Strong Authentication

Since fall 2005, the Liberty Alliance has focused on defining a standard industry framework that enables interoperability of multiple authentication mechanisms in Federated and/or Web services and/or stand-alone digital identity architectures/environments.

A lot of work is being done in this space quickly, so check here often for updates on this very important strategic initiative.

The group is completing a gap analysis of the current marketplace solutions, looking at similar goals and is currently completing its first market requirements documentation (MRD). As MRDs have been completed, the group has defined the real-life usage of strong authentication should addressed, broadly for all applicable environments requiring strong authentication.

The group has recognized that the need for standardization in the area of strong authentication was driven by current deficiencies in allowing the deployment of varied authentication to large audiences and the perceived need to allow for interoperability among providers and consumers of authentication services. Three focal points have been used to articulate the needs and the associated issues that a heterogeneous strong authentication environment presents and a subset of common concerns are listed.

• From an end user’s perspective
  
  • The deployment of not only different authentication mechanisms, but even variations of common authenticators lead to inconsistency of experience and end user confusion. (The “how do I authenticate here” syndrome.) This may lead to a reduction in the effectiveness of user confidence in combating issues such as “phishing."
  • End users may be faced with a variety of authentication mechanisms unique to each asset (such as a website) they want to access. This can lead to authentication “buildup” also known as the “token necklace” problem.
• From a deployer’s (service providers, identity providers) perspective
  
  • With independent authentication methods being deployed across the Internet, consumers may get confused or frustrated thus leading to increased friction introduced by use of strong authentication in the e-commerce channel.
  • Current implementations of authentication methods are complex and not easily upgraded or replaced.
  • Methods to broadly share and use distributed authentication mechanisms are inconsistent and not robust.
  • Promote the use of a services based approach for activities (e.g. authentication, validation) that are required to be part of an interoperable strong authentication framework.
• From a technology vendor’s perspective
  
  • Lack of standardization leads to proprietary work throughout the technology stack
  • Lack of re-use of existing services and standards results in inefficient development efforts
  • Technology partnerships to extend offering suites require significant integration efforts