The following notes address current initiatives for the creation of an identity “assurance market”. This has been a permanent area of interest in the public and private sectors for years, but a complete solution has not been found to date.
The text below discusses the problems arising from the trusted third party or hub approach as well as related issues with identity data management.
The essence of the “assurance market” proposals is to engage the private sector to develop identity assurance services for public and commercial electronic or digital exchanges. Such assurance services would ensure that citizens and customers could easily and securely provide trustworthy identity and other personal information to the Service Providers.
This stance represents a new direction in the thinking of the public agencies and technology organisations in an outside of the Governments. In the past, the consensus position was to aim at centralised authentication services in the form of Government Gateways or “bridges” supported by publicly managed assurance mechanisms (using official identity credentials). For example the Belgian and UK public gateways, were designed to operate as a generic federation hubs for all government departments.
The new stance shifts the provision of “assurance services” to the private sector. During the debate, the proponents of this change suggested generic benefits of the extension of digital services to a wider segment of the population, more or less the same benefits as those advertised in previous centralised “gateway” strategies.
The change to the new schema is justified in terms of reducing the complexity and number of the user authentication mechanisms required by public entities within a general move towards e-Government. Payment and benefits fraud is also a consideration, but not in all cases, as the main driver seems to be the reduction of operational and authentication-related costs for public services.
The main positive factor in favour of the new approach seems to be that the private sector would help the government to accelerate digital services adoption, but it is not clear how. Countries with different levels of national identity policies and instruments have also various approaches to this problem.
It is not clear, for example, how the multiplication of assurance services would facilitate e-services adoption? In fact, even in the context of strong commercial, legislative and regulatory environments, it is not clear how a diversity of assurance services would help with wider or faster adoption. Obviously where that regulatory and market environment is missing, the problem is even deeper.
I think that there is a lack of understanding of the effects of multiplying “assurance services” and some level of confusion between the different concerns of “identification”, “assurance”, “authentication” and “identity provisioning”.
It is clear that the e-services strategy held by various European governments is based on the goal of reducing the cost of identity assurance by creating an “assurance” market, hopefully with the concurrency of the private sector. There is an expectation that a Government-created market (which would be supported by making it mandatory for citizen-agency interaction and transactions), would be able to reduce the cost of “assurance” for the government. This motivation should be at the centre of the discussion, instead of the more generic suggestions that the strategy would primarily “improve” services for the citizenry.
The assumption is that the private assurance services would be commercially priced but mandatory– while at the same time being diverse– does not seem to reflect appropriately either on the costs for the citizens nor the business case for the private sector. If the cost-reduction driver were clearer, the discussion would be more productive I believe.
The key problem hampering this vision is that the intended commercial, legislative and regulatory environment is mostly focused on users of public services. What about the private service offerings? In theory, the same private assurance providers could also sell services for other markets, but it is unclear how a Government-mandated and regulated sphere of services would coexist with the unregulated services. This uncertainty would need to be removed, perhaps with a different approach to gain more private participation.
The proponents of these strategies also assume that a significant segment of society in each country will not use digital public services, or may require personal assistance when using these. The strategy would not work then if the market did not develop appropriate offline services? Here we see a potential conflict between the drive to reduce operational costs, the transfer of assurance services to the market (effectively the citizen-consumer) and the potential denial of benefits for the entire population.
At a different, in terms of Security Management concepts and principles, the assurance service strategies pose important challenges for the private sector experts and leadership: While the main direction of the strategy is to generate a “market” for “assurance” services, there is a non-explicit assumption that there will be or should exist a market for “authentication” services. In other words, there is confusion or at least a conflation of two different security capabilities (authentication and assurance).
The term “assurance” should be used in the context of user identification and verification (ID&V) and should be treated separately from authentication capabilities (i.e. online credential validation and authenticated user data propagation. The term assurance is frequently used incorrectly, conflating the Identification and Validation process (ID&V) with the Authentication process. It is true that almost all services—public and private– require the user to go through some form of initial registration and then through subsequent login procedures. These two steps have different requirements and practical solutions, but in many public and industry documents we see they are not differentiated.
The question arises as to the proposed “assurance” services: are these focused on the ID&V phase, the authentication phase? Will there be a combination of the two? This differentiation will become critical in time, because if and when an “assurance services” market is created and made obligatory –independently of what we may think about the notion of an obligatory “market”– , not all participants can have the same ability, quality and interest to “assure” as well as to “authenticate” an identity.
Greater levels of assurance come from the combination of multiple identity instruments or credentials, especially those which can be traced back materially (physically, biographically, biometrically) to the biological individual. What is then the exact meaning of assurance in this context?
