In the comments of my previous blog post on fraudulent account activity signaling, Steve Howard pointed to NISTIR 7817: A Credential Reliability and Revocation Model for Federated Identities (PDF) by Hilde Ferraiolo as being relevant to the discussion. It is, and I was rather mortified to realize that it had slipped my mind. So this blog post provides a short synopsis of that work as it applies to fraudulent activity monitoring in federated identity implementations.
To keep it relevant, let me focus on what the report calls the Three Party Model (Credential Holder, Identity Provider and Service Provider) and the Four Party Model (Credential Holder, Identity Provider, Attribute Provider and Service Provider). I would encourage you to read the overview which outlines the various models in which actors in an authentication and attribute validation scenario can come together.
Really liked the emphasis on this bit:
Evidence of malicious activity at the service provider is not generally shared with the identity provider. This situation is unfortunate, as the service provider is at the forefront of attacks. It has all audit trails and knowledge of suspicious or malicious account activities [...] Service provider feedback is especially useful and indicative in the federation since the feedback is likely reported by several service providers in the federation, thus providing strong evidence of credential compromise.
Source: NISTIR 7817: A Credential Reliability and Revocation Model for Federated Identities
- The introduction is a setup for describing what the report calls a Uniform Reliability and Revocation Service (URRS), which "... provides revocation status information to and from identity providers, service providers, attribute providers, and users".
- A role for a credential holder to inform the URRS about a credential compromise
- The concept of a 'Reliability Score' that can be updated by an SP and used by other SPs or Identity Providers to make a risk-based decision on future action
- Discussion of how privacy enhancing technologies such as selective disclosure schemes and anonymous credentials could fit into this model
Like the shared signals paper, the report requires a trusted service that interacts with both Identity Providers and Service Providers, with all the non-technical challenges that implies.
I found the focus on credential revocation checking and status notification (Revoked, Suspended, Active) via the URRS a bit baffling: in the Three Party or Four Party Model the Identity Provider is in the loop for every authentication, so a credential it has revoked or suspended is already unusable in the federation without any separate status lookup. At the same time, I found much value in the concept of a shared 'Reliability Score' that drops with each piece of negative feedback from an SP and serves as input into a risk-based decision by other SPs on whether to accept a presented credential in an authentication event. The corroboration the report itself points to is what gives such a score its teeth: the same credential reported by several independent SPs is far stronger evidence of compromise than repeated reports from a single SP.
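To make the Reliability Score concrete, here is an added example (mine, not code from NISTIR 7817 or from the report's authors) of a toy URRS ledger in Python together with the risk-based check an SP would run against it. The three status values come from the report; the scoring rule (each reporter's evidence is time-decayed and capped, then combined multiplicatively across distinct reporters so that corroboration from several SPs lowers the score faster than repeated reports from one), the holder self-report policy, the decision thresholds and every class and function name are assumptions of this example.

```python
"""URRS-style credential reliability ledger with an SP risk decision.

Added example for this post; it is not code from NISTIR 7817 or from the blog.
The report's URRS holds a revocation status (Active/Suspended/Revoked) and a
Reliability Score that service providers lower with negative feedback. The
scoring rule here (per-reporter evidence cap, multiplicative corroboration
across distinct reporters, exponential time decay), the holder self-report
policy, the thresholds and the names are assumptions, not the report's design.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Status(Enum):
    ACTIVE = "Active"
    SUSPENDED = "Suspended"
    REVOKED = "Revoked"


@dataclass
class Feedback:
    reporter: str    # identifier of the SP that filed the report
    severity: float  # 0 < severity <= 1, e.g. 0.2 suspicious login, 1.0 confirmed takeover
    ts: float        # report time in days on any shared monotonic clock


@dataclass
class CredentialRecord:
    status: Status = Status.ACTIVE
    feedback: List[Feedback] = field(default_factory=list)


class URRS:
    """Shared ledger that IdPs, SPs and credential holders read from and write to."""

    def __init__(self, half_life_days: float = 30.0, per_reporter_cap: float = 0.4):
        self.half_life = half_life_days
        self.cap = per_reporter_cap  # one SP alone can never push the score below 1 - cap
        self.records: Dict[str, CredentialRecord] = {}

    def _rec(self, cred_id: str) -> CredentialRecord:
        return self.records.setdefault(cred_id, CredentialRecord())

    # --- writes ---------------------------------------------------------
    def report(self, cred_id: str, reporter: str, severity: float, ts: float) -> None:
        """SP feedback: evidence of malicious use of cred_id observed at `reporter`."""
        if not 0.0 < severity <= 1.0:
            raise ValueError("severity must be in (0, 1]")
        self._rec(cred_id).feedback.append(Feedback(reporter, severity, ts))

    def holder_reports_compromise(self, cred_id: str) -> None:
        """Holder self-report: suspend pending the issuing IdP's decision (assumed policy)."""
        rec = self._rec(cred_id)
        if rec.status is Status.ACTIVE:
            rec.status = Status.SUSPENDED

    def idp_set_status(self, cred_id: str, status: Status) -> None:
        """Only the issuing IdP revokes or reinstates; the URRS merely relays the status."""
        self._rec(cred_id).status = status

    # --- reads ----------------------------------------------------------
    def status(self, cred_id: str) -> Status:
        rec = self.records.get(cred_id)
        return rec.status if rec else Status.ACTIVE

    def reliability(self, cred_id: str, now: float) -> float:
        """1.0 means no negative feedback. Each reporter's decayed, capped evidence
        is combined as an independent signal, so the score falls faster when several
        distinct SPs report than when one SP reports the same thing repeatedly."""
        rec = self.records.get(cred_id)
        if rec is None:
            return 1.0
        evidence: Dict[str, float] = {}
        for fb in rec.feedback:
            decay = 0.5 ** ((now - fb.ts) / self.half_life)
            evidence[fb.reporter] = evidence.get(fb.reporter, 0.0) + fb.severity * decay
        score = 1.0
        for e in evidence.values():
            score *= 1.0 - min(self.cap, e)
        return score

    def distinct_reporters(self, cred_id: str) -> int:
        rec = self.records.get(cred_id)
        return len({fb.reporter for fb in rec.feedback}) if rec else 0


def sp_decision(urrs: URRS, cred_id: str, now: float,
                deny_below: float = 0.5, step_up_below: float = 0.85) -> str:
    """Risk-based decision at an SP on a presented credential (thresholds assumed)."""
    if urrs.status(cred_id) is not Status.ACTIVE:
        return "deny"        # Revoked or Suspended: unusable regardless of score
    score = urrs.reliability(cred_id, now)
    if score < deny_below:
        return "deny"
    if score < step_up_below:
        return "step-up"     # e.g. demand a second factor before accepting the assertion
    return "allow"


if __name__ == "__main__":
    # Constructed scenario: one SP reports a confirmed takeover, a second SP corroborates.
    urrs = URRS()
    urrs.report("cred-42", "sp-bank", severity=1.0, ts=0.0)
    print(sp_decision(urrs, "cred-42", now=0.0))  # step-up: one reporter, capped evidence
    urrs.report("cred-42", "sp-tax", severity=1.0, ts=0.0)
    print(sp_decision(urrs, "cred-42", now=0.0))  # deny: two independent SPs agree
    urrs.idp_set_status("cred-42", Status.REVOKED)
    print(sp_decision(urrs, "cred-42", now=0.0))  # deny: status overrides the score
```

Running the script walks through the constructed scenario: a single SP's confirmed report only moves the SP decision to step-up authentication, a second independent SP's report moves it to deny, and an IdP revocation short-circuits the score entirely, which is the point made above that a revoked or suspended credential needs no score at all.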
My sense is that there are points from both this report and the shared signals paper that are complementary, and could be the core of a shared fraud analytics platform service.
And since I am, at least on a thought exercise level, expending some energy on this and since any seemingly valuable effort/task/time-wasting-exercise requires a good acronym, I hereby name this particular windmill that I am tilting at the Federation-wide Reliable Account Usage Data (FRAUD) Service.
- NISTIR 7817: A Credential Reliability and Revocation Model for Federated Identities (PDF)
- Fraudulent Account Activity Signaling in Broker/Proxy Models
- What Capabilities are Enabled by Public Sector Federated Identity Platforms?
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.