data and passwords to manage transactions.

Kaliya Hamlin, an expert in user-centric identity who has been holding conferences and training about the claims-based approach in Mountain View, Calif., says more organizations are ready to get out of the authentication game.

“It makes sense for institutions like banks and governments and health care providers to know me – they have an investment in knowing who I am. It’s worth it,” says Hamlin, who also maintains a popular blog called Identity Woman. “But I’m also going to go and do transactions with other people for whom it isn’t worth it. Why wouldn’t they trust another entity’s assertion about me? It reduces their costs and it increases their assurance.”

Organizations around the world are beginning to think the same thing. The European Union has set up Stork, a pilot project which will allow businesses, citizens and government employees to use their national electronic identities in any member state. France is working on an experiment of its own, called Fédération de Cercles de Confiance, or FC2. The United States hasn’t moved to claims-based identity management, but last month the General Services Administration (GSA) held a public meeting where privacy experts talked about using information cards for government systems.

Mary Ruddy, a founding board member of the Information Card Foundation and co-leader of an open source identity management project who has been working with the GSA, says the U.S. is still in the exploratory stage, although the GSA has drafted a process whereby companies or organizations could apply to officially become one of those authoritative parties.

“You need to know you can trust those identity providers,” she says, adding some lightweight pilot projects are being discussed. “Everyone’s used to having cards in their wallet – a visual representation of that on their devices could be used by an end user to handle other protocols.”

Major barriers

Nikolejsin recognizes there will be many barriers to claims-based identity management. What happens if an online transaction is lost, or someone manages to issue claims that are wrong? If a user is stung by a virus or a phishing attack, who is responsible – the authoritative party that provides the verification credentials, the relying party that provides the service, or the software that users work with to manage their information cards? None of those policy issues have been properly ironed out.

The user-centric approach also requires putting a certain amount of faith in the personal integrity of those users. Rob Blakley, a Midvale, Utah-based researcher for the Burton Group who wrote an influential report last year called A Relationship Layer For The Web, said CIOs have to bear in mind that identity management is not about tracking character traits so much as it is one person’s relationship with various organizations. “If you look at a credit score, that’s a piece of information that to most people is personal and private. The individual to whom it refers is an interested party and doesn’t have an incentive to disclose information accurately if the score is low,” he says. A user’s credit history could be better with American Express than with Visa, for instance, so a good claims-based system would somehow have to ensure that the authoritative party would be something like Equifax, which would look at credit information more holistically.

The information cards would also have to be either stored and encrypted in the cloud — which could be uncomfortable for many people — or stored locally on a user’s laptop. Which means, of course, that someone who steals your laptop, if they knew how to access those cards, could do a lot of damage.

“Obviously, if you have all your eggs in one basket, you have to protect that basket,” says Felix Gaehtgens, who works with identity management consulting firm KCP in Brussels. “That’s no different than carrying around your wallet in the physical world today.” It might not be easy to move information cards from a laptop to a smartphone, however. This could annoy users with multiple devices, he says.

Gartner Inc. doesn’t foresee major adoption of claims-based identity for several years, according to research director Gregg Kreizman. That’s because of all the changes organizations would have to make to legacy IT systems and public-facing Web sites, as well as the challenge of getting people to set themselves up for information cards. Users would need a lot of education and incentives to do that, he says.

Apart from the costs and scope of setting up such a system among public and private sector organizations, there is fear the technology won’t work as advertised. There could also be fears about who provides that technology. Microsoft’s CardSpace is one of the early products to enter this space, and Nikolejsin referred to it repeatedly in his presentation.

“If you were to look inside B.C. right now, we’re not deploying CardSpace yet,” he says, adding that Microsoft is often considered because so many organizations use its Active Directory product to manage identity-related information. “We’re using the Microsoft toolset to do the claims-enablement. We have Geneva servers in front of our directory, and we’re also using CardSpace for all the piloting of the user-centricity piece. As we do all our pilots, though, there’s an open source equivalent to everything we do, and we make sure it works, side by side.”

Francis Shanahan, a software architect based in the U.S. who works in the financial industry, has mapped out how Microsoft’s CardSpace could be deployed in an enterprise environment. He agrees that it will be important for CardSpace and other technologies to be focused on interoperability. There are already a number of groups at work developing standards in this area, he said, to ensure that happens.

Hamlin says anti-Microsoft concerns shouldn’t lead organizations to abandon the claims-based identity card model. She pointed to Novell’s Higgins Project, and another open source initiative led by Calgary developer Pamela Dingle. The bigger obstacles are more psychological. “It requires user behaviour changes and a client-side download,” she says.

Shanahan says such cultural shifts don’t happen overnight. “It took a long time for users to get used to user names and passwords,” he says. Nikolejsin characterizes the government’s challenge as departmentalism – the tendency in the public sector to work in little fiefdoms – and corporate self-interest in the private sector. On the other hand, he says he was swarmed by people after his Lac Carling presentation with questions.

“There were two dimensions to the response. One was the program people – they get it. They understand that they can’t be responsible for this identity thing,” he says. “The other is the municipalities. They see themselves on both sides of the equation – they need big governments to stand up the architecture so they can draw down on those services.”

So far, however, there needs to be more action on the provincial or federal level, and that’s not happening. Nikolejsin suggests opinion is fractured. “Alberta is on the fence, and Ontario and the feds are headed in a different direction,” he says. “It’s not to say I’m right and they’re wrong. It’s just that we’ve made the decision that we need to be in the identity services game. They worry about the authentication.” (The federal government’s Treasury Board Secretariat did not respond to interview requests for this article.)

CIOs should take the time to test the claims-based approach now, Ruddy says, so as to be ready to make their business case.

“It’s the same best practices as with any project – find a Web site that’s relatively low-risk and put together a pilot for that,” she says. “Then you get some hands-on experience, you understand the issues a bit better, and there are plenty of folks that would be happy to help you with that.” Kreizman says the launch of Windows 7 will mean some of the claims-based technology will be built-in, so as organizations slowly upgrade a CardSpace rollout might be easier.

Carving out money for pilots from other parts of the budget might be the toughest initial step, Nikolejsin says, but one worth the effort. In the meantime, he’s prepared to keep beating the drum until more people are willing to listen.

“We’re all dreaming the same dream. It’s irrefutably correct that we all want to get services online,” he says. “Once we get (the identity part) figured out, the truly high-value services will come on board – and we’ll suddenly get a populace that’s ready and willing to use the services.”

As long as they’re ready and willing to manage their own identities, too.
