20 October 2012

FIM and its discontents

'Economic tussles in federated identity management' by Susan Landau & Tyler Moore in (2012) 17(10) First Monday considers federated identity management (FIM), which "enables a user to authenticate once and access privileged information across disparate domains".
FIM’s proponents, who see the technology as providing security and ease of use, include governments and leaders in the IT industry. Indeed, a cornerstone of the current U.S. government’s efforts to secure cyberspace is its “National Strategy for Trusted Identities in Cyberspace” (U.S. Department of Commerce, 2011). Yet adoption of federated identity management systems has been slow.
From disputes over liability assignment for authentication failures to concerns over privacy, there have been many explanations for the slow uptake of federated identity management systems. We believe the problem is embedded in stakeholder incentives. We present an economic perspective of stakeholder incentives that sheds light on why some applications have embraced FIM while others have struggled. To do so, we begin by briefly analyzing seven use cases of successful and unsuccessful FIM deployments. From this we identify four critical tussles that may arise between stakeholders when engineering a FIM system. We show how the successful deployments have resolved the tussles, whereas the unsuccessful deployments have not.
Landau & Moore conclude -
In seeking to understand why federated identity management systems have not yet succeeded in the broad way anticipated at the beginning of the last decade, many have pointed to the uncertainty surrounding liability as a major obstacle. We believe this mischaracterizes the problem. Instead, we have argued that liability fits within a larger set of economic tussles that arise between stakeholders in any engineered system.
In order for a federated identity management system to succeed, all parties in the system must gain. Otherwise at least one has no incentive to participate. A user has to gain through ease of use, access to more services, greater privacy, or improved security. A Service Provider has to gain by acquiring more user data (the Facebook model), in the ability to reach to larger markets, or by insulation from liability for failures (as happens in some instances of credit card usage). An Identity Provider must also gain from the system. The gain in control of user data and of the user authentication process are obvious benefits to the Identity Provider, but those gains must be offset by granting some benefits to the Service Provider and user.
Considering the situation from the economic perspective of gain, it is clear that the early enterprise–oriented systems such as the Liberty Alliance protocols did not provide sufficient value to the individual so as to create widespread adoption (e.g., in the open Internet). However, certain instantiations such as InCommon or the NIH Federated system did provide such benefits; in those cases, uptake was high (it might be argued that in those two instances the users did not have alternatives, but the fact remains that the systems provided clear advantages to users).
Privacy, interpreted here as user control over personal data collection, should also be viewed from this perspective. Upon examining what has been produced in the market so far by OpenID, Facebook, and Google+, users have been ignored in the tussle over who controls user data. To handle this, some have proposed identity management systems such as Higgins (2009) or User Managed Access (Kantara Initiative, 2011), in which control over transactional information resides with end users, who control what data to share with Identity and Service Providers. The issue of control is a complicated one. Ease-of-use and user-data privacy are often in conflict. The success of the Kantara Initiative User Managed Access and similar projects depends critically on easy methods for users to control their data.
Government regulators and policy–makers also have a role to play if user privacy is to be included in successful systems. Here European data privacy commissioners have been active; their negative response to Passport and positive one to the Liberty Alliance protocols were important in the early days of federated identity management systems. We suspect that the best prospect for achieving user privacy in future FIM deployments will require an active role by policy–makers in advocating on behalf of users, who are largely voiceless in current debates over FIM proposals. The recent Facebook IPO, and the new economic pressures that will result from the social network becoming publicly owned, may accelerate regulators’ efforts in user privacy protections.
What are the lessons for the future?
Federated identity management systems exhibit a number of economic tussles, of which liability for failures is only one. As in any complex engineered system, the tussles cannot be resolved separately. Liability must be viewed as part of a larger set of economic conflicts occurring between the user, Identity Provider, and Service Provider. This provides an opportunity for resolving the liability problem, which properly belongs in the context of other tussles. Seeing liability this way creates opportunities for compromise. We are therefore optimistic that taking the broader view of all tussles may actually simplify the liability problem.
Another way to put this is that if the Identity Provider accrues (most of) the benefits, it would be natural to also expect the Identity Provider to accrue (most of) the risk. At one level, that is obvious; at another, by isolating the various tussles, this provides room to determine the bargaining that must arise between the three players. Of these, only two, the Identity Provider and Service Provider, are typically in the explicit negotiations; the users, of course, walk with their feet (or in this case, their fingers).
Another observation is that the payment–card networks have largely overcome liability issues between stakeholders and deployed a highly successful, if technically imperfect, system. When systems have failed to succeed commercially, it is usually caused by an unfair distribution of responsibilities and benefits between Identity Providers, Service Providers and users. One cannot expect any technology, including FIM, to solve irreconcilable incentive incompatibilities on its own. The key to success lies in setting the rules of the platform so that each stakeholder derives benefit from cooperation.
A key function of payment–card networks in e-commerce has been their ability to authenticate users for completing transactions. The early participation of American Express in the Liberty Alliance shows that even though there is less active participation now, there was initial interest by the payment-card industry in federated systems.
Payment-card networks already provide a usable solution to authenticating payments, the primary requirement of many e-commerce applications. This weakens the business case for many aspiring identity-management solutions, particularly given the strong network effects present in two-sided markets and the high fixed costs of deployment. Furthermore, a widely deployed FIM system might commoditize payment processing, particularly if their main competitive advantage is ubiquitous authentication of cardholders.
Thus we conclude with an open question: can payment-card networks peacefully coexist with a successful, widespread deployment of a federated identity management system, or will the present success of payment-card networks prevent federated identity management systems from taking off in the open Internet?