The Evolving Identity Stack
It has been said that the greatest thing about technology standards is that everyone has one.
While the quip may elicit a chuckle, the goal of standards-based identity, authentication and authorization is no laughing matter. The best known and most widely used interoperable, cross-platform standard today for identity and account access is the username and password. And that’s a joke in terms of security, the punch line being billions of hacked user accounts.
As 2018 came to a close, there was light on the edge of the Identiverse, and the industry may be the closest it has ever been to realizing an interoperable set of standards-based identity, authorization and authentication tools to couple with emerging standards and attitudes around online transactions, data collection and privacy.
Today, standards from the World Wide Web Consortium (W3C), the FIDO Alliance, the OpenID Foundation (OIDF), the Internet Engineering Task Force (IETF), the Organization for the Advancement of Structured Information Standards (OASIS) and the National Institute of Standards and Technology (NIST) help form a foundation that extends across the web to address authentication, authorization, federation, account management and government regulations emerging worldwide. Among the newest standards efforts is work at the W3C, which creates and governs standards for the web. The W3C is on the verge of completing an application programming interface (API) called Web Authentication (WebAuthn) that would make the browser a ubiquitous public key cryptography authentication client, able to talk to any application supporting the standard.
The three major browsers already support it: Google Chrome, Microsoft Edge and Mozilla Firefox. Apple released a Technology Preview of its Safari browser late last year that includes support. Google Android and Windows 10 also offer WebAuthn support in their platforms.
In tandem, the FIDO Alliance is working on a standards-based protocol that would allow one device, such as a phone, to talk to another device, such as a laptop, turning the first into a portable authenticator capable of providing the latter (and other devices) with access credentials based on public key cryptography. FIDO is close to completing work on the technology, called the Client To Authenticator Protocol 2 (CTAP2), which is part of the FIDO2 project along with WebAuthn. And just last month, the International Telecommunication Union’s Telecommunication Standardization Sector (ITU-T) recognized FIDO UAF and CTAP1/U2F as international standards.
The OIDF’s OpenID Connect (OIDC) standard, which was published in 2014, adds federation and identity services to the standards mix. Vendors that use the technology include Amazon, Deutsche Telekom, Google, Microsoft, Ping Identity, the Norwegian Government and General Electric.
In the past few years, OIDC has built hooks to add FIDO’s public key cryptography authentication as an option to eliminate passwords as a security boundary. OIDC is built on top of OAuth2, a standard authorization framework published in 2012 and used by applications for access to user accounts. OAuth2 has become bedrock for other identity and access management standards, including the System for Cross-domain Identity Management (SCIM), which is a provisioning standard first conceived by the Open Web Foundation in 2011 and standardized at the IETF in 2015.
OAuth2 is also found in OIDF’s Financial-grade API (FAPI), which combines structured data with OAuth’s token model. FAPI is an IETF standard that has been adopted as part of the security profile for the U.K.’s Open Banking initiative. FAPI also includes OIDF’s Client Initiated Backchannel Authentication (CIBA) profiles for authentication requests that do not route through a browser. OIDC, SCIM and OAuth2 are the major architectural “pillars” of standards-based cloud identity. The Security Assertion Markup Language (SAML), standardized at OASIS in 2002, is part of the group, but is slowly being supplanted by OIDC.
To provide context on the growing importance of standards, in June 2017, NIST updated its four-volume Digital Identity Guidelines, 800-63-3, defining a set of parameters for secure identity, including enrollment and identity proofing, authentication and lifecycle management and federation of assertions. Many of the standards mentioned in this article apply to the guidelines.
U.S. government agencies are directed to use these guidelines as part of implementation and risk assessment, but the guidelines are not restricted to the U.S. government and are suitable for open networks. NIST’s guidance points out the value of purpose-built standards developed for use in combination with other standards. The point is flexibility and choice, with intermittent periods of innovation and adoption, much like OAuth has evolved.
Standards, however, are not enough.
Today, there are forcing functions that provide reasons for building a network around standards. In Europe, the General Data Protection Regulation (GDPR) is exerting enough financial—and other—pressure that companies are speeding up adoption of security solutions including authentication, which is mandated within the directive. Those who run afoul of the GDPR can face maximum fines that call for up to $20 million or 4% of a company’s worldwide annual revenue of the prior financial year, whichever is higher.
In the EU’s financial sector, enterprises that must comply with the Payment Services Directive (PSD2) are examining authentication standards such as FIDO that provide standards-based security options to meet the regulations. These mandates mean global companies operating in the EU must execute on a defined identity and access management strategy or face legal consequences.
While the development of standards and regulations that hasten their adoption are in full flight, you can’t ignore previous failures in solving authentication, authorization and identity problems.
In addition, enterprises and online sites will have to overcome the difficult task of re-training developers and users. And there are other concerns around lifecycle management of standards-based identity and access, including credential issuance, recovery and revocation.
It won’t be a road without bumps, but it appears there is a solid group of standards taking aim at actual enterprise issues in need of solutions. If the Identiverse can pull all those things under the same force of gravity, the industry could soon realize important milestones.