What is Identity Federation?

A way to link an identity and attributes across multiple distinct systems

Formally

The process of conveying an individual’s or entity’s verification, authentication, or authorization information to another party.

Simply put

How can we tell other people it’s you?

Status quo federation processes

Establishing methods to execute federated identities has become increasingly attractive as the ratio of online to physical interactions increases. The most visible manifestation of identity federation is the single sign-on (SSO) configuration, by which a user can access multiple service providers through a single authentication process. Common examples include using a Google account to sign in to Airbnb, or entering Facebook credentials to set up a Pinterest account. Depending on the nature of the transaction, a service provider can federate an entity’s verified, authenticated, or authorized identity – any of those functions can be shared. Identity federation is one approach toward reducing the burden of the duplicative verification procedures described in OWI’s definition of verification.

The United States government has taken steps toward providing federated services in its Federal Identity, Credential, and Access Management (FICAM) architecture. Some of these services include attribute exchange, credential translation, credential bridging, and policy alignment.

The problem with the status quo

Securing personally identifiable data is a challenge within one siloed service provider, and that problem only multiplies as identities are shared across institutions. With multiple interconnected accounts, the difficulty of achieving illegitimate access decreases while the incentive for doing so rises dramatically: a single compromised identity provider credential can unlock every service provider that relies on it. Data ownership and consent also become an issue with federation — users are often not aware of how their identity data is used across accounts, and lose control of who can access their data and for what purposes.

In OWI’s definition of verification, we mentioned that a core problem with the status quo is that users and organizations repeat costly and unwieldy verification processes. Federation of verified attributes is gaining traction, and in certain markets — such as the Nordics with NemID and BankID — this model is actually fairly mature.

In many markets, such as the U.S., a key limitation in federating verified attributes has been issues surrounding liability and trust. It is yet to be determined who is liable for damages if an identity provider (IdP) supplies incorrect data that a relying party then uses for decisioning.

Federation raises the question of consensus among service providers. Often there is no reliable mechanism for determining which identity verification, authentication, or authorization providers should be trusted, nor how that data can be meaningfully shared.
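The following is an added example, not code from the original page or from OWI, showing the two sides of the SSO exchange described under "Status quo federation processes" and the trust question raised here: an identity provider issues a signed assertion bound to one service provider, and the service provider decides, from its own trust registry, which issuers it accepts and which attributes each issuer may assert. All issuer URLs, keys, subjects and attribute values are constructed for the example. The assertion format is a simplified JWT-style token, and signing is HMAC with a shared secret so the example runs with the standard library alone; real SAML and OpenID Connect deployments use RSA or ECDSA keys that the IdP publishes and the service provider holds in its registry.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed issuers and their signing keys (IdP side). Assumption: HMAC with a
# shared secret stands in for the asymmetric signatures used in practice.
IDP_KEYS = {
    "https://idp.example-social.test": b"social-idp-secret-key",
    "https://idp.example-bank.test": b"bank-idp-secret-key",
}

# Service provider (relying party) side: its own identifier and a trust registry
# listing which issuers it accepts and which attributes each may assert. Trusting
# an IdP for a login identifier is not the same as trusting it for a verified claim.
SP_AUDIENCE = "https://app.example-rental.test"
TRUST_REGISTRY = {
    "https://idp.example-social.test": {"key": IDP_KEYS["https://idp.example-social.test"],
                                        "attributes": {"email"}},
    "https://idp.example-bank.test": {"key": IDP_KEYS["https://idp.example-bank.test"],
                                      "attributes": {"email", "legal_name", "age_over_18"}},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer: str, subject: str, audience: str, attributes: dict,
                    ttl: int = 300, now: Optional[int] = None) -> str:
    """IdP side: sign an assertion that names the relying party it is meant for."""
    now = int(time.time()) if now is None else now
    payload = {"iss": issuer, "sub": subject, "aud": audience,
               "iat": now, "exp": now + ttl, "attrs": attributes}
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(IDP_KEYS[issuer], body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def consume_assertion(token: str, now: Optional[int] = None) -> dict:
    """SP side: accept only what a trusted issuer may assert, to this SP, right now."""
    now = int(time.time()) if now is None else now
    try:
        body, sig_text = token.split(".")
        payload = json.loads(_b64url_decode(body))
        signature = _b64url_decode(sig_text)
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed assertion") from exc

    issuer = payload.get("iss")
    if issuer not in TRUST_REGISTRY:          # unknown IdP: no key, no trust
        raise ValueError(f"untrusted issuer: {issuer!r}")
    expected = hmac.new(TRUST_REGISTRY[issuer]["key"], body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    if payload.get("aud") != SP_AUDIENCE:     # assertion meant for another relying party
        raise ValueError("assertion was issued for a different relying party")
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("assertion expired")

    allowed = TRUST_REGISTRY[issuer]["attributes"]
    attrs = payload.get("attrs", {})
    return {"issuer": issuer, "subject": payload["sub"],
            "attributes": {k: v for k, v in attrs.items() if k in allowed},
            "ignored": sorted(set(attrs) - allowed)}


def demo() -> dict:
    """Run the accepted and rejected cases on constructed input; returns the outcomes."""
    now = 1_700_000_000
    social, bank = "https://idp.example-social.test", "https://idp.example-bank.test"
    claims = {"email": "alice@example.test", "age_over_18": True}
    results = {}
    # Social login: email accepted, the age claim ignored because this SP does not
    # trust a social IdP to verify it.
    results["social"] = consume_assertion(issue_assertion(social, "user-42", SP_AUDIENCE, claims, now=now), now=now)
    # Bank login: the same claim is accepted because the registry trusts the bank for it.
    bank_token = issue_assertion(bank, "user-42", SP_AUDIENCE, claims, now=now)
    results["bank"] = consume_assertion(bank_token, now=now)
    # Rejections: replay of a token issued for another SP, a tampered subject, and expiry.
    other = issue_assertion(social, "user-42", "https://other-app.test", {"email": "x"}, now=now)
    body, sig = bank_token.split(".")
    tampered = _b64url(json.dumps({**json.loads(_b64url_decode(body)), "sub": "admin"}).encode()) + "." + sig
    for name, bad, when in (("wrong_audience", other, now), ("tampered", tampered, now),
                            ("expired", bank_token, now + 301)):
        try:
            consume_assertion(bad, now=when)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results
```

The registry is where the "whom to trust, and for what" question lives: adding an issuer means adding its key and the attribute set it is allowed to assert, and the audience check keeps an assertion obtained from one service provider from being replayed to another.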
