Commentary by Mark Wahl, CISA
Organizing principles for identity systems:
Multiple authentication
(2007/2/2)
Mike Neuenschwander, Vice President and Research Director of the Burton Group, wrote late last month on a Law of Relational Risk, which followed on his post last year on the Law of Relational Symmetry.
One point which Mr. Neuenschwander makes near the end of this most recent blog post is that these principles "also suggest that single sign-on (SSO) efforts are often misguided". Specifically, he writes that:
"In the interest of promoting relational continuity, the more authenticated connections the better - particularly if the user can parlay these authentications into improved reputation.
Recognition of participants based on multiple channels of connectivity would be the method for improving identity assurance rather than on a single login event."
I don't think Mr. Neuenschwander is bashing enterprise SSO projects as a category, since organizations deploy enterprise SSO for reasons beyond merely risk management. Rather, this SSO reference is probably aimed more at the "user-centric" identity systems, such as OpenID, that are intended to reduce the number of stub accounts a user must maintain at various web sites.
Both OpenID and CardSpace enable a web site, the relying party (RP), to transfer some of the account management aspects to an identity provider (OP in OpenID, IdP in CardSpace). Conceptually, a user could find one OP/IdP, perhaps Google or Yahoo, that would be acceptable to all their RPs, and after logging into their IdP account, would not need to provide a username/password login at each of the RPs.
If "more authenticated connections" is to improve assurance, mere username/password authentication to many different sites is probably not sufficient, as users might have similar usernames and possibly identical passwords at their sites. An attacker who has compromised a user's account on one site might then try those same credentials on other sites.
Two conceptual approaches can proceed from here. One is the "multiple channels of connectivity". For example, a user might log into one IdP service with a web browser via a computer attached to a traditional cable or DSL link, and log into another IdP service with a mobile phone via a wireless network connection. Each service can determine the network address of the requesting user, and from it an approximate location. A third service that can determine whether these two network locations are the same gets a better sense that the user is in that location.
Another is the historical information contained in the relationship between the user and each service. A bank teller might ask, for example, "what is your most common withdrawal amount?" as a means of determining that a requester is indeed the user. The identity assurance is formed by the state exchange that is built up over time. A user with multiple accounts may have multiple assurance statements from each of these IdPs.
Now for any of this to work, the relying parties need to trust the IdPs. If the RP doesn't trust one IdP, then the best that the RP can assume is that the user is just some arbitrary Internet user, and that user's identity representation can't be associated to any other representation. In this scenario, the RP also needs to join the user's identity representations across each IdP, and have confidence that the representations are equatable. This will be challenging, as IdPs may not be able to make statements about identity representations held in other IdPs.
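The three ideas above (corroborating a user across channels by comparing the approximate locations reported by different IdPs, combining each IdP's historical-relationship assurance, and an RP counting only statements from IdPs it trusts and can equate to one of its own accounts) can be shown together in a small relying-party evaluator. This is an added example, not code from the original commentary, and not the behaviour of OpenID or CardSpace; the IdP names, the prefix-to-location table, the `AssuranceStatement` fields and the scoring weights are all constructed, hypothetical values.

```python
"""Toy relying-party assurance aggregator (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed, hypothetical mapping from a network prefix to an approximate
# location. A real "third service" would use a geolocation database.
PREFIX_TO_LOCATION = {
    "203.0.113.": "metro-A",   # documentation range, stands in for cable/DSL
    "198.51.100.": "metro-A",  # documentation range, stands in for a mobile carrier
    "192.0.2.": "metro-B",     # documentation range, a different area
}


def approximate_location(ip: str) -> Optional[str]:
    """Map an observed address to a coarse location, or None if unknown."""
    for prefix, loc in PREFIX_TO_LOCATION.items():
        if ip.startswith(prefix):
            return loc
    return None


@dataclass
class AssuranceStatement:
    idp: str                   # IdP that issued the statement
    subject: str               # the user's identifier as known to that IdP
    channel: str               # e.g. "browser-wired", "mobile-wireless"
    source_ip: str             # address the IdP observed for this login
    relationship_score: float  # 0..1, the IdP's history-based confidence


class RelyingParty:
    def __init__(self, trusted_idps: Set[str], identity_links: Dict[str, str]):
        # identity_links maps "idp:subject" to an RP-local account id; it is
        # the RP's own record that two representations are equatable.
        self.trusted_idps = trusted_idps
        self.identity_links = identity_links

    def evaluate(self, statements: List[AssuranceStatement]) -> dict:
        usable = []
        for s in statements:
            if s.idp not in self.trusted_idps:
                continue  # untrusted IdP: the user is just some arbitrary Internet user
            key = f"{s.idp}:{s.subject}"
            if key not in self.identity_links:
                continue  # no way to equate this representation with an RP account
            usable.append((self.identity_links[key], s))
        if not usable:
            return {"account": None, "assurance": 0.0, "corroborated": False}
        accounts = {acct for acct, _ in usable}
        if len(accounts) != 1:
            # statements point at different RP accounts: not equatable
            return {"account": None, "assurance": 0.0, "corroborated": False}
        account = accounts.pop()
        # Historical-relationship component: mean of the trusted IdPs' scores.
        hist = sum(s.relationship_score for _, s in usable) / len(usable)
        # Multi-channel component: at least two distinct channels whose
        # approximate locations agree and are known.
        channels = {s.channel for _, s in usable}
        locs = {approximate_location(s.source_ip) for _, s in usable}
        corroborated = len(channels) >= 2 and len(locs) == 1 and None not in locs
        assurance = min(hist + (0.3 if corroborated else 0.0), 1.0)
        return {"account": account, "assurance": round(assurance, 2),
                "corroborated": corroborated}


# Constructed sample: two trusted IdPs, one untrusted, all linked to one account.
SAMPLE_RP = RelyingParty(
    trusted_idps={"idp-one.example", "idp-two.example"},
    identity_links={
        "idp-one.example:alice": "rp-account-42",
        "idp-two.example:alice.m": "rp-account-42",
        "idp-three.example:alice": "rp-account-42",
    },
)

SAMPLE_STATEMENTS = [
    AssuranceStatement("idp-one.example", "alice", "browser-wired", "203.0.113.7", 0.5),
    AssuranceStatement("idp-two.example", "alice.m", "mobile-wireless", "198.51.100.21", 0.6),
    AssuranceStatement("idp-three.example", "alice", "browser-wired", "192.0.2.9", 0.9),
]


def demo() -> dict:
    """Evaluate the constructed statements; idp-three is ignored as untrusted."""
    return SAMPLE_RP.evaluate(SAMPLE_STATEMENTS)


if __name__ == "__main__":
    print(demo())
```

In the sample, the untrusted third IdP contributes nothing even though it reports the highest relationship score, the two trusted statements arrive over different channels whose addresses map to the same area, and both are linked to the same RP account, so the result is corroborated. Move the mobile login to a different prefix and the multi-channel bonus disappears while the historical component remains.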