GovInfoSecurity.com - Information Security News, Regulations, & Education

Government Information Security Articles

Letting Users Manage Their Online Identities

Do User-Centric Systems Clash with Federal Government's Responsibility to Safeguard Individual Identities?
December 29, 2009 - Eric Chabrow, Executive Editor, GovInfoSecurity.com

With the federal government piloting the use of third-party credentials to authenticate users at three websites, a basic question that needs to be addressed is the role government should play to assure that the issuers of the credentials - picked by citizens themselves - are providing legitimate services as promised.

"Users have a heightened expectation of privacy when they interact with the government online," Heather West, a policy analyst at the advocacy group Center for Democracy and Technology, said in an interview with GovInfoSecurity.com (transcript below). "The federal government has a history of privacy protective regulations online that keep them from collecting data about the people who frequent their websites and there is no reason that these new technologies should change that expectation of privacy. So it is very important that they build privacy into the final tools."

So, should third-party credentialing companies be regulated to assure proper privacy is built into those tools? Perhaps not, West says: "One of the problems with regulating this kind of interaction is that the technology changes so quickly."

In an interview with GovInfoSecurity.com, West explains:

  • How user-centric identity works.
  • Who are the major players.
  • Why the government should not regulate user-centric identity.

West was interviewed by Eric Chabrow, managing editor of GovInfoSecurity.com.

ERIC CHABROW: What is a user-centric identity management system and how does it differ from conventional ways to identify individuals?

HEATHER WEST: Most of us are fairly familiar with offline identity; it's things like handing over your driver's license to show that you are in fact permitted to drive or permitted to buy something in a store. That is me saying, "I am Heather West. I can drive; the state told me so." But online, it is a lot harder to make that kind of assertion around your identity and typically it ends up being something like, "I am Mickey Mouse 33. You know me." But those identity systems are very rarely as protective of privacy and of user information as they could be.

We tend to prefer user-centric identity systems. They are user centric in that the user is at the center of the interaction and chooses where the information is sent and what information is used to identify them. It is also sometimes called directed identity.

So for instance, if I go to a website say, www.nih.gov, and one of these pilots and they ask me to sign in, I can choose an identity provider that I already have an existing relationship with and who already knows who I am and ask them to go ahead and tell NIH who I am, or simply that I have been there before and I have a certain set of preferences.

CHABROW: What is or who is an identity provider?

WEST: They are the people that handle my information in this case. They assert my identity on my behalf. That identity is really just some set of information, whether it is my name or my email address, or simply my favorite bookmarks or what state I live in, or who I work for. All are very useful claims about myself when I can assert them to a website in some authenticable way. And so that identity provider manages that information for me so that I don't have to go prove to each website who I am, what I do, where I live, that kind of thing.

CHABROW: And what are the advantages of this way of authenticating users?

WEST: There are a lot of advantages for everyone involved really. I as a user don't have to create new usernames and passwords for every website I go to. For example, if I wanted to go to a website online that I knew I was only going to go to once it is not worth setting up a profile for myself to say, you know here's my name, here's my address. Say it is for me ordering something online and they need to know my shipping address, everyone is familiar with going through all of these online forms and instead I could ask my identity provider to provide that information to the site if I trust my identity provider and I trust that site. So it is easier for the user.

It is also going to be easier for the sites that accept that authentication because they don't have to develop their own in house authentication systems and safeguard my data.

CHABROW: Do such identity providers exist already, or?

WEST: Oh yes. Believe it or not, millions and millions of people have these identities from identity providers. People like PayPal or Google or Facebook or LiveJournal, it is only a small, small fraction of those people using those identities across the web though.

CHABROW: Are you saying that PayPal, Google, Facebook are these identity providers or are they using?

