For this blog post, my last one for this year, I went back and ran the analytics on which of my posts from 2013 you, dear reader, found interesting. Here are the top ten, in the order they were written. Thank you for your continued readership and comments, and I wish you and yours the best in the upcoming year!
A Model for Separating Token and Attribute Manager Functions - Some time ago I attended an event at which some members of the Kantara Initiative Identity Assurance Working Group presented "an approach to separating credential provision functions from identity attribute functions". I've given this a bit of thought and, using their work as a starting point, modified it to incorporate terminology consistent with the NIST Electronic Authentication Guideline (SP 800-63-1).
Can NIST E-Authentication Guideline SP 800-63-1 Support a Token-Attribute Separation Model? - In "A model for separating token and attribute manager functions", I provided some examples of how that model could be mapped to instances of current online application architectures. In this blog post, I would like to explore whether the components used to calculate authentication assurance levels in NIST SP 800-63-1 can be mapped into the model.
These Are Not The LOAs (1+,2+,3+) You Are Looking For. Move Along - Requiring assurance commensurate with application or transaction risk has been a fundamental tenet when it comes to Levels of Assurance. In this blog post, I look at options to consider when there is a mismatch between assurance(s) available from token/identity/credential providers and the assurance needed by a relying party.
FFIEC and NIST Authentication Guidance. Does a Token Venn Diagram Exist? - The two sets of authentication guidance created by the US Government that are widely used in the private sector are the Federal Financial Institutions Examination Council (FFIEC) authentication guidance to financial institutions, and the NIST Electronic Authentication Guideline. This blog post takes a look at a subset of the guidance that is focused on what each deems acceptable for authentication controls and tokens.
Will Consumer IdPs Become the Maginot Line of Federated Identity? - I've recently been thinking about risk management and compensating controls as it applies to the delivery of online services that require higher assurances of identity. One item that regularly comes up in this area is the existence of entities that are conducting sensitive (financial or otherwise) transactions using nothing more than a userid and password.
HOW TO Visualize Access Control Use Cases - Identity, authentication, attribute management and authorization domain experts tend to seek clear distinctions between each of those facets. The operational folks who actually deal with these issues often blur the boundaries between them. This blog post shows an example of laying out access control use cases from an operational perspective that I found rather educational.
Identity Establishment and the Role of the Public Sector - Identity is the starting point in the delivery of high value services, benefits and entitlements. As such, the initial establishment of identity by an authoritative party is the foundation upon which other services are built. This blog post looks at some of the public sector entities that perform this function and examines how they operate in the online world.
If You Don't Plan For User Enrollment Now, You'll Hate Federation Later. Redux. - User enrollment (a.k.a. user activation, first time user provisioning, first time account mapping) into a Relying Party (RP) application is the critical first step in making identity federation work. I've found this particular topic to be one that is ripe for confusion and conflation driven by the needs and motivations of both RPs and Credential Service Providers (CSPs). This blog post provides some thoughts and perspectives on this critical process within the context of public sector services that require higher assurances of identity.
Local Credentials and Life in the Federation Glass House - I've been a long time proponent of the value of identity federation. But when faced with a choice of using a federated credential or creating a local credential, in the vast majority of cases, I have chosen the latter. This blog post is an analysis of that behavior and its implications for (my) adoption of federated credentials.
Does Public Sector Identity Federation have a Compelling Gain-to-Pain Ratio? - The adoption of higher assurance federated credentials by Users and Public Sector Service Providers (RPs) requires that there be value in using them for both parties. This blog post provides some thoughts from the user's perspective on utilizing federated credentials.
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.