Perhaps because it's just not natural!
Federated Identity is certainly one of the hotter topics in e-business and security circles currently. It promises to improve cost, efficiency and convenience of identity management -- an intuitively compelling package. But the impact on security is far from clear, and the legal complexities have been badly under-estimated.
Buzzwords and easy metaphors fly around identity management and federation like no other field. A great deal depends on what is meant by “federation”, and indeed by “identity” and “authentication”.
So what are we talking about? The Liberty Alliance is a big consortium working on federated identity standards and methods. Liberty defines Federated Identity as something that “allows users to link identity information between accounts without centrally storing personal information”. They add that “in practice, this means that users can be authenticated by one company or web site and be recognized and delivered personalised content and services in other locations without having to re-authenticate, or sign on with a separate username and password”.
Yet authorisation can be more important than authentication: we need to assert not only who we are, but what we are; e.g. bank customer number so-and-so, officer of registered business such-and-such, policy holder number X-Y-Z. In the real world we act in various capacities depending on what business we’re trying to conduct. That is, we make a number of different assertions about ourselves (or “claims” as they are called in the Laws of Identity).
It is here that security purists insist on separating authentication (proving who you are, aka your identity) from authorisation (telling which capacity you are asserting). Moreover, purists claim that authentication has primacy over authorisation. But this is really splitting hairs. In the real world, authorisation is sometimes bound so closely to authentication that it’s unhelpful to tease them apart. We can actually behave according to truly separate identities. Here’s an example.
I am an authorised signatory to my company’s corporate bank account; I happen to hold my personal bank account at the same bank, which naturally has given me two different key cards. When I bank on behalf of my company, I exercise a different identity compared with when I bank on my own behalf, even if I am in the same branch or at the same ATM. There is no “federation” between my corporate and personal identities; it is not even sensible to think in terms of my personal identity plus my corporate attributes when I am conducting business banking. After all, so much corporate law is all about separating the identity of a company’s officers and the company itself.
Now, authorisation turns out to be fiendishly difficult to federate. There have been a few bold attempts to share identity management infrastructure between banks but to my knowledge, not one has succeeded. The idea sounds great at first but in practice, breaking down silos between businesses is really tough; witness the struggles of the Trust Centre in Australia.
What's going on here? I think a big problem is that while we think we're talking about "identity" (which seems like an absolute, something with no competitive advantage) what's really involved is relationships, and these are not so easily shared. Consider if I have an account with Bank A; what does it matter to Bank B? My relationship with Bank A might help bootstrap a new account with B; for instance B might be interested in my credit history with A, and of course my 100 point check with A might carry over to B. But once I am up and running with B, then I will have a fresh account, a new key card, different account numbers and different relationships.
These relationships go hand-in-glove with legal agreements and terms & conditions that closely bind customer and institution. In all the federation schemes I have ever seen, a crucial missing ingredient is a legal framework in which the Ts&Cs crafted and siloed between one bank and its customers can be carried over to another bank. What bank in its right mind would wish to be contractually joined to the dealings between its customer and a competitor?
The word "silo" is almost a term of abuse in business nowadays; we're encouraged to break them down, almost indiscriminately. But "silos" have good connotations too. The silos that safeguard our banking relationships, just like grain silos, are strong, elegant, secure, and resistant to the elements. They're cemented by mature and well tested legal arrangements which, unsurprisingly, are not so easily deconstructed and put back together again across otherwise totally separate organisations.