Liberty Needs to Know Who You Are

The Liberty Alliance Project formed the Strong Authentication Expert Group
(SAEG) to promote trusty authentication across disparate pieces of hardware
and software on a computer network.

Liberty, whose goals include ensuring safe Web transactions on computers,
created SAEG to write Identity Strong Authentication Framework (ID-SAFE) for
promoting authentication across computer networks.

SAEG, which is made up of the U.S. Department of Defense, HP, Intel, Oracle, BMC Software, American Express, Vodafone and VeriSign, is devising ID-SAFE to protect consumers against ID theft and fraud. It will also help companies find ways to use more than usernames and passwords to strengthen online authentication.

The challenge is architecting the authentication so that users can gain
reliable access with hardware and software tokens, smart cards, SMS-based
systems and biometrics.

While single-factor authentication usually consists of simply a PIN,
strong authentication requires at least two forms of identity
authentication to access a network or online application. This could be a smart card in addition to a PIN.

Roger Sullivan, a member of the Liberty board and vice president at Oracle,
said SAEG’s challenge is to introduce granularity in strong authentication
and recognize that one-size-fits-all solutions will not necessarily work
for consumers or Fortune 1000 companies.

“The dilemma is we want to strive toward an easy-to-implement, easy-to-transact business in an online fashion, but we want to do it in a way that
is as secure as is appropriate,” Sullivan said in an interview. “There are
shades of gray in the requirements.

“For example, you might be able to check balances with single-factor
authentication, but you may not move them or transfer them without
two-factor authentication,” he continued. “Maybe you could move balances within accounts
from checking to savings under the same domain control with a two-factor
authentication, but you could not transfer them out without a third-factor

Consumers and corporations alike are struggling to combat online fraud and
identity theft. In these schemes, perpetrators often use people’s personal
information to pose as genuine consumers and siphon money from victims’ bank
accounts or rack up charges on credit cards.

A group such as SAEG, then, was inevitable. But the timing is interesting.

The news comes less than a month after the Federal Financial Institutions Examination Council (FFIEC) issued new guidance for banks on online
authentication, noting that passwords are insufficient as the only means of
security to protect a bank account.

The new rules call for banks to use better ways to authenticate the
identity of customers using online products and services. U.S.-based banks
are expected to achieve compliance with the new FFIEC guidance by the end of

Sullivan said Liberty is developing ID-SAFE based on its popular Liberty
Federation Framework (ID-FF) and Liberty Web Services Framework, (ID-WSF).
The group expects to release the first version of ID-SAFE in 2006, and users
can expect to see market requirement documents before that.

News Around the Web