Why identity management and strong authentication are converging

There surely is a paradox here: Which! Magazine reported back in March of this year that one in four adults in the UK has either been the victim of identity theft, or knows someone who has. In the US, identity theft is said to be the fastest growing crime. But more and more of us are going online. And every service that we access or transaction that we make electronically has clues to our identities attached to the service requests. This makes it a heyday for thieves, who are coming up with innovative new schemes to fraudulently rob us of our identities.

Implementation of identity management technologies is a top priority for many companies now. Through deploying these technologies, companies hope to gain efficiency and cost reductions in their administrative processes, improved productivity through real-time access to resources when required, and an improved ability to prove regulatory compliance by being able to audit who accessed what, when and what they did with it. Key technologies involved include provisioning, single sign-on, access control and authentication.

Even within companies it is not always an easy task to map the identities of all employees to the computer applications and resources that they need to do their jobs. For this reason, identity management technology vendors provide the ability to group access rights by role in the organisation or by groups, such as a geographical sales team, that a resource belongs to. This eases greatly some of the administrative burdens involved in mapping identities.

But companies are increasingly looking to extend their services to business partners and customers, opening up parts of their corporate networks so that they can provide services to persons external to their organisations. This is known as federated identity management. Such technologies are relatively new and technology standards are still in development. However, one body that is involved in developing standards for federation, the Liberty Alliance, states that its members alone had deployed federated identity management to 400 million users by the end of 2004. By the end of 2006, it expects that that number will have increased to one billion.

One billion? That is around one in six persons in the world. That may sound improbable but, in many vertical sectors, companies are implementing federated identity management in order to better provide services to customers. Banks, for example, want their customers to do business with them electronically via the internet. In fact, the ATM system put in place by banks is one of the earliest examples of federation technology: banks operate a circle of trust among themselves that, when someone who is not a customer of a particular bank withdraws money from a rival’s ATM machine, the customer’s bank will repay the withdrawal from its own vaults.

But banks are increasingly finding that they are being targeted by fraudsters, with threats including account hijacking, phishing and many other social engineering attempts targeted at consumers. It is an absolute must that banks provide secure communications channels for their customers—and the largest ones are already looking at doing this by including their customers in federated identity programmes. This is one of the factors that will drive the absolute numbers up so far.

But government mandates are also going to play their part. US regulators have recently started demanding that banks use strong two-factor authentication for consumer access and this follows on from demands that all federal employees be issued with, and use, two-factor authentication in the form of smart cards. Strong authentication goes hand in hand with advanced identity management—especially using technologies such as single sign-on in a federated environment, where it is essential that service providers can accurately, easily and securely identify the persons that they are providing services to.

Developments such as these will drive the market for strong authentication—and, by association, federated identity management, as service providers look for efficient frameworks from which to drive their offerings. This is already being seen in the fact that strong authentication technology providers are moving into the identity management arena. There are already strong incumbents here in the form of Entrust and RSA Security, but others are acquiring and entering the fray. It won’t be long before you have strong identification credentials in your wallet and are part of a federated identity management programme yourself.