Liberty Alliance Project – November 8, 2005 — The Liberty Alliance Project, a global consortium for open federated identity and Web services standards, today announced the formation of a global, cross-organizational expert group focused on developing open specifications for interoperable strong authentication. Liberty’s new Strong Authentication Expert Group has been created to speed the worldwide deployment of interoperable strong authentication and to help organizations meet new industry-wide demands for universal strong authentication solutions.
The Strong Authentication Expert Group (SAEG) leverages the work Liberty Alliance has been doing for the past year in defining clear market requirements for appropriately deploying strong authentication in a federated network. The group will expand this work beyond federation to build ID-SAFE (Identity Strong Authentication Framework), an open framework to allow strong authentication solutions such as hardware and software tokens, smart cards, SMS-based systems and biometrics to interoperate across organizations, networks and vertical market segments.
“With increasing industry demand for better protection against online fraud and identity theft, there can be no question that the time for universal strong authentication has come,” said Timo Skytta, vice president of the Liberty Alliance. “By forming the Strong Authentication Expert Group, Liberty is committing to rapidly deliver well defined and highly deployable solutions to help organizations meet new and pressing requirements for stronger authentication.”
On October 12, 2005, the US Federal Financial Institutions Examination Council (FFIEC) issued new guidance for banks on online authentication, which acknowledges that passwords alone are insufficient as the only means of security to protect a consumer bank account. This new guidance calls on banks to implement better ways to authenticate the identity of customers using online products and services. While governments and organizations around the world have moved to implement similar requirements, financial institutions based in the US are expected to achieve compliance with the new FFIEC guidance by the end of 2006.
Liberty’s ID-SAFE will help all organizations more easily meet the challenges in implementing solutions consisting of more than usernames and passwords to strengthen online authentication. “Gartner predicts that by 2007, 80 percent of organizations will reach the ‘password breaking point’ and will need to strengthen user authentication with alternative security methods,” said Ant Allan, research vice president at Gartner. “Businesses need to put roadmaps in place now that will allow them to phase out passwords and replace them with stronger authentication methods.”*
Strong authentication requires at least two forms of identity authentication for accessing a network or online application. Liberty’s ID-SAFE will offer standards-based online identity protection to allow organizations to deploy interoperable strong authentication faster, more cost-effectively and on a wider scale.
Widely deployed strong authentication based on ID-SAFE will provide organizations with opportunities to focus more on developing new business lines and e-commerce offerings while being able to rely on universal strong authentication that is easy to deploy and manage. Consumers will benefit from ID-SAFE with increased protection against identity theft and fraud, a seamless user experience across networks and advanced privacy protection based on individual consent and control.
“The lack of strong authentication in the online space is demonstrably one of the most significant causes of identity theft,” said Michael Barrett, co-chair of the Liberty Alliance Identity Theft Prevention Group, and VP Security/Utility Strategy at American Express. “The recent FFIEC guidance on strong authentication will likely change how organizations manage online identity threats, but initiatives for addressing these issues need to be coordinated via agreed industry standards – and that’s where the Liberty Alliance has a strong track record of fast delivery.”
Liberty is modeling the ID-SAFE technical development process on the successes Liberty has had in rapidly driving open identity specifications for federated identity management (Liberty Federation Framework, ID-FF) and Web services (Liberty Web Services Framework, ID-WSF) resulting in extensive deployments and implementations worldwide. Working in a collaborative, non-proprietary and multi-vendor environment, the group expects to release the first version of ID-SAFE specifications in 2006. Liberty Alliance regularly incorporates relevant work from other open standards bodies into its specifications and welcomes these organizations to participate in the development of ID-SAFE.
