The new Strong Authentication Expert Group will develop an Identity Strong Authentication Framework, ID-SAFE, to address the business uses of two-factor authentication and then the technologies to address those challenges.
Roger Sullivan, Oracle Corp vice president and Liberty board member, said that defining business challenges comes first, and then the organization will look to incorporate existing standards that meet those needs before working on its own specs.
If I’m in a relationship with two parties and I strongly authenticate to one party, then my credentials are passed to the second party, but something goes wrong along the way, who is responsible for that? Sullivan said by way of an example of a business challenge.
Sullivan said that while the SAEG was formed three weeks ago at a Liberty meeting in Singapore, the organization has been thinking about these problems for some time. It was not a knee-jerk response to recent federal banking guidelines.
In October, the US Federal Financial Institutions Examination Council issued a mandate for online banks to require two-factor authentication for high-risk transactions by the end of next year, saying single-factor username/password authentication is inadequate.
One of the challenges for Liberty’s new SAEG is to figure out the best ways for banks to meet these regulations without creating too much of a burden on customers. Requiring USB tokens will turn off customers with older PCs without USB ports, for example.
If you create too-high barriers for customers you’ll turn them away at the door because it’s too hard to do business with them, Sullivan said.
Content from our partners
The new group comprises Liberty members American Express, Axalto, BMC, Diversinet, Falkin Systems, Financial Services Technology Consortium, HP, Intel, Kantega, NEC, NTT, Oracle, RSA, US Department of Defense, Vodafone, VeriSign and Wave Systems
We’ll be in close coordination with other standards groups, so we are not redundant, said Sullivan. Liberty’s earlier work with federated identify cross-pollinated heavily with the SAML work going on in OASIS, he said.
Liberty has set itself a fairly aggressive timeframe, with a draft spec planned for publication mid-2006.
RSA and VeriSign, the two major one-time password token vendors in the group, both said that the SAEG’s work will be complementary to their own standardization initiatives.
VeriSign’s two-year old Initiation for Open Authentication, for example, promises a reference architecture for strong authentication across all devices and networks and, according to director of product management Kevin Trilli, could work with SAEG.
RSA’s One-Time Password Specifications, published earlier this year, could also prove useful to the Liberty initiative, according to Shannon Kellog, director of government affairs at the company.
RSA has published six OTP specs, the most recent of which, OTP-ValidationService provides a way for applications to talk to authentication servers when users log in, based on the protocol used in RSA’s Authentication Manager server.
Both RSA and VeriSign are targeting consumer banking with their next waves of authentication systems, and the chief executives of both companies have made references this year to an authentication network that could be likened to an A network.
Sullivan said that’s a good analogy, but said that rather than A networks plugging into Visa or Mastercard’s authentication systems, a hypothetical new authentication system would be more federated and decentralized.
He suggested a federation framework where users can opt-in to a federated relationship between their primary service provider [a bank maybe] and a secondary service provider [a stockbroker, perhaps].
