Blog

Will Strong Authentication ever Reach a Mass Scale? (Part 2 of 2)

Back to the initial point of this article...

Antiquated, paper-based processes should be decomposed and replaced by a modern, electronic solutions. Authenticating a digital identity will be an essential building block in the development of such a solution. Just like the electric battery will be a building block in the rise of the electric car (ala Shai Agassi). And here is where I commend the vision and entrepreneurship of Brent and Sal. They have both come up with multi-factor authentication solutions that meet Kantara Initiative's Identity Assurance Framework Assurance Levels 3 (AL3) and 4 (AL4) credential management requirements from a technical standpoint. In addition, and more importantly, they employ novel business models that make them feasible, thinking in Internet scale (and not in expensive, non-scalable models such as HSPD 12).

It is only with this kind of perspective that the next generation of strong authentication solutions will become a reality. The focus needs to be well beyond technology: how can organizations benefit from economies of scale, mass adoption and leverage ubiquitous 21^st century infrastructure such as cell phones and telephony in general?

Resolving this issue will be far more important to identity-enabling high-value services, than whether the credentials and claimes are exchanged via SAML, OpenID, CardSpace, good old X.509, or one-time passwords (OTP) via SMS. At this point in time, this is the easiest piece of the puzzle.

Disclaimer for the Identirati: I really don't mean to trivialize federated identity technology, or offend those producing great work and advances in this area;  it is just that these technological challenges are dwarfed by those in the business area. Hopefully I won't be stoned to death for making this statement.

It is all about the business model

We are on the brink of a tipping point. But for a significant change to take place, we need to stop thinking about the obvious business model that has been attempted for years on how to provide strong authentication in large scale: the end user [or its sponsoring organization] pays.

Let me illustrate: In order to mitigate risks in accessing sensitive information, many organizations sponsor their user base (employees, contractors, vendors, suppliers, consumers, etc.) strong authentication credentials, along with the identity proofing and issuance process that each user needs to go through to get the credential. For instance, employers issue OTP devices to their employee for remote access into their Intranet, banks issue OTP devices, USB tokens or smart cards to their customers for sensitive transactions, pharmaceutical companies issue high-assurance X.509 certificates to their R&D staff for electronic submissions to the FDA and US Patent Office, and similarly aerospace and defense companies issue high-assurance certificates to their workforce to encrypt and authenticate when accessing DoD-sensitive data.

In most if not all cases, the organization foots the entire bill, and limits the use of the credential to the purposes intended and nothing more (even in the cases of federated use, such as SAFE-BioPharma or CertiPath). While this contains their risk and liability exposure, it also increases the cost involved in the digitalization of the process, and severely constrains the possibility of mass adoption. Also, for the fashion and public health conscious, creates the dreaded "token necklace" syndrome. Burton Group's Mark Diodati published an article on this topic in October 2009, which I found interesting.

A look into the future

OK, so let's fast track to the 21^st century - all right, not exactly... maybe beyond the first or second decade. After several false starts by several developed countries' governments, entrepreneurs finally figured out business models that made strong authentication economically viable at Internet scale.

The world has understood that charging organizations or even end users for a digital credential simply does not work. Instead, successful identity-enabled services leverage ubiquitous infrastructure such as cell phones, and do not charge on a per credential basis, but instead for the use of the service. Operators exist who are willing to give out strong-authentication devices for free or for a nominal service fee. These devices can carry more than one digital identity credential in a FIPS 140-2 certified compartment. The same form-factor and even the same credential can be leveraged across multiple services. Service providers collectively subsidize the cost of the credential and form-factor, similar to the 20^th century credit card and ATM networks (oh my God, did I say this out loud?). For many services providers, the cost of providing strong authentication at AL3 and AL4 is much less than the cost of fraud they would face with lower levels of assurance.

The average citizen carries a strong-authentication physical device that contains their most sensitive digital credentials; the ones that they use to perform the most sensitive transactions (AL4) such as

• Perform high-value financial operations
• Pay taxes
• Gain access to healthcare services
• Play in their online casino
• Be able to buy liquor by proving that they are over 21-years old
• Digitally sign their now-electronic mortgage application (wouldn't this be nice?).

