Easier done than said: The challenge of third-party digital identity credentials


Her Majesty’s Government is making a bold commitment that new digital transactions from central government departments such as the DWP’s Universal Credit will adopt a federated model for identity registration and credential authentication so UK citizens don’t have to create yet more user names and passwords. This approach will require close collaboration and dialogue with industry to create the needed schemes or trust frameworks that will organize the technical standards, policies and best practices needed to proceed.

The UK Cabinet Office’s Identity Assurance Programme (IDAP) will work with the Open Identity Exchange (OIX) in two ways:

  1. Through a “UK IDAP Working Group” that gives organizations a structure through which to participate in, or simply monitor, the development of the initiative. The challenges of interacting online with customers are not confined to the public sector, and the expertise amassed through OIX’s working groups can inform current procurement plans and, where they are needed, future regulations in this area.
  2. Through alpha projects. OIX provides a means of engaging with partners to structure alpha projects that experiment with solutions to real-world problems; the ones that work will morph and scale into production solutions. OIX enables open communication and discussion of these projects and brings global expertise to bear on problems of the scale and complexity of the procurements the Cabinet Office must support.

But this is only the beginning of the working group process. OIX, like the problems it is trying to address, is international. It was set up in the US at the request of the White House, but the issues of trust in digital transactions don’t stop at national boundaries, which is why we have to work collaboratively across organizational and national borders to address them. While government has an important role to play, it can’t impose an answer on a problem space as complex and quickly evolving as digital identity. A good place to start would be for government simply to take its place at the table, among large and small organizations, as one of many stakeholders.

A checklist for identity assurance working groups

The goal of the IDAP is not unlike that of most digital identity efforts: to improve upon today’s market for third-party Internet identity credentials. In the rubric of identity management aficionados, an improved market would consist of attribute providers, networks and/or identity providers (third parties supplying the key attributes and credentials used to gain access to online services) and “relying parties” (organizations providing the services people want).

An improved online identity ecosystem like the one the US NSTIC aspires to assumes that identity attribute providers (APs) create value or make money by providing these credentials, and that relying parties (RPs) save money by using a third-party service rather than issuing and managing credentials themselves. Given this assumption, the OIX’s UK IDAP Working Group must tackle several important questions, including:

  1. What are the critical elements that either encourage or inhibit a robust market for third-party credentials?
  2. How does HMG’s Cabinet Office, in the context of a working group, encourage what it says it wants, and prevent what it doesn’t want, from occurring? Knowing how these elements relate to one another lets the new working group better judge the real chances of success.

With that, here is a draft “To-do” checklist that’s meant to help inform the Working Group’s charter:

  • A preference for (when possible) open identity technical standards like OpenID.
  • Operational and quality (assurance) standards that establish a scheme or trust framework assessors/auditors like tScheme can use.
  • Perceived and real strength in the face of formidable bad actors committing fraud and theft.
  • Ease of use for the UK citizen user experience (UX).
  • Coherent and actionable privacy and liability requirements and law.
  • Perceived and real risks associated with data retention policies and the subsequent mining of said data.
  • Cost: Who pays for what?
  • Legal and policy frameworks that establish safe harbors and a practical allocation of each actor’s duties for liability management.
  • No-cost, risk-free credentials issued by state and federal governments.

This list is in no particular order. The items range from obvious necessities for success (such as technical standards), to factors that tend to discourage use and create doubt on the part of potential stakeholders (such as government-mandated back doors, or data retention and mining practices that users and relying parties cannot see or control), to breakthroughs on governance (such as safe harbor language).

Most efforts in the digital identity arena have focused on one or two of these elements. But to create conditions conducive to the healthy ecosystem that the Cabinet Office wants, the Working Group needs to promote real progress in multiple dimensions.

This isn’t to say that all of IDAP’s efforts must address all of these items, or that the new working group must try to solve every problem simultaneously. That is obviously impractical and unrealistic. But if those working on one essential item of a given procurement aren’t aware of the other items, and of how those items might affect what they are working on, they could be making a mistake, wasting time, or working at cross purposes.

Progress is required on multiple fronts

Vendors have a proclivity for solving the same problem over and over. Many keep writing new authentication specifications, and have the same semantic debates over the same terms every time someone proposes yet another spec. The UK Cabinet Office and the OIX working groups need to ensure progress on multiple fronts if we are to see a market for third-party credentials emerge.

Many well-intentioned people in different organizations and jurisdictions are working on this list, and debating societies abound. The OIX’s UK IDAP Working Group will begin with a charter that looks to many sources for help, reflects where the ecosystem stands today, and lets that status determine the Group’s priorities.

Finally, we can’t let progress be hampered by the quest for perfection. The three A’s of online identity (authentication, authorization and account management) need to be unpacked into different problem sets for different subgroups. The new Working Group needs to be mindful not to roll too many objectives into a single effort, such as:

  • Mitigate identity theft
  • Improve usability
  • Improve privacy
  • Streamline registration and on-boarding processes
  • Enable attribute and identity providers (IdPs) to make money in new ways

Instead of dealing with the technologically straightforward problem of the provenance of personal data and identifiers, the identity community has tried to re-architect the very way that parties transact, and in doing so has tied technical capabilities into intractable legal knots. Most business today involves bilateral arrangements, and it is common for the RP to also be the IdP, so moving to multilateral schemes and trust frameworks that embrace both legacy business models and new requirements will be a very radical step for the OIX UK IDAP Working Group.