Anil John
Making Digital Services Secure and Trustworthy

The Missing Link Between Tokens and Identity

Component identity services, where specialists deliver services based on their expertise, are a reality in the current marketplace. At the same time, the current conversations on this topic seem to focus on the technical bits-n-bytes and not on responsibilities. This blog post is an attempt to take a step back and look at the topic through the lens of accountability.

Login (Token) Management is a topic that is pretty well understood and, to a great extent, standardized. Yes, there will always be new token types coming into the market, but the process for evaluating them is in place. There is also increasing clarity around the identity management piece, and while there are many more moving parts there, that piece is also maturing nicely.

What I find missing, or still in the hand-waving phase, is the conversation around link management, which I consider critically important in making the use of component identity services successful.

Link management, at a high level, covers two things:

  1. The strength and rigor of the process used to link (a.k.a. bind) the token(s) to an identity
  2. The strength and rigor of the process used to ensure that the token holder and the person who was identity proofed are the same person

At the end of the road, the RP is out-sourcing one or more management functions to another entity and holding it accountable for fulfilling them in a manner the RP finds acceptable. As such, looking at the various out-sourcing options through an accountability lens may be helpful in jump-starting the discussion.

Out-Sourcing Option 1:

Configuration:
  • Token, Identity & Link Management under the control of a single external (to the RP) entity
  • From an implementation perspective, either the Login (Token) Manager or the Identity Manager may be in charge of the Link Management function, but there is a single unified face presented to the RP
  • The classic Credential Service Provider (CSP) configuration

Accountability Considerations:
  • Accountability for asserting an identity to a specific and mutually agreed-upon degree of confidence resides with the single external entity

Out-Sourcing Option 2A:

Configuration:
  • RP outsources the Login (Token) Management functions
  • RP keeps the Identity Management and Link Management responsibilities in-house

Accountability Considerations:
  • The Token Manager is accountable for ensuring, to a mutually agreed-upon degree of confidence, that it is the same person across multiple sessions
  • The RP is accountable for the identity management functions, for linking that identity to the outsourced token, and for ensuring that the person the token was issued to is the person it identity proofed
  • The interface and/or processes exposed to the RP in order to support link management are NOT standardized or consistent at the present time

Out-Sourcing Option 2B:

Configuration:
  • RP outsources the Identity Management functions
  • RP keeps the Login (Token) Management and Link Management responsibilities in-house

Accountability Considerations:
  • The Identity Manager is accountable for resolution, validation and verification, and for providing the attributes needed to enroll a person with the RP
  • The RP is accountable for the token management functions and for ensuring that the person it issued the token to is the person that was identity proofed by the out-sourced Identity Manager
  • The interface and/or processes exposed to the RP in order to support link management are NOT standardized or consistent at the present time
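To make the two link-management properties concrete for the split configurations (2A, where the token is outsourced, and 2B, where proofing is outsourced), here is an added example of an RP-side link manager. It is not code from the original post; the record shapes, the issuer, subject and session identifiers, and the rule that binding is only accepted inside the authenticated session in which proofing completed are assumptions made for illustration.

```python
"""Added illustration of RP-side link management (not from the original post).

The token side only ever asserts "same subject as before"; the identity side
only ever says "this record was proofed to level X". The link is what turns an
authenticated session into an identified person, so the RP records it
explicitly and checks both legs on every login.
"""
from dataclasses import dataclass
import datetime as dt
from typing import Optional


@dataclass(frozen=True)
class ProofedIdentity:
    """Result of proofing: in-house in Option 2A, from the Identity Manager in 2B."""
    identity_id: str
    ial: int               # assurance level the proofing process claims (assumed scale)
    proofing_session: str  # authenticated session in which proofing was completed


@dataclass(frozen=True)
class TokenAssertion:
    """What the Token Manager asserts at each login (constructed shape)."""
    issuer: str   # which Token Manager made the assertion
    subject: str  # subject identifier, meaningful only within that issuer
    aal: int      # authenticator assurance level the issuer claims (assumed scale)
    session: str  # authenticated session the assertion belongs to


@dataclass(frozen=True)
class Link:
    issuer: str
    subject: str
    identity_id: str
    ial: int
    bound_at: dt.datetime
    evidence: str  # why the RP believes the token holder is the proofed person


class LinkError(Exception):
    pass


class LinkManager:
    """Owns the binding between issuer-scoped subjects and proofed identities."""

    def __init__(self) -> None:
        self._by_token: dict[tuple[str, str], Link] = {}
        self._by_identity: dict[str, Link] = {}

    def bind(self, assertion: TokenAssertion, identity: ProofedIdentity) -> Link:
        # Property 2: the token holder must be the person who was proofed. The
        # evidence accepted here is that proofing completed inside the same
        # authenticated session in which this token was presented.
        if assertion.session != identity.proofing_session:
            raise LinkError("token was not presented in the proofing session")
        key = (assertion.issuer, assertion.subject)
        if key in self._by_token:
            raise LinkError("token already bound to an identity")
        if identity.identity_id in self._by_identity:
            # A lost or replaced token means re-proofing, not silent rebinding.
            raise LinkError("identity already bound; re-proof before rebinding")
        link = Link(
            issuer=assertion.issuer,
            subject=assertion.subject,
            identity_id=identity.identity_id,
            ial=identity.ial,
            bound_at=dt.datetime.now(dt.timezone.utc),
            evidence=f"proofed in authenticated session {assertion.session}",
        )
        self._by_token[key] = link
        self._by_identity[identity.identity_id] = link
        return link

    def resolve(self, assertion: TokenAssertion, min_ial: int, min_aal: int) -> Optional[Link]:
        # Property 1: an authenticated token with no recorded link identifies
        # nobody. The lookup is keyed by (issuer, subject) because the same
        # subject string from two issuers is two different tokens.
        link = self._by_token.get((assertion.issuer, assertion.subject))
        if link is None:
            return None
        # Each leg is checked on its own: a strong login does not raise the
        # assurance of weak proofing, and strong proofing does not excuse a weak login.
        if assertion.aal < min_aal or link.ial < min_ial:
            return None
        return link

    def revoke_identity(self, identity_id: str) -> None:
        """Drop the link, e.g. after the Token Manager reports a compromised or
        reissued subject; the person must be proofed and bound again."""
        link = self._by_identity.pop(identity_id, None)
        if link is not None:
            del self._by_token[(link.issuer, link.subject)]


def demo() -> dict:
    """Constructed walk-through; returns the outcomes instead of printing them."""
    lm = LinkManager()
    alice = ProofedIdentity("id-001", ial=2, proofing_session="sess-A")
    lm.bind(TokenAssertion("https://tokens.example", "sub-42", 2, "sess-A"), alice)
    out = {}
    later = TokenAssertion("https://tokens.example", "sub-42", 2, "sess-B")
    out["same_token_later"] = lm.resolve(later, 2, 2).identity_id
    other_issuer = TokenAssertion("https://other.example", "sub-42", 2, "sess-C")
    out["other_issuer"] = lm.resolve(other_issuer, 2, 2)
    weak_login = TokenAssertion("https://tokens.example", "sub-42", 1, "sess-D")
    out["weak_login"] = lm.resolve(weak_login, 2, 2)
    bob = ProofedIdentity("id-002", ial=2, proofing_session="sess-E")
    try:
        lm.bind(TokenAssertion("https://tokens.example", "sub-99", 2, "sess-F"), bob)
        out["cross_session_bind"] = "accepted"
    except LinkError:
        out["cross_session_bind"] = "rejected"
    return out
```

What the outsourced party is accountable for is visible in what this code cannot check: if the Token Manager hands "sub-42" to a different person after a botched account recovery, the link is now wrong and the RP has no way to notice from the assertion alone. That is exactly the "same person across multiple sessions" promise the Token Manager is held to in Option 2A, and in Option 2B the mirror image holds for the Identity Manager's proofing result.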

For all of the ambiguities around link management, the above three configurations are very much in play right now. That does not hold true for the following two options; cue excitement!

Out-Sourcing Option 3:

Configuration:
  • Login (Token) Management, Identity Management and Link Management are done by three distinct entities
  • The Link Manager may aggregate the services of multiple Token Managers and/or multiple Identity Managers

Accountability Considerations:
  • Is the Link Manager accountable for all three functions?
  • If multiple Login (Token) Managers or Identity Managers are being aggregated, is each of them consistent in the functions it fulfills?
  • When something goes wrong with the Token Management or Identity Management functions, is the Link Manager the point of accountability or is it a pass-through?

Out-Sourcing Option 4:

Configuration:
  • Login (Token) Management, Identity Management and Link Management are done by three distinct entities
  • The Link Manager may aggregate the services of multiple Token Managers and/or multiple Identity Managers
  • The Link Manager may offer value-added services to the mix, e.g. multi-factor authentication, fall-back in-person identity proofing, fraud analytics, device binding, etc.

Accountability Considerations:
  • Is the Link Manager accountable for all the functions it is fronting, or is it acting as a pass-through?
  • If multiple Login (Token) Managers or Identity Managers are being aggregated, is each of them consistent in the functions it fulfills?

I tend to watch and listen, with an occasional sense of bemusement, to the tit-for-tat conversations around certifications, trust-marks and self-attestations. At the end of the road, for certifications or self-attestations to have any value, they need to be a proxy for the allocation of responsibility and accountability when things go wrong. As such, looking at out-sourcing component identity services through an accountability lens may be the most effective way to get from point A to point B.

Question: What value-added services can you see being offered by a Link Manager at higher levels of assurance?

This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.