They rely on their PDA or cell phone, and in some cases on other voice-based channels such as an old-fashion land line), to securely authenticate and gain access to other services, which may not be as sensitive (AL3) such as buying personal items online, bidding on eBay for some memorabilia, checking in for a flight, confirming a stock purchase transaction, and accessing consumer online banking sites. All without having to pay for the issuance of the credential, or for the authentication event.

I envision a near future, in which society will enjoy some basic benefits at no direct cost: access to breathing air, access to the Internet, and access to strong and legally enforceable authentication in a digital context which will enable secure access to day-to-day electronic and online services. High value identity-enabled services will be so popular, trustworthy and successful, that the regular user would not even remember that at some point in time, strong authentication was doubted to ever reach mass scale.

Wow, that sounded a lot like Isaac Asimov. I strongly encourage you to read and provide feedback to Department of Homeland Security's [Draft] National Strategy for Trusted Identities in Cyberspace,

Your comments are most welcome.

Will Strong Authentication ever Reach a Mass Scale? (Part 1 of 2)

It has to, there is just no other way...

The motivation for this article came from the recent publication of Department of Homeland Security's [Draft] National Strategy for Trusted Identities in Cyberspace, on which I collaborated; as well as conversations I had with Brent Williams at Anakam and Sal Khan at Atrust. Both consider authentication and digital identity as essential components to enabling digital trust in an electronic and online context at Internet scale.

Background

For many years, I have been pondering digital identity (an electronic representation of humans in a digital environment) and identity and access management (IAM): how can they truly enable trust in electronic and online transactions, allowing us to fully seize the benefits of the Internet age?

As I alluded to in a past article, I have some history on this topic going back to 2006. I label myself an identity assurance activist.

Despite the great advances in technology over the last two decades, as a society, we are still being held back from fully realizing the benefits of the 21^st century Internet. This is primarily due to the issue of trust (or lack of it) in online and electronic channels, which are highly dependant on reliable authentication.

Allow me to illustrate: If you ever buy real estate in the US, you would have go through a process that hasn't changed much since the 19^th century, minus the Pony Express courier service. You would have enjoyed the slow, error-prone, labor-intensive and highly irritating, paper-based process of inspecting, appraising, transacting, registering, insuring and financing the property followed by an 18^th century process of contracting services for construction or home improvement. For your sake (and mine), will not get into this highly satisfying, ulcer-generating process. All of this, on the average, employs 12 different parties ranging from appraisers, lenders, local and state government, brokers, insurers, sellers, attorneys, cousins, siblings, party-crashers and the like. I believe that the founding fathers used more sophisticated technology to write the United States constitution, than the average county clerk utilizes to register a property deed. Have you ever stopped to wonder why, in the 21^st century, the age of web 2.0, federated identity, facebook, twitter, and the online social networks, we still have to endure and subsidize such an inefficient way of doing business?

Couldn't I leverage my PayPal account to take care of this? How about my facebook or gmail account? Heck, aren't we supposed to buy everything through eBay or Amazon nowadays?

What's going on here? Is it perhaps the generational clashes and dilemmas of losing our ancient traditions and values in this fast-paced society that makes us hold on to these relics? I think not.

I could point out other day-to-day examples in healthcare, social security administration, insurance claim processing, cross-border trade, and bank accounts, but that would make this article way too long.

Why are these processes so archaic even today?

I do not have a good answer. There are a multitude of factors, including history and habit. One reason is the fear that moving toward an electronic or online process increases the risk of fraud to levels that we cannot manage or understand.

Nonsense. I would say that the paper-based processes we have today are more fraud-prone. We have all suffered from such fraud in one way or another. By migrating to electronic processes, we won't be worst off, so we must take the leap forward. Fear of risks is no justification holding back.

