Strong Authentication
Stronger authentication has become a top priority for many Liberty members as well as for organizations and consumers around the world. The formation of the Strong Authentication Expert Group is a natural addition to Liberty’s mission of addressing “all things identity” and was formed to speed the deployment of interoperable strong authentication on a global basis.
Stronger authentication has become a top priority for many Liberty members as well as for organizations and consumers around the world. The formation of the Strong Authentication Expert Group is a natural addition to Liberty’s mission of addressing “all things identity” and was formed to speed the deployment of interoperable strong authentication on a global basis.
Today, many organizations rely on passwords alone as the primary form of authenticating users online. And while passwords serve as adequate protection in a variety of network scenarios, organizations and consumers now need more than passwords alone to protect against online fraud and identity theft. Strong authentication requires at least two forms of identity authentication for accessing a network or online application. This often means, combining something a user “knows,” such as a password, with something a user “has,” such as a code from a token, DNA, etc., to ensure secure online authentication.
Organizations have both deployed and are investigating many forms of strong authentication. These include hardware and software tokens, smart cards, SMS-based systems and biometrics. All of these systems offer strong authentication capabilities and are deployed within various organizations and vertical market segments around the world.
While many organizations have deployed stronger authentication technologies, many more are facing challenges as they move to meet the demand for increased security and identity protection. Most of today’s strong authentication solutions have been built using proprietary technologies and developed based on the requirements of specific vertical market segments. Many of these solutions have not been developed to interoperate with one another and can be costly to deploy. Liberty’s Strong Authentication Expert Group will aim to remove these barriers and help organizations in all vertical segments move to deploy universal strong authentication faster and more cost effectively.
This means providing strong authentication from any network and from any device, at any time. This “anywhere and anytime” functionality is what Liberty’s Strong Authentication Expert Group is working to deliver. With universal strong authentication, organizations can offer consistent strong authentication capabilities across networks, applications and vertical market segments. This far-reaching protection will help organizations and consumers dramatically reduce the threats that can lead to online fraud and identity theft.
In order for universal strong authentication to become an industry-wide reality, an open framework is required to allow the varying types of strong authentication solutions to interoperate with one another. Liberty’s Strong Authentication Expert Group will develop ID-SAFE (Identity Strong Authentication Framework), a framework based on open standards that will allow strong authentication solutions such as smart cards, tokens and biometrics to easily interoperate across organizations, networks and vertical market segments.
Since Liberty formed the group in October 2005, there has been exceptional interest among our membership. Some of the members currently participating in the Strong Authentication Expert Group include American Express, BMC Software, Diversinet Corp., Falkin Systems LLC, Financial Services Technology Consortium, Gemalto, HP, Intel, Kantega AS, NEC, NTT, Oracle, RSA Security, US Department of Defense / Defense Data Manpower Center, Vodafone, VeriSign, Inc. and Wave Systems. Membership in the Strong Authentication Expert Group is open to all Liberty sponsor and board members interested in helping to drive interoperable strong authentication.
Any organization needing to implement stronger authentication will be interested in taking a close look at ID-SAFE and becoming involved in its development. While many organizations are moving to deploy some means of strong authentication, others may be compelled to do so based on customer demands, business requirements or some type of government regulation. The recent guidance issued by the US FFIEC is a good example of how governments are approaching strong authentication issues.
In October 2005 the Federal Financial Institutions Examination Council (FFIEC) released “Authentication in an Internet Banking Environment.” Developed for banks offering Internet-based financial services, the guidance describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers using on-line products and services. Financial institutions will be expected to achieve compliance with the guidance no later than year-end 2006.
Yes, and while the type and extent of guidance issued by governments tends to vary from country to country, Australia, Belgium, Brazil, Denmark, Hong Kong, Singapore and the UK, are either requiring or promoting some degree of strong authentication in various vertical segments. We will undoubtedly see other governments implement similar requirements for stronger authentication during the coming months.
While there can be no doubt that the work of the group will help financial organizations around the world meet requirements for stronger authentication, the need for universal strong authentication is very real across all vertical segments around the world. Liberty formed the group to help all organizations meet the increased demand and requirements for stronger authentication.
Liberty is modeling the ID-SAFE technical development process on the successes we have had in quickly developing open identity specifications for federated identity management (Liberty Federation Framework, ID-FF) and Web services (Liberty Web Services Framework, ID-WSF), resulting in rapid deployments and worldwide implementations. It took less than seven months from the time Liberty was formed in 2001 for us to deliver our first set of open identity specifications and we intend to replicate this pace with the development of ID-SAFE.
Liberty’s consistent approach to developing open identity frameworks and specifications always involves gathering market requirements before technical specifications are developed. This means working with members that include end users, governments, educational organizations and vendor members, to define specific use scenarios, and then submitting these tightly defined scenarios to a technology group for specification development. The result is specifications that are easily deployable and applicable “out-of-the-gate” to well defined end user needs.
Yes, there are organizations that have been doing some preliminary work in interoperable strong authentication. But if the industry is to meet the growing demand for better online security and identity protection, a global effort spanning all vertical segments and worldwide regions is required. With members including government organizations, businesses and end users from around the world, Liberty has the experience and membership to speed the deployment of interoperable strong authentication on a global basis.
Liberty Alliance regularly incorporates relevant work from other open standards bodies into its specifications and welcomes any open standards organization to participate in the development of ID-SAFE.
ID-SAFE will drive the costs of implementing strong authentication down while allowing organizations to deploy better security and identity protection across all vertical segments. Widely deployed strong authentication will provide companies with opportunities to focus more on developing new business lines and e-commerce offerings without having to rely on passwords alone for identity protection.
With Liberty strong authentication, consumers will have increased protection against identity theft and fraud, a seamless user experience across networks and advanced privacy protection – from anonymous to strong – based on individual user consent and controls.
Work stemming from Liberty’s new Strong Authentication Expert Group goes hand-and-hand with the work we have been doing in open, interoperable identity specifications. The key word here is “interoperable.” For example, one concern already cited in the financial sector is the emergence of “token necklaces,” requiring consumers to have multiple tokens for authenticating at the various financial organizations where they have accounts. ID-SAFE aims to enable these strong authentication mechanisms to interoperate, reducing costs, increasing security and improving ease of use.
Market requirement work for interoperable strong authentication has been ongoing for the past year and the group is leveraging this work to develop ID-SAFE. Based on our history in bringing open specifications to market quickly, we expect to make significant progress in 2006.
We see the first news surrounding ID-SAFE focusing on the release of the initial framework and draft specifications. Once Liberty releases a draft version of specifications, they are available to everyone – both Liberty members and non-members alike -- for comment and review. The Strong Authentication Expert Group then works to incorporate input from the review into final specifications.
Detailed information is available on our Web site at www.projectliberty.org. Organizations and individuals interested in joining Liberty’s Strong Authentication Expert Group can contact membershipinfo@projectliberty.org.