The National Strategy for Trusted Identities in Cyberspace (NSTIC), released by the White House last month, is a proposal for a new “ecosystem” of diverse Internet IDs. It is the latest incarnation of Federated Identity, where identification established with one service provider can be re-used with other services.
In the words of White House cyber security chief Howard Schmidt: “Imagine that a student could get a digital credential from her cell phone provider and another one from her university and use either of them to log in to her bank, her e-mail, her social networking site, and so on, all without having to remember dozens of passwords”.
NSTIC adopts the now orthodox federated identity idea of “trust levels” or “Levels of Assurance” (LOA). The US National Institute of Standards and Technology has settled on a four-point LOA standard. The idea is that different transactions carry different risks and need to be matched to the right LOA: Low, Medium, High and Very High (or words to that effect). If different business domains can settle on a common language for describing risk and trust, then their identities should be able to interoperate. It’s intuitively attractive, but in practice difficult to apply, especially in banking, where there are strict, regulated protocols for identifying customers.
As bankers contemplate federated identity and the opportunities brought about by the voluntary NSTIC, I have some questions:
- How do banks feel about taking on the new role of “Identity Provider” in the identity ecosystem? Is it a commercial opportunity? Or maybe a strategic social media opportunity to facilitate their customers' participation in cyber communities?
- How do banks feel about accepting identification of new customers performed by other banks? By PayPal? By government agencies? By universities and phone companies? By Facebook?
- What are the regulatory implications of moving to the new language of “Levels of Assurance” when identifying customers? How will KYC rules and regulations need to be adapted?
- How will banks manage the risks arising when their customers use bank-issued “identities” to transact in other settings (retail, telecoms, e-government, e-health) over which the bank has no control?
- If a bank is to sanction the use of the “identities” it issues (e.g. OTPs, smartcards, apps) in other settings, what changes will be needed to its customer agreements?