These processes must be modernized. It's just simple physics: manual labor is no longer scalable or sustainable. It cannot keep up with the backlog of paperwork required in our society. As the baby boomer generation retires and veterans come back from war, this will only get worse. Therefore, automation and process redefinition are essential.

 During my days in banking, I learned that the back office processing of mortgages and foreclosures is even more daunting, manual and inefficient. The recent subprime crisis has revealed our inability to keep up with the paperwork backlog.

We have not fully identified the economic benefit and the market opportunity of digitizing these inefficient processes. That is why they have stayed the way they have up until now.

What does it have to do with Identity or Authentication?

It has everything to do with [digital] identity. Identity is the cornerstone of the issue at hand.

If you followed my train of thought to this point, then you are ready for this realization: couldn't we apply the same constructs of IAM that we typically utilize in the Enterprise or Internet consumer worlds to automate these processes and advance as a society? Of course we can.

Then why don't we? Wouldn't we, as a society, be better off without these inefficiencies, which are carbon-footprint heavy and costly? Of course we would.

So why haven't we modernized these processes?

This is not a simple problem to solve. Moving our everyday business processes from paper to electronic will require a quantum leap evolution (e.g. from horse to automobile). When Henry Ford introduced the automobile, people no longer wished they had faster horses.

Some of these processes will need to be decomposed to atomic pieces, and reassembled in the appropriate way, in ways that reflect today's reality. This change will be drastic, simply because we have exhausted the physical limits to bear a gradual shift. Just like we have not yet realized that a gradual shift from fossil fuel vehicles, to hybrid or fuel cell, to truly zero-footprint energy sources will never occur.

I am not talking about PDF'ing paper forms and using document management systems and workflows with electronic or digital signatures. I am talking about forever forgetting that the document would ever be printed, or whether it fits in a Letter or A4 sheet of paper. This will force us to think about digital identities in 21^st century style.

Technology will be an integral part of this shift. More important is the definition of standards for brokering and establishing trust at the desired level for the kind of transaction being performed. Having the appropriate legal framework to ensure that provisions and protections can be enforced is also essential. On this topic, I applaud Tom Smedinghoff's efforts with the American Bar Association IDM Task Force, which are necessary and critical. In addition, the business model that will make strong authentication viable, and will be the focus of part 2 of this article.

[To be continued...]

A Case Study: Addressing NERC CIP using an IAM Strategy

Given the increased relevance of NERC CIP compliance in the Energy sector over the last 12 months, we have been focusing on this topic from an Identity and Access Management (IAM) perspective since early this year.  Our CTO, Ash Motiwala posted a couple of very good blog articles on this subject: A NERC CIP Quick Win = Recertification + Closed Loop Deprovisioning and An Introduction to NERC CIP Compliance and Identity & Access Management Technologies.

Next week, on Tuesday, May 11^th from 3 to 4 pm EDT, we will be hosting a webinar featuring a case study by one of our clients in the Energy sector: PPL.  Details for the event and the registration page are available here.

PPL, formerly known as PP&L or Pennsylvania Power and Light, is an energy company headquartered in Allentown, Pennsylvania.  It currently controls over 11,000 megawatts (MW) of electrical generating capacity in the United States, primarily in Pennsylvania and Montana, and delivers electricity to 1.4 million customers in Pennsylvania.

I will be presenting, alongside Pete Johnson, Director of Information Assurance at PPL, and will be discussing their approach to streamlining and maintaining compliance with several regulatory requirements, with a specific focus on NERC CIP, using IAM.  I had the opportunity to work directly with Pete and the PPL team in defining and starting the execution on their IAM strategy, and I believe that this case study will be valuable to any organization subject to multiple regulations in any vertical, not just Energy.  Evidently, the stiff fines that are now enforceable by NERC (of up to US$1M per incident per day), are a very strong driver in the Energy vertical.

Consistent with our style, this session will be very "meat-and-potatoes".  We intend to keep this vendor agnostic, without marketing jargon, focusing mainly on the practical knowledge and experience gained by PPL.  Our intended audience is IT Managers, IT Professionals, CIO, CISO, COO, CTO, IT Directors, and Solution Architects.  We are planning to leave time for a Q&A session towards the end, so I hope you can join us.

