Identity Assurance Means Never Having To Say “Who Are You, Again?”
A decade after launching the SAML standard and seeing its, shall we say, stately pace of adoption, it’s wild to see real single sign-on and federated attribute sharing starting to take off for social networking, retail sites, online gaming, and more — not to mention seeing the US government starting to consume private-sector identities on citizen-facing websites.
Last week, we published a report on Outsourcing Identity Assurance. In it, I examine this “Government 2.0” effort, including the National Strategy for Trusted Identities in Cyberspace (NSTIC), and its innovations around identity assurance, and the confidence you can have in the real-world verification of the identity you’ve been given by an identity provider. We’re predicting you’ll see new Web 2.0-ish ways to outsource identity verification in the coming three years, driven by use cases like e-prescribing, high-value eCommerce, and even online dating.
But perhaps the US government’s four convenient “levels of assurance” (LOAs), which tie strong authentication to strong identity proofing, don’t apply to every use case under the sun. On the recent teleconference where I discussed these findings, we ended up looking at the example of World of Warcraft, which offers strong authentication but had to back off strong proofing. And over the weekend, I had a great back-and-forth with Stephen Wilson and others in the Twittersphere over the applicability of LOAs to financial Know Your Customer programs.
What do you think? Would it be helpful for you to “pick a level” if you outsourced authentication to a third-party identity provider, or would your use cases fall through the cracks?