Liberty Alliance Strong Authentication Expert Group Member Quotes
Axalto – “For 25 years Axalto has been committed to market expansion through the encouragement of open standards. We are excited to work through Liberty Alliance and the new Strong Authentication Expert Group to promote a framework that makes digital identities and strong authentication easier to use. The formation of the SAEG closely matches our internal initiatives for Axalto’s Protiva Strong Authentication product line and we believe efforts of the SAEG are key to ensuring cost effective, flexible solutions to secure the future of our digital world.” – Marvin Tansley, Vice President Products, Axalto
BMC Software – “BMC Software is committed to working with the Liberty Alliance Strong Authentication Expert Group to promote strong authentication interoperability for federated identity management solutions. With the rise of identity theft and regulatory requirements for better identity verification and authentication, more and more organizations are interested in strong authentication solutions. Delivering secure, interoperable solutions that leverage Liberty standards helps our customers establish trust in their environments and better leverage their federated identity management solutions.” – Doron Cohen, CTO of the Identity Management Business Unit, BMC Software
Diversinet Corp – “As consumers around the world become more concerned with the repercussions of identity theft, strong authentication is quickly becoming a basic requirement. Diversinet is very pleased to support the formation of the Liberty Alliance Strong Authentication Expert Group, and we look forward to the opportunity to contribute our knowledge and experience in consumer-scale strong authentication gained from our MobiSecure soft tokens and over-the-air provisioning services.” – Stu Vaeth, Chief Security Officer, Diversinet Corp.
Falkin Systems LLC – “Without trusted, reliable strong authentication that is user centric and controlled, the reality of the Internet as the prime channel of and for commerce, society and government will never come to pass. Positive verification and validation rather than simply authenticating possession of a token and knowledge remains the single most important solution to securing value, reputation, and safety. Industry’s solutions must put identity safely and accurately back in the user’s control. We at Falkin Systems believe that only through cooperation with the end-user community and with each other will the solution vendors solve the complex and future defining problem of digital identity and authentication. The Liberty Alliance remains one of the main collaboration communities to solve this and provide a language, grammar, and vocabulary to digital identity. We look forward to working with our peers to solve today’s most elusive problem.” – Rob Marano, CTO, and Dr. Simon Ben-Avi, Chief Scientist, founders of Falkin Systems LLC, provider of the Universal Authentication Platform (TM)
Financial Services Technology Consortium (FSTC) – “FSTC is pleased to support the Strong Authentication Expert Group’s efforts to develop technology standards and practices. The SAEG and its efforts dovetail perfectly with FSTC’s Security Standing Committee and its Better Mutual Authentication initiative currently underway, involving 25 financial institutions, technology providers, and industry organizations. FSTC shares the goal of making it easier for consumers and corporations to adopt improved authentication practices.” – Zachary Tumin, Executive Director of FSTC
HP – “Interoperability of multiple authentication mechanisms in federated environments is a key enabler for security and privacy in online commerce, corporate remote access and secure mobile access. Enterprises in various industries across the world are facing the challenge of inadequate and weak identification technologies, brought to the forefront by the recent increase in phishing, identity theft, security and privacy breaches. Furthermore, enterprises are requiring strong privacy and data controls for regulatory compliance purposes. HP fully supports the formation of the Strong Authentication Expert Group (SAEG) within the Liberty Alliance and is pleased to be part of this market-driven team of customers, vendors and technology partners dedicated to define a secure, standards-based industry framework that enables interoperability.” – Todd DeLaughter, VP/GM of Management Software Business at Hewlett-Packard Co.
