You are probably familiar with social log-ins, where instead of creating new credentials you log into a site by connecting to your Facebook, Twitter, or other social media account. By simply clicking a couple of buttons you are able to create a new account or log in to an existing account – no username or password necessary.
A more recent trend has emerged in which companies apply a similar concept to verifying a person’s identity by connecting to their bank account, utility account, or other trusted site. The move toward using “trusted identity providers” rests on solid ground. In response to the National Strategy for Trusted Identities in Cyberspace (NSTIC), signed by President Obama in April 2011, a combination of public and private sector organizations and individuals formed the Identity Ecosystem Steering Group (IDESG).
While it continues to be a work in progress, the framework published by IDESG (the Identity Ecosystem Framework) calls for the use of trusted Identity Providers for identity verification. The primary reason for this approach is increased privacy: under the recommended framework, businesses (Relying Parties) seeking to verify information (Attributes) about an individual could do so while accessing only the information they need.
There is no doubt that the approach suggested by the IDESG Framework would benefit privacy and convenience, but current implementations of this approach also present security challenges that need to be addressed. Tomorrow’s post will discuss the security challenge of current implementations in greater detail.