Yahoo just got a lot more interesting to me. Not because of any new application or content strategy, and only peripherally due to their recent federation announcement. No, it is because of what their recent announcement is signaling about their realization of what they have given away, and what they are willing to do to get it back. Let me explain.
Amidst the brilliantly managed and orchestrated global symphony performance that was the OpenID Connect launch, there was a discordant note from Yahoo, an OpenID Foundation corporate board member, when it announced that it would no longer be a Google or facebook relying party. I am sure that the awkwardness of the timing of the announcement was unintentional, but what it signifies about Yahoo is very interesting.
In a previous blog post, I had written about platforms in a multi-sided market, and used Google as an example (just as applicable to facebook and others) of how the Google platform is put together in order to drive consumers across their properties while packaging their targeted knowledge of the consumer to earn revenue from advertisers.
The starting point to make this happen effectively in a seamless and joined-up way across multiple channels is predicated on "owning the identity/user/account/consumer". This was the critical piece that Yahoo was giving up to Google and facebook when it allowed their users to log in to Yahoo using their existing credentials. No more!
What this signifies to me is two things:
- Yahoo leadership is willing to let go of the past and make the tough calls needed for success. Very Drucker-ish.
- Yahoo is building out its platform strategy and is executing on the critical role that identity plays in that strategy's success
I am simultaneously impressed and disappointed. Impressed as to the leadership being demonstrated to pivot the strategic direction of an internet-scale company. Disappointed that Yahoo, one of the early giants of the internet, is becoming just one more company that will collect, process, slice and dice our behavior to sell that information to the highest bidder.
In the comments of my previous blog post on fraudulent account activity signaling, Steve Howard pointed to NISTIR 7817: A Credential Reliability and Revocation Model for Federated Identities (PDF) by Hilde Ferraiolo as being relevant to the discussion. It is, and I was rather mortified to realize that it had slipped my mind. So this blog post provides a short synopsis of that work as it applies to fraudulent activity monitoring in federated identity implementations.
To keep it relevant, let me focus on what the report calls the Three Party Model (Credential Holder, Identity Provider and Service Provider) and the Four Party Model (Credential Holder, Identity Provider, Attribute Provider and Service Provider). I would encourage you to read the overview which outlines the various models in which actors in an authentication and attribute validation scenario can come together.
Really liked the emphasis on this bit:
Evidence of malicious activity at the service provider is not generally shared with the identity provider. This situation is unfortunate, as the service provider is at the forefront of attacks. It has all audit trails and knowledge of suspicious or malicious account activities [...] Service provider feedback is especially useful and indicative in the federation since the feedback is likely reported by several service providers in the federation, thus providing strong evidence of credential compromise.
NISTIR 7817: A Credential Reliability and Revocation Model for Federated Identities
- The introduction is a setup for describing what the report called a Uniform Reliability and Revocation Service (URRS) which "... provides revocation status information to and from identity providers, service providers, attribute providers, and users"
- A role for a credential holder to inform the URRS about a credential compromise
- The concept of a 'Reliability Score' that can be updated by a SP and can be used by other SPs or Identity Providers to make a risk based decision on future action
- Discussion about the role that privacy enhancing technologies such as selective disclosure schemes and anonymous credentials could play in this model
The report, very similar to the shared signals report, requires a trusted service that interacts with both Identity Providers and Service Providers with all the associated non-technical challenges it implies.
I found the focus on credential revocation checking and status notification (Revoked, Suspended, Active) via the URRS a bit baffling since in a 3 party or 4 party model, when a credential is revoked or suspended by an Identity Provider, it is not usable in a federation scheme. At the same time, I found much value in the concept of a shared 'Reliability Score' that shows decreased reliability with each negative feedback from the SPs and serves as input into a risk-based decision by the SPs to determine the suitability of a presented credential in an authentication event.
My sense is that there are points from both this report and the shared signals paper that are complementary, and could be the core of a shared fraud analytics platform service.
And since I am, at least on a thought exercise level, expending some energy on this and since any seemingly valuable effort/task/time-wasting-exercise requires a good acronym, I hereby name this particular windmill that I am tilting at the Federation-wide Reliable Account Usage Data (FRAUD) Service.
Given that identity is the starting point for delivering high value public services, benefits and entitlements, I've written about my belief that the U.S. Financial Sector is well positioned to be the natural source of high assurance credentials. This blog post lays out my understanding of why this is important, and my admittedly incomplete thoughts on what needs to be addressed to get the Financial Institutions (FIs) to the table.
The typical conversations on this topic tend to revolve around Credential Service Providers (CSPs) and Relying Parties (RPs). But that focus is minimizing the most important stakeholder: the individual who needs to be convinced to use the service.
When you put the individual first, the clear lesson to be learned is that changing existing behavior is hard and aligning User Experience (UX) with customer expectations, while providing fit for purpose security and privacy, is critical to success. So my focus on FIs is as much about leveraging their existing relationship with an individual, as it is about their identity verification and validation capabilities.
Moving on, my sense of why the U.S. FIs are not currently in the game comes down to their:
- Regulatory Concerns;
- Liability Concerns and;
- Need for a Viable Business Model.
This will require finding the right people who are not suffering from a lack of imagination. Not easy, but doable.
I remember having a conversation with a lawyer who spends a lot of time in the world of contract law. A comment that struck me was (I am paraphrasing) “There are two types of lawyers; those who are trial lawyers and those who are not. Trial lawyers understand that liability is real, is not unbounded, is not to be feared, and can be dealt with. Those who are not, look for all the ways things could go wrong, and never move beyond increasingly improbable what-if scenarios.”
A bit brutal perhaps, but my sense is that this is an addressable concern if we can ask the right questions, and get the right expertise to bear on answering them. There are also working examples of how this has been addressed in other jurisdictions that can inform us.
Need for a Viable Business Model
This is the piece that I find extremely fascinating because I believe it to be the most important. Being a non-FI person and not all that knowledgeable about that world, I am going back to first principles that if there is a problem someone is seeking to solve, and you can help with that, there is a conversation to be had about the value that can be exchanged.
So, I looked at the Financial Services Sector Coordinating Council's (FSSCC) Research Agenda for the Banking and Finance Sector (PDF) to understand the problems as they see it. And I came across this:
Issue: Our current Identity assurance processes strength is eroding at a number of levels. It is becoming increasingly difficult to correctly and uniquely identify a new customer at enrollment/on-boarding with the level of assurance commensurate with the risk
FSSCC: Research Agenda for the Banking and Finance Sector
Research Area: Establishing confidence in identities of persons, corporations and other entities, at the time of userid creation or service enrollment, including collection of information which will assist in strong identity verification in future interactions, and in the re-establishment of lost or stolen
I have some ideas around how to help with this that are still in the early stages. I am looking forward to having some good discussions to get feedback from smart people in both the public and the private sector.
I believe that there is a role for the public sector in the establishment of identity. Depending on the audience, that statement is sometimes mistaken as support for a single public sector issued credential. Ah... No! This blog post provides some foundational terminology and raises some concerns regarding the outsourcing of identity establishment.
From both a philosophical and practical perspective, I am not a fan of the "One ring to bind them all" approach to credentials, whether the ring was created by a government or by a private sector entity.
But in order to have a productive discussion on this topic, first and foremost, we need to understand that identities and credentials are not the same. Secondly, given the pervasive conflation of terms such as "credentialing", "proofing", "enrollment" and the like, we need some foundational terminology in place.
- Identity
- A set of attributes that uniquely describe an individual within a given context
- Identity Establishment
- Creation of a new identity, in an authoritative source, where none has existed previously
- Identity Verification
- Confirmation that the identity relates to a specific individual
- Identity Validation
- Confirmation of the accuracy of the identity as established by an authoritative source
There are very few entities (and they are all typically in the public sector) that are in the "Identity Establishment" business and "own" the authoritative sources: vital records agencies, agencies that deal with immigration, etc.
The concern that I have is that relying parties inside and outside government, in the absence of access (with consent) to these public sector authoritative sources, have started (at least in the U.S.) to rely on secondary transactional/financial/social data sources for identity validation. All too often they, mistakenly, tend to consider these sources to be authoritative.
This has resulted in a situation in the online world where we have for all intents and purposes outsourced a core function of the public sector, which is to vouch for us when we are asked the question "Who are you?", to private sector entities who do not work on our behalf, do not need our consent, and are motivated purely by the desire to monetize the information they can acquire and hold about us. This is A Bad Thing!
An operational concern often voiced by public sector RPs relying on an external CSP authentication service is account takeover fraud. This becomes even more interesting when the CSP is integrated with a broker architecture that allows a single account to be used at multiple RPs. This blog post looks at some of the current thinking around how this type of fraud could be mitigated.
Some time ago I had the opportunity to chat about this with Andrew Nash, who has been in the trenches on this topic. Recent circumstances motivated me to re-read a white paper he wrote for OIX on this topic called "The Shared Signals Model (PDF)". It provides a good overview of the issue and outlines one way of addressing it.
Fraudulent takeover of Consumer accounts and subsequent misuse is a significant problem that occurs daily at Identity Providers [...] The Shared Signals model describes a new collaborative system that enables intelligence sharing between Account Managers (e.g. Identity Providers) to reduce the impact of fraud and account theft on Identity Providers and consumers. Intelligence sharing is limited to event evaluation and information signaling at an account management level and does not require insight into user level transactions.
OIX White Paper: The Shared Signals Model
- Really like the use of the term "Account Manager" to describe the operational entity that owns and manages Consumer accounts rather than the overloaded term Identity Provider. Within the context of the paper, all Identity Providers are Account Managers, but not all Account Managers are Identity Providers;
- The paper seems to be written for the CSP/IdP community, which is understandable since the good ones out there do implement some manner of continuous identity verification which is typically the source of the event that needs to be signaled, which in turn leads to;
- Not much of a focus on the value-add for RPs;
At the end of it, the approach requires a bunch of highly competitive entities (CSPs/IdPs) to get together and invest in a trusted third party that can serve as the neutral clearing house for sharing fraudulent activity information between them. A valuable service, no doubt, but not an easy one from a legal, compliance, policy and privacy perspective.
I agree with Andrew that "A gestalt perspective, derived from multiple view points based on sharing signals about account use and misuse, creates a much more powerful set of insights". But in the absence of such a perspective, implementing a fraud signaling capability within the confines of a particular community of interest that has adopted a broker/proxy model for authentication may be a good starting point.
In this model, the broker acts as the "Signal Manager" for the community and the existing relationships between the entities are leveraged in order to enable this capability. One of the primary differences is that the RPs in this case are full participants in the signaling. Some points to note with the two variations above:
- The “stop everything” threshold of the CSP may be higher than that of an RP (after all public sector organizations are notoriously risk averse), so having the ability to signal the RP and have it make the risk based decision to not authorize access to some or all of the application functionality would come into play here (Pic on left)
- It is very feasible that the fraudulent activity is actually detected by the RP and it initiates the signal to the broker which, using a double-blind mechanism, could notify the other RPs that are connected to it. (Pic on right)
Interested in hearing about the viability of such a mechanism, and how this could potentially be done using standards based approaches.
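As an added illustration (not code from this post, the OIX paper, or NISTIR 7817), here is a minimal sketch of a broker acting as Signal Manager: an RP reports misuse against its own pairwise pseudonym, the broker lowers a shared reliability score, and the other RPs are notified under their own pseudonyms without learning who reported. The score scale, penalty weights, event and RP names, the HMAC-derived pseudonyms, and this reading of "double-blind" are all assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

BROKER_KEY = b"constructed-demo-key"  # constructed sample secret
START_SCORE = 100                     # assumed scale, not taken from NISTIR 7817
PENALTY = {"suspicious_login": 15, "confirmed_takeover": 60}  # assumed weights


def pairwise_id(rp_id: str, account: str) -> str:
    """Per-RP pseudonym, so two RPs cannot correlate the same account."""
    msg = f"{rp_id}|{account}".encode()
    return hmac.new(BROKER_KEY, msg, hashlib.sha256).hexdigest()[:16]


class SignalBroker:
    def __init__(self):
        self.lookup = {}                  # (rp_id, pseudonym) -> account
        self.rps_for = defaultdict(set)   # account -> RPs that have seen it
        self.score = defaultdict(lambda: START_SCORE)
        self.seen = set()                 # (rp_id, account, event) already counted

    def register_login(self, rp_id, account):
        pid = pairwise_id(rp_id, account)
        self.lookup[(rp_id, pid)] = account
        self.rps_for[account].add(rp_id)
        return pid

    def report(self, rp_id, pseudonym, event):
        """Handle a signal from one RP; return the notices for the other RPs."""
        account = self.lookup.get((rp_id, pseudonym))
        key = (rp_id, account, event)
        # Ignore unknown pseudonyms, unknown events, and repeats: a single RP
        # cannot sink a score by resending the same feedback.
        if account is None or event not in PENALTY or key in self.seen:
            return []
        self.seen.add(key)
        self.score[account] = max(0, self.score[account] - PENALTY[event])
        return [
            {   # no "from" field: the reporting RP stays hidden
                "to": other,
                "subject": pairwise_id(other, account),
                "event": event,
                "reliability": self.score[account],
            }
            for other in sorted(self.rps_for[account] - {rp_id})
        ]


def demo():
    """Constructed scenario: one account used at three RPs."""
    broker = SignalBroker()
    ids = {rp: broker.register_login(rp, "acct-1001")
           for rp in ("benefits-rp", "tax-rp", "permits-rp")}
    notices = broker.report("tax-rp", ids["tax-rp"], "suspicious_login")
    notices += broker.report("permits-rp", ids["permits-rp"], "confirmed_takeover")
    return broker, ids, notices


if __name__ == "__main__":
    for notice in demo()[2]:
        print(notice)
```

Each receiving RP compares the reported reliability against its own threshold, which is where a risk-averse RP can act earlier than the CSP would.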
It is 3:30 in the morning and I am finally on the ground in Kochi, India after more than 17 hours of flight time. I turn on my mobile phone to let my family know I have arrived in-country and I get ... nothing. Not a good start, and it turned out to be a warning indicator of the trials and tribulations to follow in obtaining a mobile internet connection.
The plan, as I imagined it would happen, was simple. Visit Mom, take a smart phone and get it connected, use it for myself while in India, and leave it with her so that she could email the grand-kids, and allow us to have regular Google Hangouts with both her and the other Grandma in Canada. In preparation for that, I bought her a new, unlocked, international GSM capable, Motorola G. A really solid and basic smart phone that got updated to Android KitKat right after I got it.
Oh, the hubris associated with first world expectations!
The travel blogs had warned me about the gyrations international visitors had to go through in India to get a local SIM card and I wanted to avoid that if possible. I had heard about a company called GigSky that was addressing this problem and obtained a SIM card from them and, via their service, pre-paid for a data plan with an Indian telco called Aircel. That was the option that became an immediate non-starter as soon as I landed.
To close out that particular thread, I contacted GigSky after I got back. Their customer service, from their CEO on down, has been outstanding. They immediately refunded me for the plan and also took the time to get details about the issue and informed me of the steps they are currently taking to resolve issues such as this. So even though their service did not work for me, I am left with a positive impression and wish them much success.
That was the start of my odyssey of trying to obtain a local data capable SIM card. Since I was planning on leaving the phone with Mom, we decided early on to get the SIM card in her name.
Day 1: Family recommends BSNL as the carrier. Called local store to verify they are open before making trip. Get there after 30 minutes of heavy traffic. They are open but won't do business since they are painting the store! Check available network carriers on phone and don't see BSNL as provider, so think that may have been a blessing in disguise. (I don't realize until coming back to the US and doing a bit of browsing around that the available "CellOne" provider is actually BSNL)
Day 2: I see Reliance Communications (a big brand in India) as an available carrier, and fight 30 minutes of heavy traffic to get to the Reliance Store in Kanjikuzhy, Kottayam, Kerala. At which time, the sales people are extremely reluctant to sell us a SIM card to the tune of recommending we try competing providers. We try some of the competitors, who inform us that they only have regular size SIM cards and do not have a micro-SIM card which is needed by the Moto G. Time and patience are wearing thin.
We end up coming back to Reliance and convince them to provide us a SIM card. At which point we are informed that, they don't really have a micro-SIM card, but if we buy the regular SIM we can take it to a little hole in the wall store down the street, and they can "cut" the regular SIM to micro-SIM size! Hoping for the best, we put down some money which we are assured will be put into the pre-paid account as soon as the line is activated, and walk to the nearby store where a successful "SIM cutting" takes place.
Day 3: Get a SMS notification that the SIM has been activated and assigned a phone number. But no data or voice access. Another 30 minutes of heavy traffic fighting to end up back at the Reliance store. I am assured that the pre-paid amount I had left when I picked up the SIM card will soon be activated on the account. I still have faith in human nature, so I believe them.
Day 4: No connection. Another trip to the Reliance store where they cannot find any record of the money we had left with them to put in the account. Holding my breath, I pay some more money to put in the account and this time wait in the store and stare at them until I get a SMS notification that the money was put into the account. My internal dialog about the trustworthiness of the store personnel is not pleasant. But at this point, I simply want things to work, and am not interested in having an unproductive fight.
Day 5: I have connectivity. As in GPRS speeds. Sending e-mail and browsing brings back memories of my dial-up days with my U.S. Robotics modem. My wife makes the mistake of forwarding a Christmas pic to me to show Mom. It takes 30 minutes to download to the phone. My son's comment "Dad, you are at least two G's behind!" rings in my ear.
Day 7: I have had intermittent connectivity for a while and even posted a pic while having afternoon tea. But today I wake up to the message that the account has been blocked and to call the customer service number. I have no voice or data access. I call Reliance customer service on a land line, and am informed there is "some problem" with the ID that was submitted to open the account. No further details. Can't be resolved remotely. Go in to the store. Yes, the same store.
My Mom, after seeing my issues with the phone and data access, wants nothing to do with the smart phone! Can't blame her.
I am done, and decide to live off the grid! Best. Decision. Ever. (See pics on this blog post)
Final Note: One of my first actions after coming back to the U.S. has been to break my Verizon mobile phone contract and get a new contract-free phone with T-Mobile. Motivation? T-Mobile has free international data roaming included as part of their plan, and they will pay the Verizon early termination fees to break the contract. I refuse to go through this nonsense ever again!