2016 in review: Standards and interoperability needed, but slow to take root
In the identity space, 2016 was a year of unprecedented activity. As we look back on the year that was, One World Identity spotlights three macro trends that have emerged. Our first post discussed the identity evolution, and today we delve into the need for standards and interoperability.
Sometimes, it feels like identity is where email was in the 1960s. Back then, e-mail was a way to leave electronic messages on a user’s file directory. It could be used within organizations on the same mainframe computer, but sending e-mails across the network didn’t happen until 1971. It took another couple of decades to implement standards governing message formats, attachments, and the other building blocks of the modern e-mail solution we take for granted today.
Today, we have many islands and silos of identity, interoperable with themselves and possibly only their closest neighbors. An average consumer in a developed country may maintain relationships with over 200 organizations, each storing that consumer’s data and identity in a silo. While users may be able to use a federated login such as a Google or Facebook account for authentication to another website, they generally have to recreate identity attributes such as address, date of birth and so on.
This is also true in the physical world. For example, eu-LISA (the European Agency for the operational management of large-scale IT system) cites the lack of standards and interoperability between different biometric devices and vendors as a strategic challenge for implementing smart border solutions to facilitate border crossings within the EU (Krum Garkov, Executive Director, eu-LISA, “Smart borders – shaping the future of border management in EU,” Trustech, December 2016). In other words, a fingerprint scanning device from vendor X implemented by a port in Portugal is not inherently interoperable with a scanning device from vendor Y used at an airport in Poland; the fingerprints of the same traveler going through both may not easily be reconciled into one record.
Standard setting is certainly happening, but it is slow to take root. This summer, the National Institute of Standards and Technology (NIST), a U.S. government standard setting organization, issued guidance urging organizations to deprecate the use of SMS for second factor authentication or one-time passwords because of security vulnerabilities. Unfortunately, researchers in both academic and commercial institutions had been warning about these very SMS vulnerabilities for the better part of a decade. Nevertheless, the NIST announcement generated a lot of buzz and concern; NIST even issued a clarifying blog post to calm fears and clarify the guidance. However, the U.S. Social Security Administration didn’t seem to get the memo, launching a mandatory SMS-based second factor authentication for online users just days after the NIST announcement. (The solution has since been rolled back, not because of concerns of SMS vulnerability, but because “citizens raised concerns to SSA and the OIG about aged and disabled beneficiaries’ abilities to comply with this mandate.” See http://oig.ssa.gov/newsroom/blog/aug23-online-security and http://blog.ssa.gov/update-to-new-online-security/)
A personal favorite involves a [failed] attempt at using an enhanced driver’s license to cross the U.S.-Canada border. The enhanced driver’s license is meant to replace a passport when using a land crossing between Canada and the U.S. Unfortunately, most border officials are still unaware that this is now the case. So much so, that the Washington State Department of Licensing has posted this helpful hint to travelers on their website: “The EDL/EID is a new border crossing document and some border agents may be unaware it is acceptable identification. To help eliminate any confusion, we recommend you take with you the sheet from U.S. Customs and Border Protection that lists the EDL/EID as ‘an acceptable border crossing document.’” If we still struggle with interoperability of our existing identity documents, what is the outlook for getting to mutually recognized and interoperable e-IDs?
Despite these challenges, there are incredible gains to be made through standard setting and interoperability, not only to ensure security, but also to drive savings across organizations and governments alike. For example, in the U.K. alone, it is estimated that organizations could cut the costs of identity assurance from an annual £1.65 billion today to £150 million with standardized digital processes based on “make once, use many times.” The rising cost of fragmentation will continue to drive interoperability and standards.
Stay tuned to OWI for the third and final part of this series, discussing how identity is a fundamentally human metric.