Kim Cameron is Architect of Identity in the Identity Division at Microsoft, where he champions the emergence of a privacy-enhancing Identity Metasystem reaching across technologies, industries, vendors, continents and cultures. Kim blogs at identityblog.com, where he published the Laws of Identity.
What are the biggest opportunities in Digital ID and authentication today?
Identity experiences today are controlled by service providers - the entities creating and offering digital applications and services, not by end users or identity providers, into which category we need to place Digital ID. So the biggest opportunity for Digital ID is to have service providers adopt it. Experience internationally shows that gaining adoption of government-backed identity systems is non-trivial. Understanding the barriers to and facilitators of adoption in the Canadian context is probably the most useful conversation for us to have at this time. We need to clearly distinguish between Digital ID and authentication: service providers have other (in other words, conventional) authentication choices. Even when enthusiastic about Digital ID, private sector service providers will retain conventional authentication as a customer choice in order not to lose customers due to the friction of shepherding them towards a new identity system. So Digital ID must see itself as one authentication alternative amongst others which must vie for integration into hundreds of thousands of existing service provider identity systems. A key factor here is that almost all of these systems are fragile homemade solutions built and deployed without significant domain expertise. Almost all of them represent significant risk of identity catastrophe because they are completely unable to withstand the elevated threats inherent in the current internet environment. Worse, since credentials are overwhelmingly reused, the weakest link threatens the rest of the system. Recently digital service providers have begun to clearly understand these risks and turn to cloud services specializing in identity management to replace their home-built systems. We have seen dramatic uptake in services that professionalize the management of customer (as well as partner and employee) identity. These services are not identity providers. They are services that operate as an extension of the service provider, integrating multiple sources of claims. A key opportunity for Digital ID would be to be made a ubiquitous “out-of-the-box” option within these professionalized offerings. It could then ride the technology trend towards up-leveling of identity systems to help achieve ubiquitous adoption.
What are the major trends on a global level? If you want, select a single word to describe them.
Professionalism. First and foremost, professionalism of the attackers, sophisticated use of the internet for distributed credential attacks, and the willingness to invest patiently in implanting agents of insider attack. Second, the professionalism of cloud identity services which have arisen in response to the new levels of threat, and which to survive are forced to meet and surpass the challenges of the attackers, spending billions to develop a whole new DNA based on standards, billions of signals, machine learning, and operational excellence. Specialized cloud identity services run on behalf of service providers imply the emergence of industry leaders - posing dangers of concentration. These dangers may well be mitigated by the third major trend – emergence of distributed ledger technology (including but not limited to blockchain) and its application to identity. The fourth major trend is internationalization. Canadian businesses will be interacting with consumers from other countries, just as Canadian consumers will be interacting with service providers worldwide, and this will loom large in determining the fate of Digital ID and ensuring it will remain one authentication choice amongst many.
What role will Digital ID and authentication play in increasing Canadians’ abilities to connect with businesses and governments?
Authentication, without necessarily revealing natural identity, is essential for many business and government use cases. If there is enough citizen acceptance, government may have the ability to require use of Digital ID on some or all of its sites. (If there is not, such a requirement might slow the adoption of digital government services, which would be disastrous.) Assuming citizen acceptance of Digital ID as a concept, as momentum grows it will lower the complexity and cost of interacting with government. To the extent that Canadian business service providers opt to support Digital ID as an authentication option, numerous factors will then impact the decision of users to employ it as their authentication choice with those providers. This will include whether they have previously enrolled in Digital ID; whether it simplifies registration for new services; and whether it makes sense to them that they use an option so closely associated with government identity to interact with a private enterprise. This in turn will be contingent on the privacy characteristics of the system, and the ability to communicate these characteristics to the citizenry.
How might we balance the needs of individual people and businesses and governments?
Everything we do needs to be about maintaining this balance better than anyone else in the world. As Canadians we know how to do that. The digital world has no borders and Canadian business will have infinite competition. Digital ID must offer the best privacy protections for individuals and the best guarantees of confidentiality for businesses if it is to be successful.
How can we educate Canadians on Digital ID and authentication? Whose responsibility is it and why?
All you have to do is watch a two-year-old using an iPad and you realize the huge challenge in educating people about technology. The education really comes from usage and lives very deep in the organism. The education of service providers about Digital ID will be propelled by “early adopters” with success stories. It may well be appropriate for an entity like Identity North or the Digital ID and Authentication Partnership to develop a strategy for promulgating these stories. It seems that educating users about the advantages of Digital ID in interacting with government should be the responsibility of the government. In my view success at getting Digital ID accepted for interactions with businesses will require an understanding by the population of the privacy features of the system, or more explicitly that their natural expectation of “contextual separation”, as I called it in the Laws of Identity, will be respected if they use the system. Assuming this is the practical reality and can be easily demonstrated, government may decide to fund information programs for the population in keeping with its desire to stimulate growth of the digital economy.
What should Canadians be most excited about?
A great many informed, wise and practical steps have already been taken to advance Canadian Digital ID, and I assume the public policy, technical review and audit processes are in place to guarantee that the desired security and privacy features are present and visible in the operational deployed system. Now what is needed is for “Startup Digital ID” to be adopted and integrated into Canadian government and business. That means not positioning it as the panacea for everything, but demonstrating to both service providers and end users its practical superiority as a solution for the specific use cases requiring strong identification. Gaining adoption will in my view require great skill and the ability to ride the wave of concomitant technical trends such as professionalization of service-provider identity management systems in general, and integration with constantly evolving technology in a world which is guaranteed to realign itself. But adoption of Digital ID by service providers would result in a digital infrastructure which at least within a national trust framework operates at a superior level of safety and a minimal level of friction. Your average Canadian may not get “excited” about this, but it will certainly contribute to her enhanced quality of life and the acceleration of the digital economy – things that make Canadians happy and prosperous.
Can you describe what you see as the future of digital authentication?
I see global technology trends very much modulated by the characteristics of different geopolitical and cultural entities. The trek towards the future will be different in Europe, Asia, Africa, Latin America and North America. Just as something like Digital ID may provide unique features for the way business identification unfolds in Canada, one sees related but culturally specific manifestations in the UK as eVerify, and in the US, as connect.gov. At a technical level, digital authentication will everywhere be expressed as a set of claims made by one digital subject (a claims provider) about another. Some claims will continue to be identifiers, others will be attributes of the identified object. There will be many claims providers. All levels of government (federal, provincial, city) will assert claims specific to their level of jurisdiction. All countries will have such claims providers. In addition many private enterprises will issue claims. This includes social identity providers and entities like consumer credit bureaus and corporate reputation providers. It also includes issuers of professional licenses (medical, legal and accounting) and educational institutions. Devices will issue claims that can be combined with claims about people, including GPS location, presence of their operator and even proximity of second factors such as phones or wearable accessories. Health verification sites will issue claims testifying to the level of protection of unmanaged devices. They will also be able to issue claims indicating a device corresponds to the signals received at international scale about device takeover by botnets and credential miners. Many service providers will also operate their own claims providers. For example, a hospital may issue claims about patients resulting from in-person interviews and collection of identification documents that can be used by its own systems to increase level of assurance or drive performance of applications. Similarly, hospitals in a network could issue claims to each other. So in this multi-centered future we have moved beyond the “federation” model in which there is a single claims provider that provides information to a service provider. This is a post-domain model. There are numerous potential sources of claims that can be combined to make decisions about resources that can be accessed. New cloud technologies for service providers have emerged that use “Trust Framework Policies” to combine these claims into authentication and authorization decisions. They are capable of supporting the requirement that service providers operate at international scope where different options will make sense in different countries or continents. Another final twist on this is the ability to use the same “Trust Framework Policies” to support “Me2B” – “Me to Business” – for example see meeco.me. Me2B systems are now being called “Digital Relationship Managers”, better names than “Vendor Relationship Manager” or “Life Management Platform” used previously. The most important thing about Me2B is that the information about a user’s relationship with a service provider can be shared with the user’s own “Relationship Manager”, giving the user a control panel with which to manage all his digital relationships. These systems, capable of maintaining digitally signed assertions by a plethora of entities who know the user, are able both to enhance control and privacy by the end user and to provide means to increase the quality of identification.
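The multi-centered, claims-based model described in this answer can be made concrete with a small program. The following is an added example written for this page; it is not part of the interview and does not reproduce any product or trust framework Kim Cameron mentions. Every issuer name, key, claim name, subject identifier and policy rule in it is constructed for illustration, and an HMAC stands in for the asymmetric signature (for instance JWS) a real claims provider would use. The relying party verifies tokens from several claims providers, keeps only the claims its trust-framework policy allows each issuer to assert, and then decides access per resource from the combined set.

```python
import hashlib
import hmac
import json

# Constructed issuer keys. A real deployment would use asymmetric signatures
# so the relying party never holds an issuer's signing secret.
ISSUER_KEYS = {
    "gov.example/digital-id": b"gov-signing-key-constructed",
    "devicehealth.example": b"device-health-key-constructed",
    "hospital-a.example": b"hospital-a-key-constructed",
}


def _canonical(payload):
    """Stable byte encoding so issuer and verifier sign the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue(issuer, subject, claims, now, ttl=300):
    """A claims provider signs a set of claims about a subject."""
    payload = {"iss": issuer, "sub": subject, "iat": now,
               "exp": now + ttl, "claims": claims}
    sig = hmac.new(ISSUER_KEYS[issuer], _canonical(payload),
                   hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify(token, now):
    """Return the payload if the signature is valid and the token is within
    its validity window, otherwise None. Unknown issuers fail closed."""
    payload = token["payload"]
    key = ISSUER_KEYS.get(payload.get("iss"))
    if key is None:
        return None
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    if not (payload["iat"] <= now < payload["exp"]):
        return None
    return payload


# Constructed trust-framework policy: which issuer may assert each claim,
# and which claims each resource requires. An issuer asserting a claim it is
# not trusted for (e.g. a hospital asserting age) is simply ignored.
POLICY = {
    "claim_issuers": {
        "age_over_18": {"gov.example/digital-id"},
        "device_healthy": {"devicehealth.example"},
        "patient_verified": {"hospital-a.example"},
    },
    "resources": {
        "view_records": {"patient_verified", "device_healthy"},
        "book_appointment": {"age_over_18"},
    },
}


def combine_claims(tokens, subject, now, policy=POLICY):
    """Merge claims from many providers, keeping only those the policy
    allows that issuer to make, and only about the expected subject."""
    accepted = {}
    for token in tokens:
        payload = verify(token, now)
        if payload is None or payload["sub"] != subject:
            continue
        for name, value in payload["claims"].items():
            if payload["iss"] in policy["claim_issuers"].get(name, set()):
                accepted[name] = value
    return accepted


def authorize(resource, claims, policy=POLICY):
    """Grant access only if every claim the resource requires is present
    from a trusted issuer and is true."""
    required = policy["resources"].get(resource)
    if required is None:
        return False
    return all(claims.get(name) is True for name in required)


def demo():
    """Three claims providers speak about one subject; the relying party
    decides each resource from the combined, policy-filtered claims."""
    now = 1_700_000_000
    subject = "user-42"  # constructed, context-specific identifier
    tokens = [
        issue("gov.example/digital-id", subject, {"age_over_18": True}, now),
        issue("devicehealth.example", subject, {"device_healthy": True}, now),
        # The hospital also asserts age, which the policy does not let it do.
        issue("hospital-a.example", subject,
              {"patient_verified": True, "age_over_18": True}, now),
    ]
    claims = combine_claims(tokens, subject, now)
    return {r: authorize(r, claims) for r in POLICY["resources"]}


if __name__ == "__main__":
    print(demo())
```

The design point to notice is that trust is attached to the pairing of issuer and claim type, not to the issuer as a whole: the hospital's assertion about age is dropped even though its signature verifies, which is what lets claims from many providers be combined without any one of them becoming a universal authority.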