A Busy Week at Both HIMSS and RSA Conferences

 I am just returning from a week of travel and conference activity, which start for me in Newark, NJ on Monday March 1, from there to Atlanta, GA for the HIMSS Conference 2010 (north of 25,000 attendees), and then on to San Francisco, CA on Wednesday March 3 for the last 2 days of RSA Conference 2010 (about 16,000 attendees), and then back home in NJ on Friday March 5. In all, last week was very busy but very productive for me.

It was good to see a lot of familiar faces as well as new ones, and to see that despite the economy, both of these conferences seem to be well-attended, with tons of vendor participation, and great sessions all around. Maybe this is an uncommon economic indicator (worthy of mention in the NY NPR radio show by Brian Lehrer). This time around I must confess that I spent most of my time outside of the conference session and exhibits meeting with colleagues, prospective customers and friends. For me, this was one of the most productive conference trips I've had in a few years.  Since my focus is always on identity and access management, it is exciting to see the convergence of business [and in many cases technical] requirements and various trends across industries, which drive the need for identity and access management as both an enabler and risk mitigation approach.

At the HIMSS conference, a theme that was very top of mind was "meaningful use" which is driving a lot of vendors and healthcare providers towards electronic health record (EHR) technology, and specifically, the 45 CFR Part 170 specifications. It is clear the US Government incentives for those providers (both professionals and hospitals) that can demonstrate adherence to the meaningful use guidelines is generating momentum.

I had the opportunity to present at HIMSS, thanks to our partner Novell. My topic was "Identity Assurance in Healthcare: what does it mean to you?" (below is my slide deck)

While the 45 CFR Part 170 criteria was published on December 30, 2009, it is interesting to see that at the heart of the requirements regarding authentication, specifically §170.210 "Standards for health information technology to protect electronic health information created, maintained, and exchanged", is the issue of identity assurance, which was captured very cleverly in the 1993 New Yorker cartoon by Peter Steiner, where one dog with a paw on a computer's keyboard tells another: "On the Internet, nobody knows you're a dog".  For well over 15 years, this very issue: knowing, with certainty, who is at the end of the keyboard, has been one of the biggest challenges in the enablement of true paperless transactions and trusted online services in all industry verticals. And healthcare has been no exception.

Inevitably, these requirements and standards will impact the way healthcare information systems will operate and interconnect, whether they are new or legacy, and inaction will most likely not be an option.

A Windfall for Identity Assurance

First off, I would like to would like to express my sympathy to those affected by the terrible earthquake that hit Chile this past weekend.

Envio mi palabra de aliento y de optimismo al pueblo Chileno. Tengo muy buenos amigos Chilenos y a todos les deseo lo mejor en vista de estas circunstancias, a sus familias y a todos los afectados... Las cosas de Dios son sin duda alguna indescrifrables.

In this blog post, I would like to share with you some recent developments in the world of identity assurance, which as you know from my recent blog posts: "Identity Assurance, an everyday life issue" part 1 and part 2, is a top of mind issue for me and for us here at Identropy. Quite frankly, I could not hope for better timing for these blogs to come about.

On Friday February 26th, 2010 the US Federal Government's Identity, Credential, and Access Management (ICAM) Trust Framework Evaluation Team (TFET) reviewed Kantara Initiative's latest submission and granted it Provisional Approval as a Trust Framework Provider at Levels 1, 2 & non-crypto Level 3 under the Open Identity Solutions for Open Government program.  The removal of the provisional status will hinge on the release by TFET of additional guidance for assessors concerning privacy and Kantara's adoption of this guidance.  

This is for me an extraordinary milestone, not only in my role of Chair of the Identity Assurance Work Group, but as an identity assurance activist altogether.  Kantara submitted its application for the US Federal Government adoption of the Identity Assurance Framework (IAF) in November of 2009. Prior to that date, the IAWG has been working very hard, collaborating with Kantara and the Assurance Review Board (who oversees the Kantara Initiative Identity Assurance Certification Program) to achieve this important goal (albeit still under provisional status).

