Earlier this week I shared a progress report on the work the IDESG is doing to build the nation’s identity ecosystem. In it I stated that a framework of identity standards, technologies and techniques will be absolutely critical for our success. Here I’ll explain why.
On its most basic level, a framework enables a variety of different platforms to plug in and interoperate. When it comes to building an identity ecosystem, a framework will serve as the glue that makes disparate identity systems and approaches work together.
In this society, we’re not going to reach the point of having one online identity that logs us into every application we use. While this would make things easier for us as both consumers and professionals, there would be serious security and privacy concerns. If you had one ID for everything you do, then the organization providing you that ID would need all of your information in order to assert your identity with third-party applications, and it would know everyone you interact with, how often, and for how long. To avoid a nationwide privacy crisis, an alternative approach has been developed: the identity ecosystem.
An identity ecosystem is an approach to online identity that allows internet users to form relationships with multiple organizations of their choice, called identity providers (IdPs). These organizations will assert information about each user in order to connect them to apps and services. Because one person may have relationships with a variety of IdPs in the ecosystem (and share different information with each of them), there needs to be some way for the organizations that rely on that data (known as relying parties) to understand the quality of the identity data they are given. This is why an identity ecosystem requires trust frameworks in order to work. Defining common technical approaches to the implementation will, in turn, enable the ecosystem to scale.
Here’s an example of how you may use different identities in different contexts. You’ve probably noticed you’re increasingly being offered the opportunity to use your Facebook account to log into applications on your mobile device. This makes sense: it’s more convenient for you as an individual, and the application owner only needs the data that Facebook can provide about you. But when you log into a government website, you won’t be able to use your Facebook account to do that. The government website needs data from an organization that does a higher degree of identity proofing, or one it has a ‘deeper’ relationship with, like a bank. These types of scenarios are working today in some European countries, with financial institutions authenticating users for government websites.
As internet users, we need this work to be done in order to enable the organizations we interact with to share our identity data in a private and secure way. We cannot continue to maintain separate usernames and passwords for each of our online services, if only because it’s too unwieldy. For that sharing to occur, the organizations that we interact with will need to be able to trust each other. This requires a framework that defines the different types of trust relationships that can occur between those organizations, and how they should be implemented, so that all stakeholders (users, IdPs, relying parties) can trust the integrity of the overall system.
And that is exactly what the IDESG aims to accomplish.