CNI Fall 2013 – Identity Update – Ken Klingenstein

Social Identity Update

  • Reaching saturation in the US
  • Focus on service to the consumer continues. Interest in connecting to federal services is unclear: Google and others originally got certified for federal services, but now that it’s renewal time they haven’t shown up. Maybe they don’t want to meet federal standards for privacy? Terms and conditions are critical to consumer as a service. 
  • Protocol evolution towards OpenID Connect continues. It is getting almost as complex as SAML. IETF standards are now almost done. Many but not all providers (e.g. Facebook) are moving slowly towards the standard. The value lies in OAuth for mobile app use. 
  • The FIDO alliance (a group of social auth providers) is promoting multifactor authentication. Identity proofing stays risk-based per Relying Party. Social identity providers don’t worry about whether it’s really you. The Google matrix uses over 100 factors to figure out whether it’s likely to be you.
  • The Yahoo email address persistence policy change opened eyes: they’ll recycle email addresses after six months of non-use, so a relying party no longer knows whether an address still belongs to the same person. The Feds had no influence in getting Yahoo to change the policy. 
  • The NSA revelations are changing international marketplaces. The providers are scurrying to deal with the blowback. 
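The Yahoo bullet above is the reason a relying party should never treat an email address as the key for an account. The following is an added example, not code from the session or from any of the projects named on this page: a small account store for a relying party that accepts social (OpenID Connect) logins, keyed on the standard `iss` and `sub` claims of an ID token, with a constructed claim set standing in for a token that has already been signature-verified. When a known address shows up with a new subject, the recycled-address case, it refuses to re-link silently and reports a collision for out-of-band verification instead.

```python
# Added example (not from the session notes): account linking for a relying
# party that accepts social/OpenID Connect logins. An e-mail address is not a
# stable identifier, so accounts are keyed on the (issuer, subject) pair from
# the ID token, and a reused address with a new subject is reported as a
# collision rather than merged. Claims are assumed to be already verified.
from dataclasses import dataclass, field


@dataclass
class Account:
    local_id: str
    email: str
    # Every (iss, sub) pair that has been proven to control this account.
    identities: set = field(default_factory=set)


class RelyingPartyAccounts:
    def __init__(self):
        self._by_identity = {}   # (iss, sub) -> Account, the real key
        self._by_email = {}      # email -> Account, a lookup hint only
        self._next = 1

    def login(self, claims):
        """Return (decision, account) for a verified set of ID token claims.

        decision is one of:
          "existing"         the (iss, sub) pair is already linked
          "created"          first login from this subject and address
          "email_collision"  address known but subject differs; the address
                             may have been recycled to a different person
        """
        key = (claims["iss"], claims["sub"])
        email = claims.get("email", "").lower()

        acct = self._by_identity.get(key)
        if acct is not None:
            return "existing", acct

        if email and email in self._by_email:
            # Same address, different subject: never merge automatically.
            return "email_collision", self._by_email[email]

        acct = Account(local_id=f"u{self._next}", email=email, identities={key})
        self._next += 1
        self._by_identity[key] = acct
        if email:
            self._by_email[email] = acct
        return "created", acct


def demo():
    """Constructed claim sets (hypothetical issuer and subjects) standing in
    for verified ID tokens; returns the three decisions and identity checks."""
    rp = RelyingPartyAccounts()
    first = {"iss": "https://idp.example", "sub": "10001",
             "email": "alice@example.test"}
    d1, a1 = rp.login(first)
    d2, a2 = rp.login(first)
    # The same address handed to a new subject after the original lapsed.
    recycled = {"iss": "https://idp.example", "sub": "20002",
                "email": "alice@example.test"}
    d3, a3 = rp.login(recycled)
    return d1, d2, d3, a1 is a2, a3 is a1


if __name__ == "__main__":
    print(demo())
```

The collision branch hands back the existing account only so the caller can start a verification flow with its owner; it does not grant the new subject access to it.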

R&E federations world-wide

  • 100% coverage in Europe, in some cases to the entire population. You can’t get welfare money in Denmark unless you have a federation account.
  • InCommon today – 400+ universities, 600+ total participants. 6-7 million users. OCLC will roll out software next year with ShibIDP in it. 

US Government efforts

  • FICAM – classic identity services for government – slowly growing. Includes high assurance PIV cards and PKI, federated identity, etc. Provides the LOA certifications that motivate the InCommon assurance program, including Silver.
  • NSTIC – Aimed at Net Gen – services, privacy, etc. Has distinct governance and pilot efforts. Scoping is a finesse: affecting government identity. 
  • NSTIC Pilots – round 1. Five factor mobile authentication? Commercial, open-source ID verification network that allows multiple relying parties to verify a user’s identity by referring to the authoritative sources – allows bidding and better price points than the credit reporting companies provide. The pilot wants us to sell student data – we have the freshest possible data. Scalable privacy.
  • NSTIC Pilots – Round 2 have just been awarded. PRIVO – a minor’s trust framework: COPPA compliance is important. Many other countries refer to COPPA for reference. The latest revision is that if you’re under 13 and you want to go to a chat room you have to have the option of releasing a non-personally identifiable identifier (e.g. display name). 
  • Scalable Privacy – Grant to Internet2/InCommon. Development partners are CMU and Brown, with others: promotion of two factor authentication, citizen-centric attribute activities, trusted metadata approaches, next-generation privacy management. We are loath to release attributes, but that presents problems with authn.
  • Coupling MFA and federated identity is extremely powerful. Early interesting issues in MFA at scale: accessibility support, FERPA issues in the release of PII (e.g. cell number) to a third party authenticator, cloud authenticators and DDOS attacks, alternative strategies when multifactor tokens aren’t available, ROI of federated MFA.
  • Software deliverables: Shib-based integrated MFA handler. 
  • GPII (Global Public Inclusive Infrastructure) – accessibility done right. Automatic personalization of user interfaces and user context adaptation based on user preferences, across platforms. The schema standard is AccessForAll. Not only for those with physical disabilities, but moving into cognitive disabilities. Pilot applications and proofs of concept are beginning, with user preferences stored and accessed securely in an online repository, which drive presentation features.

Privacy managers (Carnegie-Mellon University)

  • Consoles to help users manage the release of attributes
  • Key design considerations – hardest issue is informed consent. 
  • Starting a major engagement with a set of campuses on opportunities and issues for deployment at scale.

Trust frameworks

  • The steady state of federated identity is interfederated identity – need to cross countries and sectors. Doing technologies now to make this work. 

Converts social identities into SAML assertions. Very handy for extended populations. Exposes many issues.

Scholarly identity

  • Application categories
  • CILogon, eduPerson and ORCID

Collaboration platforms

  • It’s not about identity, it’s about access control. Leverage federated identity but with control of attributes. 

Takeaways

  • Moving the needle on MFA is really important.
  • Attributes are the key, and it’s already a mess.
  • Research what it takes to put the “informed” into consent.
  • Anonymous credentials are still immature and still the only answer to unobservability.
  • Social identity has its virtues and its perils.
  • Collaboration platforms are the access management part of IAM.
  • The eventual steady state future is “interfederated identity”, and getting there will be fitful and indirect. 
