RealTime IT News

Liberty Needs to Know Who You Are

The Liberty Alliance Project formed the Strong Authentication Expert Group (SAEG) to promote trustworthy authentication across disparate pieces of hardware and software on a computer network.

Liberty, whose goals include ensuring safe Web transactions on computers, created SAEG to write the Identity Strong Authentication Framework (ID-SAFE) for promoting authentication across computer networks.

SAEG, which is made up of the U.S. Department of Defense, HP, Intel, Oracle, BMC Software, American Express, Vodafone and VeriSign, is devising ID-SAFE to protect consumers against ID theft and fraud. It will also help companies find ways to use more than usernames and passwords to strengthen online authentication.

The challenge is architecting the authentication so that users can gain reliable access with hardware and software tokens, smart cards, SMS-based systems and biometrics.

While single-factor authentication usually consists of simply a PIN, strong authentication requires at least two forms of identity authentication to access a network or online application. This could be a smart card in addition to a PIN.

Roger Sullivan, a member of the Liberty board and vice president at Oracle, said SAEG's challenge is to introduce granularity in strong authentication and recognize that one-size-fits-all solutions will not necessarily work for consumers or Fortune 1000 companies.

"The dilemma is we want to strive toward an easy-to-implement, easy-to-transact business in an online fashion, but we want to do it in a way that is as secure as is appropriate," Sullivan said in an interview. "There are shades of gray in the requirements.

"For example, you might be able to check balances with single-factor authentication, but you may not move them or transfer them without two-factor authentication," he continued. "Maybe you could move balances within accounts from checking to savings under the same domain control with a two-factor authentication, but you could not transfer them out without a third-factor authentication."

Consumers and corporations alike are struggling to combat online fraud and identity theft. In these schemes, perpetrators often use people's personal information to pose as genuine consumers and siphon money from victims' bank accounts or rack up charges on credit cards.

A group such as SAEG, then, was inevitable. But the timing is interesting.

The news comes less than a month after the Federal Financial Institutions Examination Council (FFIEC) issued new guidance for banks on online authentication, noting that passwords are insufficient as the only means of security to protect a bank account.

The new rules call for banks to use better ways to authenticate the identity of customers using online products and services. U.S.-based banks are expected to achieve compliance with the new FFIEC guidance by the end of 2006.

Sullivan said Liberty is developing ID-SAFE based on its popular Liberty Federation Framework (ID-FF) and Liberty Web Services Framework (ID-WSF). The group expects to release the first version of ID-SAFE in 2006, and users can expect to see market requirement documents before that.