The significance of this milestone is that it represents an important step towards fostering the adoption of identity-enabled Government services at known levels of assurance, relying on identity credentials issued and managed by non-Government parties (referred to as Credential Service Providers in the IAF). It will create the right conditions for the certification program to be adopted in real-life scenarios and for the industry to benefit from a proven, best-of-breed certification program that effectively enables interoperability and trust. This means that the IAF will not be just a "paper" standard, incarnated in a compendium of documents, but an actual technology-agnostic program that organizations can certify against.

With the adoption of risk-based models, identity federation can achieve Internet scale, and facilitate public access to online information at specific levels of assurance.  With adoption will also come economies of scale and further collaboration and interoperability across industries and Governments.

As someone who has been involved in identity management and identity assurance for quite some time, I cannot help but feel excited about the times I live in, and optimistic about what is to come.

I do anticipate and hope for more endorsements of the IAF in the near future by other organizations, and more importantly, the start of a paradigm shift in the way we all think about identity, both within the Enterprise and in a federated environment.  Ultimately, this path will allow the identerati to focus on the real end goal: delivering identity-enabled solutions and services with the level of trust and confidence that is appropriate for the transactions being performed.

But this is just a first step...

Identity Assurance, an everyday life issue (part 1 of 2)…

In this 2-part article, I hope to explain the importance of identity assurance in everyday life. I will first level set on terms and definitions in part 1, and then illustrate with real-life examples in part 2.

The notion of identity assurance is to establish, with a level of certainty, that the human being represented by a credential in an electronic transaction is in fact the alleged person. Whether you realize it or not, whenever you perform an electronic transaction, you are making some kind identity assurance tradeoff.

Identity assurance does not only apply to scenarios in the extranet in which consumers or users from one organization interact with systems in another. It also applies within the enterprise where you need to view identity lifecycle management holistically, as opposed to fragmented steps, such as provisioning, authentication, single sign-on, etc.; and how they contribute to creating and maintaining identity assurance.

My Personal History

In late 2006, I was first introduced to the issue of identity assurance as a trend in identity management.  It all started with the FFIEC's October 2005 guidance on Authentication in an Internet Banking Environment. It appeared on my radar as I was strategizing on the future of web access management and the product portfolio for which I was responsible. I was also wrestling with transaction assurance and access management 2.0. At the time I did not realize the profound impact that this concept would have on my career.

In late 2007, as I was managing a high-assurance digital identity service offering at a large global bank, I was introduced to Liberty Alliance Identity Assurance Expert Group. I joined the group as a co-chair which led to my current role as Chair of Kantara Initiative's Identity Assurance Work Group that is responsible for the Identity Assurance Framework. It works closely with the Kantara Initiative Identity Assurance Certification Program, which actually instantiates the framework in an actual program.  So, I guess you can say I have become an identity assurance activist.

It's All About Risk

In any electronic transaction where a human is represented, an implicit identity assurance tradeoff is made. A human may be represented in a transaction by providing a user name, email address, or simply by checking off a box accepting certain terms and conditions. The question is whether we are aware of or comfortable with the tradeoff. In all instances, you and the party with whom you are transacting are agreeing that your identity can be representing in this way for this transaction, and accept the consequences of what might happen if something goes wrong (i.e. your credentials are spoofed or compromised, or you chose to share your credentials with somebody that acts on your behalf and does something wrong).

The higher the sensitivity of the transaction, the higher the confidence (i.e. assurance level) you would like to have.  Therefore, an identity assurance level (AL) should map to the risk level in any given transaction.

All identity assurance documentation that I have read or been involved with converge on four basic levels of assurance:

• Level 1: Little or no confidence
• Level 2: Some confidence
• Level 3: High confidence
• Level 4: Very high confidence

OMB Memorandum M-04-04 illustrates this rationale from the perspective of the US Government. It effectively explains the application of identity assurance to transactions, considering the impact of something going wrong, and also the expected frequency of its occurrence. Below is a table I borrowed from this document that focuses on authentication.

