Andrew Nash
Despite what we may wish to implement in our identity architectures, large-scale identity deployments are driven by financial value. This session examines recent thinking on how identity attribute models are likely to be deployed, the values and roles of the various participants and the challenges of how value is distributed among the participants.
2. Things don't get simpler …
• Identity is no longer about 3 parties
• Attributes are as interesting as identifiers
• Fresh information is a business driver
• Identity assurance is giving way to attribute confidence
• Consumer IDPs are in full swing
• Useful systems can be built without being the account owner
• Brand recognition is as important as trust
• Internet ID is not just about anonymity
• Identities and attributes are a multi-variable calculus
[Figure: The 3-Party Model; labels: User, Identity Provider, Relying Party, UMA]
4. Who Adds Value & What is it?
• Aggregation of service capabilities tends to confuse the conversation
  – Not clear that *any* provider can cover all aspects
• Authentication services don't provide identity
• IDPs may provide identities, more frequently provide identifiers
• IDPs outside of enterprise context do not originate identity attributes
  – Not authoritative(?), not a fresh source
• Internet2 work on attribute format
  – Semantics are less understood
5. Verified Phone #'s
• Any may be "correct" or sufficient
• It costs more to do "better"
• Most of these may be devalued by so mobile providers including Twilio
[Figure: ladder of phone-number verification levels, in increasing order: Syntactically Correct; Allocated #; Response; Consistently Asserted; Account Holder Name Match; Positive Event; Temporal/Spatial Correlation]
6. Authoritative Sources
• Location
  – No longer the purview of telcos – compliance constraints
• Sources of a "verified" mobile #
  – OnTrac, UPS, FEDEX enable package tracking
  – Yelp delivers recommendations to my phone
  – Not tied to an "address"
  – Usually tied to an identifier
7. Fresh Information Delivery
• When is fresh information delivered?
• My identity validated and an identifier issued 5 years ago
  – As useful as a birth certificate
  – Not appropriate for transactional value
• What channels are used
  – IDPs may not wish to be in the information flow
  – Fresh data criteria may be different to session limits and may be set by different policy domains
• AXN Attribute Criteria
  – Refresh Rate
8. Deriving Attribute Confidence

Data Type Metric      | Availability/Timing Metric | Geographic Coverage Metric | Refresh Rate Metric
Authoritative     5   | Real-time       1          | Global          3          | Real-Time   5
Aggregated        4   | Not Real-time   0          | National        2          | Daily       4
Direct Captured   3   |                            | State/Province  1          | Weekly      3
Self Asserted     2   |                            | N/A             0          | Monthly     2
Derived           1   |                            |                            | Annually    1
N/A               0   |                            |                            | Never       0
(Callout on the "Derived" row: This is a derived attribute)

Verification Method Metric | Level of Confidence Metric | Coverage Amount Metric | Currency/Refresh Date
Verified by Issuer     4   | High   3                   | Full      3            | Actual Date
Verified by 3rd Party  3   | Med    2                   | Partial   2            |
Out of Band            2   | Low    1                   | Minimal   1            |
Not Verified           1   | None   0                   | N/A       0            |
N/A                    0   |                            |                        |

LOC (level of confidence) = fcn(Data Type, Verification Method, Refresh Rate, Currency)
Pricing = fcn(LOC, Coverage, Attribute Type)
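As an added worked example (not part of the deck), the two metric tables and the LOC and Pricing functions from this slide in Python. The slide leaves both functions as "fcn", so the equal weighting of the four LOC inputs, the currency decay based on the promised refresh interval, and the base price standing in for "Attribute Type" are all assumptions.

```python
from datetime import date

# Metric tables transcribed from the "Deriving Attribute Confidence" slide.
DATA_TYPE = {"authoritative": 5, "aggregated": 4, "direct captured": 3,
             "self asserted": 2, "derived": 1, "n/a": 0}
VERIFICATION = {"verified by issuer": 4, "verified by 3rd party": 3,
                "out of band": 2, "not verified": 1, "n/a": 0}
REFRESH_RATE = {"real-time": 5, "daily": 4, "weekly": 3, "monthly": 2,
                "annually": 1, "never": 0}
COVERAGE = {"full": 3, "partial": 2, "minimal": 1, "n/a": 0}
# Assumed (not on the slide): the interval in days each refresh rate promises.
REFRESH_INTERVAL_DAYS = {"real-time": 1, "daily": 1, "weekly": 7,
                         "monthly": 30, "annually": 365, "never": None}

def currency_score(refresh_rate, refresh_date, today):
    """Currency as a 0..1 score (assumed; the slide only says 'Actual Date').
    1.0 while the attribute is inside its promised refresh interval, decaying
    linearly to 0.0 once it is ten intervals overdue. Dates are ISO strings."""
    interval = REFRESH_INTERVAL_DAYS[refresh_rate]
    if interval is None or refresh_date is None:
        return 0.0
    age = (date.fromisoformat(today) - date.fromisoformat(refresh_date)).days
    if age <= interval:
        return 1.0
    overdue = (age - interval) / (9 * interval)  # 0.0 at 1 interval, 1.0 at 10
    return max(0.0, 1.0 - overdue)

def level_of_confidence(data_type, verification, refresh_rate,
                        refresh_date, today):
    """LOC = fcn(Data Type, Verification Method, Refresh Rate, Currency).
    Assumed combination: mean of the four metrics, each normalised to its
    table maximum, reported on a 0..100 scale."""
    parts = (DATA_TYPE[data_type] / 5,
             VERIFICATION[verification] / 4,
             REFRESH_RATE[refresh_rate] / 5,
             currency_score(refresh_rate, refresh_date, today))
    return 100 * sum(parts) / len(parts)

def price_cents(loc, coverage, base_price_cents):
    """Pricing = fcn(LOC, Coverage, Attribute Type). Assumed: the attribute
    type sets a base price, scaled by LOC and by the Coverage Amount metric."""
    return round(base_price_cents * (loc / 100) * (COVERAGE[coverage] / 3))

if __name__ == "__main__":  # constructed sample: carrier-held vs. user-typed number
    fresh = level_of_confidence("authoritative", "verified by issuer", "daily",
                                "2013-12-31", "2014-01-01")
    stale = level_of_confidence("self asserted", "not verified", "annually",
                                "2004-01-01", "2014-01-01")
    print(f"carrier-verified: LOC {fresh:.1f}, price {price_cents(fresh, 'full', 25)}c")
    print(f"self-asserted:    LOC {stale:.1f}, price {price_cents(stale, 'partial', 25)}c")
```

The stale case shows the slide's "identifier issued 5 years ago" point: with the same base price, a self-asserted, never-reverified number is worth a fraction of a carrier-verified one.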
13. [Figure; labels: USER, RELYING PARTY]
If I had more time, I would have written less…
14.
15. Direct Attribute Association
[Figure: Direct to RP Model; labels: Attribute Exchange, Attribute Providers, Relying Parties, Attributes]
16. Policy based Facilitation
[Figure: Facilitated Direct to RP Model; labels: Attribute Exchange, Attribute Providers, Relying Parties, Attributes, Control + Accounting]
17. Layered Ecosystem
• Why is it everyone talks about authentication?
• Our ubiquitous biometrics sign-in APIs supporting multiple biometrics types will solve all your problems
• I have TPMs in every xyz product on earth – I should be in the Identity Business
• I own 70% of the PC market – I should be an IDP