The lack of differentiation between “assurance” and “authentication” generates other complex problems which need to be addressed. A private “assurance” provider with access to public information (for example birth records or passports) will have more “assurance quality” than a provider selling “assurance” on the basis of privately operated ID&V or with less capacity to aggregate such data. On the other hand, an “authentication provider” does not need to be an “assurance provider”, but just operate in a federation or “circle of trust” with the “assurance” provider. Once this is understood, it will become clear that the “assurance provider” may or may not be in possession of original identity data. In fact, in more technical terms, the current “assurance market” initiatives have weak distinctions between four interrelated but never identical Security concepts: “Identity Provider”, “Assurance Provider”, “Attribute Provider” and “Authentication Provider”.
In the standard Federation architecture the Identity Provider is at the same time an “assurance”, “attribute” and “authentication” provider, given the fact that the main participant in the federation is also the “owner” of user ID&V process and data. Differently, in more advanced scenarios the four functions indicated above are separated. For example, in an “assurance provider” could operate with identity data provided by a government agency, while the authentication provider could be a trusted third party in a federation.
If we consider a functional differentiation of the processes, questions arise about ownership of the data, data privacy and data protection. I believe that none of these questions has been resolved either in the public or the private sector in the context of the “assurance market” initiatives.
It is important to see that if the level of “assurance” provided by a private organisation depends on the quality of data provided by public agencies, it is difficult to see how this will match a strict public service rationale for the proposed scheme: Another conflict becomes apparent between cost off-loading to the market (the consumer) achieved by means of commercialisation of citizen and consumer data.
This takes us back to the initial centralised e-government strategies. Originally, these explicitly sought to use the identity data stores in possession of public agencies in order to build standard “federations”; now, the assurance market proposals assume that identity data stores of the consumers will be a highly diverse mix of data repositories under private and public ownership, as well as private aggregations of citizen identity data. This contradicts the general goal of government-validated identity or central authoritative sources, while at the same time relies on exporting the assurance function to the private sector. The situation will be quite different depending on the type of data that the public agencies are able to master and provide.
In some countries, private providers –if they find interest in this market–will need to use national identity cards to reach a high level of “assurance”; while in other countries public information will be more diverse in quality and coverage (for example entire segments of the population may be missing from certain types of sources).
Therefore, in the whole, the consequence could be not only that operational assurance costs are off-loaded to the public, but also that assurance quality could become uneven and would not have a direct link with public authoritative sources. The loss of a direct link may be moderated by means of regulation and industry standardisation, but this opens a wider discussion as to the use of data, data privacy, end-user opt-out rights, data ownership, and data access rights.
Another implicit inefficiency of the proposed strategies is the generation of different (probably many) identity data stores both in and out of government agencies with differing quality, integrity, completeness, etc. This means that the overall costs (at national level) of identity verification would be multiplied. Nothing would ensure the convergence of the identity data stores even if the Regulator controlled the new “market”, because the private suppliers would aim at the lowest cost of providing “assurance” for the mandatory transactions. On the other hand, premium services, which already exist for other markets, will rely on different, higher data quality and more complex data aggregation processes, hence increasing and not lowering the heterogeneity and overall cost of the identity data stores.
It is frequently assumed that a citizen-customer will not have to register with each digital service, and that he or she will not have to remember login details for each one. This is another level of the problem, and a consequence of the conflation of assurance and authentication. The problem is that the “assurance market” proposals wrongly expect that it would immediately ensure a uniform use of “authentication” credentials across services. The implicit assumption is that the authentication technology for the entire market would trust identities validated by the “assurance suppliers”.
This is normal in Federated Identity Management architecture, but in those cases all the participants in the trust circle have interoperable technologies and standards and also direct or indirect (transitive) trust relationships between them. It is evident that the strategy proponents expect that all providers and all participants in the scheme will have to invest and update their security infrastructures.
Precisely because the schema would require investment and infrastructure updates, the coexistence of numerous assurance providers, identity providers, attribute providers and authentication providers would increase the need for the public agencies to validate, maintain and secure citizen data and their own security solutions infrastructures. For example, for each public agency it will be necessary to implement an identity data, attribute mapping service to correlate trusted identities with the local data stores.
It is therefore not advisable to think that it will be easy for the public services to migrate all their users to the new schema. In fat it should be expected that most public agencies will need to continue managing their users and will want to do so.
In the medium to long term I expect the development of different approaches to the assurance market, especially based on the distinction between assurance and authentication, and developing new federation architectures with separate roles for identity, service, attribute and assurance providers. In all cases though, I also expect identity data to be distributed (except for countries which have established national identity credentials), and also an increasing, hopefully mass adoption of user centric assurance and authentication solutions.