Identity 2.0
Identity 2.0, also called digital identity, is set of methods for identity verification on the internet using emerging user-centric technologies such as Information Cards or OpenID. Identity 2.0 stems from the Web 2.0 theory of the World Wide Web transition. Its emphasis is a simple and open method of identitying transactions similar to those in the physical world, such as driver's license.[2]
Industry analyst firm the Burton Group described it as follows: "In Identity 2.0, usage of identity more closely resembles today's offline identity systems, but with the advantages of a digital medium. As with a driver's license, the issuer provides the user with a certified document containing claims. The user can then choose to show this information when the situation requires".
The current internet model makes taking one's identification difficult from site to site. This was described in the Burton Group report as, "today's identity systems—which represent a “1.0” architecture, feature strong support for domain management but exhibit scalability and flexibility limitations when faced with the broader identity requirements of Internet scenarios." In that light, user-centric proponents believe "federation protocols (from Liberty Alliance, the Organization for the Advancement of Structured Information Standards [OASIS], and the Web Services working group) are bastions of a domain-centric model but do little to recast the architectural foundations of identity systems to support grander structures."[3]
A major road block to creating Identity 2.0 is the strength of the existing infrastructure. Industry analysts Gartner Research reflect this perspective in their August 2006 report, stating
Identity 2.0 will be relevant to online companies — and particularly consumer-focused companies — but not before 2008. There are various Identity 2.0 initiatives — including Microsoft's CardSpace (formerly InfoCard), Sxip and Higgins. While all the initiatives leverage Internet and Web protocols, there are different approaches for storing identity attributes and in securing the interactions; these different approaches are not clearly interoperable and lack a unifying standards-based framework. Success for Identity 2.0 approaches will also require service providers to modify their Web sites and services to request, accept and authenticate identity data from clients and identity providers. This presents a potential "chicken and egg" problem whereby consumers don’t perceive the need to create digital personas until services are available to use them.[4]
A year later, Gartner published an updated perspective in their 2007 Hype Cycle Report on IAM Technologies, that positions user-centric, Identity 2.0 technologies such as OpenID, CardSpace and Higgins as "technology triggers" that are "on the rise", though two to five years away from mainstream adoption. They recommend that consumer facing organizations monitor the evolution of these "Personal Identity Frameworks".[5]
In an Identity 2.0 approach, rather than using multiple username/passwords to register onto a website (like the current model), Identity 2.0 would allow users to use one ID that is transparent and flexible. Identity 2.0 is focused around the user, not centered on a directory. It requires identified transactions between users and agents (websites) using verifiable data, thus providing more traceable transactions.
Using one identity all of the time could lead to compromised privacy or security, especially in the following cases:
- when an open identity is phished or compromised,[6]
- when users would not usually choose to use a strongly authenticated identity but are forced to do so by system properties or market pressure,
- when unrelated actions are linked with the purpose of predicting or controlling the behaviour of a user.
Verifiable but unlinkable data can be provided by users via anonymous digital credentials. The subtleties of building up trust in situations of less than perfect knowledge, which are intuitively understood in the physical world, are investigated by trust negotiation.
See also
- Authentication
- Digital Identity
- Higgins trust framework
- Identity Metasystem
- Information Card
- LID
- SAML
- XRI XDI
- YADIS
- Global Trust Center
References
- ↑ Dion Hinchcliffe (2006-01-22). "Making The Writeable Web A Responsible Place". Web Services Journal. SYS-CON Media. Archived from the original on 2006-01-23. Retrieved 2006-10-31.
- ↑ Dion Hinchcliffe (2006-07-06). "Identity 1.x: Microsoft Live ID and Google Accounts". Enterprise Web 2.0. CNET Networks. Retrieved 2006-10-31.
- ↑ Mike Neuenschwander (2005-12-20). "User-Centric Identity Management and the Enterprise: Why Empowering Users is Good Business". [burtongroup.com The Burton Group]. Retrieved 2006-10-30.
- ↑ Gregg Kreizman; Ray Wagner; et al. (2006-08-09). "Findings: Identity 2.0 Is Too Ill-Defined for Imminent Deployment". Gartner. Retrieved 2007-10-30.
- ↑ Gregg Kreizman; John Enck; et al. (2007-06-21). "Hype Cycle for Identity and Access Management Technologies, 2007". Gartner. Retrieved 2007-10-17.
- ↑ "Internet Security Intelligence Briefing, March 2006 (Volume 4, Issue I)" (PDF). Internet Security Intelligence Briefing. VeriSign. February 2006. p. 5. Retrieved 2008-08-03.
First and foremost, the developers of the Identity 2.0 protocols must make certain that deployment of Identity 2.0 does not create new opportunities for credential theft. Theft of a credential valid at one site is bad; theft of a credential valid at multiple sites is a disaster.
External links
- Phil Windley: Identity Management Architectures and Digital Identity