Liberty Alliance Looks to Boost Secure Authentication

The Liberty Alliance Project, a global consortium of companies workingon federated identity management standards, Tuesday announced thecreation of a group to focus on developing open specifications forinteroperable strong authentication.

Liberty’s new Strong Authentication Expert Group (SAEG) includesorganizations such as American Express Co., the U.S. Department ofDefense’s Defense Manpower Data Center, the Financial ServicesTechnology Consortium (FSTC), Oracle Corp. and VeriSign Inc.

The new group has been created to speed the development of standardsfor strong authentication in a federated identity model, said RogerSullivan, a Liberty board member who is also a vice president ofbusiness development at Oracle.

“Identity federation has begun to really establish some traction in themarketplace,” Sullivan said. As a result, there’s a growing need for astandard definition of strong authentication, what it means, when itshould be used, what forms of authentications can be used and whatbusiness use cases exist for different types of strong authentication,he said.

“We are focused on the federation marketplace, but certainly theprinciples of what we are discussing can be applied” in otherenvironments as well, he said.

Identity federation allows users to log in to applications and servicesacross multiple domains and distributed, heterogeneous networks using asingle set of identity and authentication information. Once logged into one system, they do not need to log in again.

Over the next few months, Liberty’s SAEG will work on developing anIdentity Strong Authentication Framework to enable different types ofstrong authentication technologies such as smart cards, tokens andbiometrics that can work across organizations, networks and verticalmarket segments. The first draft of the framework is expected to bereleased in mid-2006.

The creation of the new group comes at a time of heightened interest instrong authentication methods largely driven by fears of online fraudand identity theft.

Such concerns recently prompted the Federal Financial InstitutionsExamination Council to release new guidelines calling on banks toupgrade current single-factor authentication processes — typicallybased on usernames and passwords — with stronger forms ofauthentication.

Though the Liberty Group’s effort is targeted specifically at federatedidentity networks, it also is relevant to the banking sector, said JimSalters, director of technology development and business initiatives atthe FSTC.

The FSTC, whose members include most major financial institutions inthe U.S., has for the past several months been working on a separateinitiative to define guidelines and standards for better mutualauthentication between retail bankers and their customers.

The blueprint for mutual authentication is being developed by a25-member FSTC group — which includes eight of the top 10 banks in thecountry — and is designed to make it easier for financial institutionsto deploy strong authentication technologies and for consumers to adoptthem, Salters said.

“In a nutshell, it is about getting financial institutions together todiscuss the commonalities that need to be in place for deployingstronger authentication,” Salters said. “The key driver is how do weretain some of the commonalities that are in place today [across theretail banking sector] so that we can prevent customers from gettingconfused?

“It is also about articulating to vendors what the requirements for thefinancial industry are as far as interoperability and [technology]features,” he said.

By Jaikumar Vijayan – Computerworld (US online)