
Identity Management Overview

2 Evolution of Identity Management Requirements

2.2. Identity Management Overview

Fig. 1: Identity legend

A model of identity can be seen as follows [6]:

• User: the entity who wants to access a service

• Identity Provider (IdP): the issuer of the user's identity

• Service Provider (SP): the relying party that imposes the identity check

• Identity (Id): a set of the user's attributes

• Personal Authentication Device (PDA): a device holding various identifiers and credentials, which can be used for mobility

Fig. 2: Relationship between entities, identities and identifiers

The relationship between entities, identities and identifiers is shown in Fig. 2, which illustrates that an entity, such as a user, may have multiple identities, and that each identity may consist of multiple attributes, which can be unique or non-unique identifiers.

Identity management refers to “the process of representing, using, maintaining, deprovisioning and authenticating entities as digital identities in computer networks”.

Authentication is the process of verifying claims about holding a specific identity. A failure at this stage threatens the validity of the entire system. Stronger forms of authentication are constantly being sought, using claims based on:

• Something you know: a password or PIN

• Something you have: a one-time-password token

• Something you are: your voice, face or fingerprint (biometrics)

• Somewhere you are: your position

• Some combination of the four.

The BT report [3] highlights several points for meeting the challenges of identity theft and fraud:

• Developing risk calculation and assessment methods

• Monitoring user behavior to calculate risk

• Building trust and value with the user or consumer

• Engaging the cooperation of the user or consumer with transparency, without complexity and without shifting liability onto the consumer

• Taking a staged approach to authentication deployment and process challenges, using more advanced technologies

Digital identity management must balance three connected vertices: usability, cost and risk, as illustrated in Fig. 3.

Fig. 3: Digital identity environment to manage

The user should be aware of the risk he or she faces if the security of his or her device or software is compromised. Usability is the second aspect that must be guaranteed to the user; otherwise he or she will find the system difficult, which is itself a source of security problems. Indeed, many users who are flooded with passwords write them down and hide them in a "secret" place such as under their keyboard. Furthermore, the difficulty of deploying and managing a large number of identities discourages the use of identity management systems. The cost of a system should be studied carefully and balanced against risk and usability. Many systems, such as one-time-password tokens, are not widely used because they are too costly for widespread deployment in large institutions. Traditionally, identity management was service-provider centric, as it was designed to fulfill the requirements of the service provider, such as cost effectiveness and scalability. Users were neglected in many aspects, for example by being forced to memorize too many or overly difficult passwords.

Identity management systems are designed to address the following core facets [7]:

• Reducing identity theft: identity theft is becoming a major problem, mainly in the online environment, and providers need more effective systems to tackle it.

• Management: the number of digital identities per person will increase, so users need convenient support to manage these identities and the corresponding authentication.

• Reachability: managing reachability allows users to control their contacts so as to prevent misuse of their address (spam) or unsolicited phone calls.

• Authenticity: ensuring authenticity through authentication, integrity and non-repudiation mechanisms can prevent identity theft.

• Anonymity and pseudonymity: providing anonymity prevents the users of a service from being tracked or identified.

• Organizational personal data management: a quick method to create, modify and delete work accounts is needed, especially in large organizations.

Without improved usability of identity management [7] (consider, for example, the weak passwords users rely on across many Web sites), the number of successful attacks will remain high. To facilitate interaction with unknown entities, simple recognition, rather than authentication of a real-world identity (which usually involves manual enrollment steps in the real world), has been proposed [4]. Usability is indeed enhanced if no manual task is needed. The level of security may be weaker, but it may be sufficient for some actions, such as logging in to a mobile game platform. Single Sign-On (SSO) is the name given to the requirement of eliminating the problems of multiple and dangerous passwords.

When we use multiple user IDs and passwords just to use the e-mail systems and file servers at work, we feel the inconvenience that comes from having multiple identities. A second problem is the scattering of identity data, which causes problems for the integration of IT systems. SSO addresses both: it simplifies the end-user experience and enhances security via identity-based access technology.

Microsoft's first large identity management system was Passport Network. It was a very large and widespread Microsoft Internet service intended to be the identity provider for MSN and the Microsoft properties, and an identity provider for the Internet as a whole. However, with Passport, Microsoft was suspected by many of intending to take absolute control over the identity information of Internet users and to exploit it for its own interests. Passport failed to become the Internet's identity management tool. Since then, Microsoft has clearly understood that an identity management solution cannot succeed unless some basic rules are respected [8]. That is why Microsoft's Identity Architect, Kim Cameron, stated the seven laws of identity. His motivation was purely practical: determining the prerequisites of a successful identity management system. He formulated the essential principles for maintaining privacy and security.

1. User control and consent over the handling of their data.

2. Minimal disclosure of data, and for a specified purpose.

3. Information should only be disclosed to parties who have a justifiable need for it.

4. The system must provide identifiers for both bilateral relationships between parties, and for incoming unsolicited communications.

5. It must support diverse operators and technologies.

6. It must be perceived as highly reliable and predictable.

7. There must be a consistent user experience across multiple identity systems and using multiple technologies.

Most systems fail several of these tests; in particular, they are deficient in fine-tuning access control over identity data so as to minimize its disclosure.
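The fine-grained attribute release that the preceding paragraph finds lacking, together with the IdP/SP model of Fig. 1 and the SSO requirement discussed above, can be made concrete in code. The following Python is an added example, not code from the original paper or from any cited system: a hypothetical IdP issues a signed, audience-bound assertion containing only the intersection of the attributes the SP requests and the attributes a release policy allows that SP (minimal disclosure, laws 2 and 3); the SP verifies signature, audience, validity window and replay before trusting any attribute. All names (idp.example, mail-sp, payroll-sp, USER_ATTRIBUTES, RELEASE_POLICY) are assumptions of the example, as is the single shared HMAC key; SAML and OpenID Connect deployments use asymmetric signatures instead.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Set

# Constructed sample: one entity ("alice") with one identity made of several attributes.
USER_ATTRIBUTES = {
    "alice": {"sub": "alice", "email": "alice@example.org", "role": "staff", "dob": "1990-01-01"},
}

# Constructed attribute release policy per relying party (hypothetical SP identifiers).
# Minimal disclosure: an SP only ever receives attributes it is entitled to.
RELEASE_POLICY = {
    "mail-sp": {"sub", "email"},
    "payroll-sp": {"sub", "role"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Issues signed, audience-bound assertions once the user has authenticated (SSO)."""

    def __init__(self, signing_key: bytes):
        # Assumption for this example: one HMAC key shared by the IdP and every SP.
        self.signing_key = signing_key

    def issue_assertion(self, user: str, sp_id: str, requested: Set[str], now: int, ttl: int = 300) -> str:
        # Release only what is both requested and permitted for this relying party.
        allowed = RELEASE_POLICY.get(sp_id, set()) & requested
        claims = {k: USER_ATTRIBUTES[user][k] for k in sorted(allowed)}
        payload = {"iss": "idp.example", "aud": sp_id, "iat": now, "exp": now + ttl,
                   "jti": secrets.token_hex(8), "attrs": claims}
        body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
        sig = hmac.new(self.signing_key, body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(sig)


class ServiceProvider:
    """Relying party: checks signature, audience, validity window and replay before trusting attributes."""

    def __init__(self, sp_id: str, idp_key: bytes):
        self.sp_id = sp_id
        self.idp_key = idp_key
        self.seen_jti = set()  # assertion ids already consumed

    def verify(self, token: str, now: int) -> dict:
        body, _, sig = token.partition(".")
        expected = hmac.new(self.idp_key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise ValueError("bad signature")
        payload = json.loads(_unb64(body))
        # Audience binding: an assertion meant for another SP must not be accepted here.
        if payload.get("aud") != self.sp_id:
            raise ValueError("assertion issued for another relying party")
        if not (payload["iat"] <= now < payload["exp"]):
            raise ValueError("assertion expired or not yet valid")
        if payload["jti"] in self.seen_jti:
            raise ValueError("replayed assertion")
        self.seen_jti.add(payload["jti"])
        return payload["attrs"]


def rejection_reason(sp: ServiceProvider, token: str, now: int) -> Optional[str]:
    """Return the SP's rejection reason, or None if the assertion was accepted."""
    try:
        sp.verify(token, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    key = b"constructed-idp-signing-key"
    idp, mail = IdentityProvider(key), ServiceProvider("mail-sp", key)
    token = idp.issue_assertion("alice", "mail-sp", {"sub", "email", "dob"}, now=1000)
    print(mail.verify(token, now=1001))          # dob is requested but never released
    print(rejection_reason(mail, token, 1002))   # second presentation is a replay
```

Note that the SP never sees the user's password and never learns attributes outside its policy; the user authenticates once at the IdP and each SP receives its own short-lived assertion, which is the SSO property discussed above.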

Cameron's principles are very clear, but they are not explicit enough to compare identity management systems in fine detail. That is why we will define the identity requirements explicitly.