Get ready for Identity 3.0

Yahoo!'s recent announcement that it intends to support OpenID, allowing users to access multiple internet sites with their Yahoo! ID, is a big step forward for acceptance of OpenID. For users of many Web 2.0 sites this increased use of OpenID looks to bring increased convenience when logging in.

However, in spite of recent security improvements to the OpenID 2.0 specification, the standard will not assure security when logging into sites such as banking and e-commerce, as use of these security provisions is entirely optional on the part of those implementing the technology.

OpenID is certainly not the only authentication framework identified with Identity 2.0 (federated identity). SAML (Security Assertion Mark-up Language) has been available since November 2002 and has become the most widely deployed single sign-on solution for enterprise identity management. And, more recently, Windows CardSpace was introduced in April 2006.

While these solutions clearly represent an improvement over the previous use of non-federated usernames and passwords, none of these three options satisfactorily meets all users' needs and expectations for identity management. Also, it is clear that two-factor authentication, whether via tokens or biometrics, is not going to meet all user needs for a wide variety of online usage. No one wants to physically carry multiple tokens, and enterprises really don't want to manage the infrastructure and processes required for the issuance and use of tokens for large numbers of customers.

Even though we don't yet have a fully satisfactory solution to Identity 2.0, it is not too early to begin articulating requirements for Identity 3.0. In fact, unless we do so quickly, we are going to find the identity problem getting even worse. While the popular press has been focused on Web 2.0 sites such as Facebook and MySpace, nascent implementations of Web 3.0 are rapidly leaving labs and migrating into initial deployments. We're behind schedule on developing an Identity 3.0, and I'm not seeing a lot of work being done on this problem.

So, what are the possible requirements for Identity 3.0? There are three likely elements: first, there should be a complete separation of user-centric IDs and service (provider)-centric IDs. This would increase privacy for users and give them more control over their personal information. Second, there will probably be a need for some form of support for presence, for example inference from video cameras or RFIS sensors.

Finally, future identification models will probably have to support not only today's electronic identities, but virtual identities as well. We already have an announcement from IBM and Second-Life creators Linden Labs about their mutual collaboration on an open standard for "universal" avatars, where users could maintain the same name, appearance and other important attributes in multiple virtual worlds.

In his new book, The dotCrime Manifesto: How to Stop Internet Crime, Phillip Hallam-Baker articulates other requirements from which I picked out two really important ones. One is attribute-only authentication. This means that a specific attribute about an individual can be verified, but no other information that is not directly relevant to the action is disclosed. For example, if I can go into a bar to get a glass of wine, the bartender only needs to know that I am of legal drinking age - not my name, home address or any other information about me.

The other unlinkable identifier goes a step further. Not only would an individual not be forced to reveal any attribute not directly related to the action involved, but the identifier would have no means of linking the attribute authenticated with any other information about me. In other words, what's needed is a sophisticated scheme that simultaneously provides strong authentication and complete anonymity. Current Identity 2.0 models do not support this requirement - which is the reason for the many privacy concerns we have with digital identities.

- Tim Mather is chief security strategist for RSA Conferences.