Intel – “Intel recognizes the critical need for computing, communication, health, and entertainment platforms to support a variety of strong authentication mechanisms in all market segments, from eCommerce to corporate networks, in a way that users can easily understand and manage. Liberty is well-positioned to appropriately balance the competing requirements of secure access and privacy to create an ID-SAFE framework that will permit providers to offer, and users to access, services with confidence.” – Raj Hazra, Ph.D., Director, Systems Technology Lab, Intel Corporation
Kantega AS – “Being a strong supporter of Liberty Alliance’s open standards for federated identity, Kantega is excited to join Liberty’s Expert Group for Strong Authentication. Kantega sees the development of open standards in this area as an important next step in developing federated identity for high security applications such as online banking. We look forward to contributing to this work based on our broad experience in strong authentication and federated identity.” – Gunnar Nordseth, CTO, Kantega AS
Oracle – “Key to the Liberty Alliance’s success is its ability to bring together enterprises and vendors to develop open standards. Today, organizations of all sizes and industries are demanding a standards-based means for improving protection against identity fraud and theft. Oracle looks forward to working with members of the Strong Authentication Group in order to meet the rising demand for standards supporting strong authentication.” – Roger Sullivan, Vice President, Identity Management, Oracle
RSA Security – “The formation of this Expert Group brings great promise for the truly open dialogue on strong authentication that the industry is looking for. The Liberty Alliance is unique in comprising a broad cross-section of end-users and vendors, and – as a founding board member with a long-running commitment to industry standards – we applaud the Alliance’s efforts in bringing these leading organizations together. We look forward to productive participation.” – Burt Kaliski, vice president of research at RSA Security and chief scientist, RSA Laboratories
US Department of Defense / Defense Data Manpower Center – “The Department of Defense is committed to working with industry partners to strengthen the assurance for federated identities and web services. The creation of the Strong Authentication Expert Group (SAEG) by the Liberty Alliance Project signals a recognition of the need for this increased assurance in all aspects of American life. In its Common Access Card program, the DoD has already made a great commitment to a strong identity smartcard credential. Working with industry to help define stronger identity assurance standards will help protect our service members, their families and all American citizens.” – Greta Lehman, Director, Identity Authentication Office, Defense Manpower Data Center
VeriSign, Inc. – “For strong authentication to achieve its true potential, fresh approaches are needed in the development and deployment of two-factor authentication services. Two years ago, VeriSign, along with several industry partners, sought to address the need for an open standards-approach with the creation of the Initiative for Open AuTHentication. VeriSign applauds the Liberty Alliance for also recognizing this need, and we look forward to contributing to the ultimate goal of an open, global and federated authentication service that benefits all Internet users.” – Kevin Trilli, director, product management, Authentication Services, VeriSign.
Wave Systems – “Wave Systems has been involved with the Trusted Computing Group (TCG) since its inception working to define open specifications for standardized security building blocks. Wave develops trusted computing software and services solutions supporting the TCG standards. Today, one of the specifications with broad adoption is the Trusted Platform Module (TPM), an implementation done as a silicon chip which is being shipped in millions of PCs today. Products developed using the TCG specifications help answer the questions of ‘who are you’ and ‘can I trust you’, for both the user and their network devices. The Strong Authentication Expert Group within the Liberty Alliance provides an excellent industry forum to define how Liberty’s federated identity and web services standards can work with the TCG security specifications to provide complementary and interoperable approaches for assuring both the identity and integrity of people and machines.” – Lark M. Allen, EVP – Business Development, Wave Systems
About Liberty’s Strong Authentication Expert Group
Some of the members currently participating in the Strong Authentication Expert Group include American Express, Axalto, BMC Software, Diversinet Corp., Falkin Systems LLC, Financial Services Technology Consortium, HP, Intel, Kantega AS, NEC, NTT, Oracle, RSA Security, US Department of Defense / Defense Data Manpower Center, Vodafone, VeriSign, Inc. and Wave Systems. Membership in the Strong Authentication Expert Group is open to all Liberty sponsor and board members interested in helping to drive interoperable strong authentication.
About the Liberty Alliance Project
The Liberty Alliance Project (www.projectliberty.org) is a global alliance of companies, non-profit and government organizations developing open standards and business, policy and privacy guidelines for federated network identity. Federated identity offers businesses, governments, employees and consumers a more convenient and secure way to control identity information and is a key component in driving the use of e-commerce, personalized data services and identity-based Web services. Liberty specifications are deployed worldwide by organizations that include American Express, AOL, BIPAC, General Motors, France Telecom, Nokia, NTT and Sun Microsystems. Membership is open to all commercial and non-commercial organizations. A full list of Liberty Alliance members, as well as information about how to become a member, is available at
* Gartner Research “Passwords Are Near the Breaking Point” by Ant Allan. December 6, 2004.