Advice:  Be aware of the sensitivity of a transaction. Think through the mechanism employed to mitigate risk and if it is sufficient enough to convey the appropriate level of confidence. Consider the intersection of identity assurance with your data and risk classification.

It's Not Just About Authentication

Another important realization, particuarly for me given my background as a product manager, was that identity assurance is not just how strongly you authenticate someone. A number of factors come into play. Moreover, identity assurance, like other facets of identity and access management (IAM), is a lifecycle process.   An identity lifecycle includes stages ranging from registration (initial creation, identity verification, credentialing) to contextual access control (authentication, risk and activity monitoring, stronger authentication), renewal and termination.

An IAM solution must account for the fact that identity assurance decays over time and that lifecycle processes, such as renewal or termination, are necessary to either preserve the assurance level or eliminate the risk of a compromised identity.

Even though this concept may seem obvious, traditional IAM deployments do not incorporate identity assurance as a guideline, and thus rely on a static notion of identity.

This approach towards risk and identity assurance allows end users and organizations to gain trust in relying on online channels to conduct sensitive and higher-value transactions.

In my next blog post, I plan to illustrate these concepts with some real-life examples. In the meantime, I look forward to your comments...

Identity Assurance in the Nationwide Health Information Network (NHIN)... a cross roads of sorts

On Thursday January 7, 2010 (last week), I had the privilege of representing Kantara Initiative, in my role as Chair of the Identity Assurance[1] Work Group (also proxying for the Healthcare Identity Assurance Work Group) as a panelist in the Nationwide Health Information Network (NHIN) Workgroup hearings.

NHIN focuses on the definition of standards, guidelines and specifications on both technology and legal areas to enable the secure exchange of health information over the Internet. The focus of last week's session was authentication.

It was a great experience for me, particularly given the significance that NHIN's efforts will have in the way healthcare services are provided in the US over the next few years. The session made it clear that we are reaching a convergence of various efforts in identity management, which have reached the maturity level needed to address very real and critical business problems, and that the time to execute has come. Many of these efforts have been evolving over many years thanks to extraordinary contributions and leadership in both private and public sectors. This realization conveyed a sense of purpose and responsibility that quite frankly was not evident to me until the session actually started. Yes, I realize that at times I get very existentialist.

The format NHIN adopted for the hearings was very effective. It started with a viewpoint from US Government panelists followed by two sets of private sector panelists (I was part of the last round).  My fellow panelists did a really good job of providing their viewpoints in a clear and focused manner, and engaging in a very productive and dynamic round of Q&A after each round. This format made the sessions more productive, covered a wide range of viewpoints, and also helped identify themes and synergies. I commend NHIN on this.

Transcripts of the entire session, including audio voice-over and written testimonies, are available online. Also, Kantara published my written testimony in their blog area.

In this blog post, I intend to provide my summation of the event, and speculate on its potential outcomes.

Salient points

1. Panelists discussed the definition of authentication and reached a common understanding. In the context of the panel, authentication consisted of three distinct processes:
   • Proofing or verifying an identity,
   • Issuing a credential to the individual once her identity was proofed, and
   • The real-time event of confirming the validity of the credential as a digital proxy of the individual during a digital transaction.
   GSA's David Temoshok clarified that this definition excluded authorization - the ability to determine the kind of operation or data the individual can access.
2. I believe that the various panelists, including myself, converged on the notion that different assurance levels, as defined by NIST SP 800-63, provided a proven and practical approach to addressing different transaction risk levels. They also agreed that there is not a "one size fits all" approach that can address the broad range of use cases in scope for electronic healthcare. The discussions centered around the need to classify transactions and applications based on the risk profile, and avoiding the polarization on the highest assurance level for most use cases since it may be excessive and overkill.
3. Some recommended to NHIN existing frameworks that have been in use and proven for many years should be leveraged, rather than creating a brand-new, healthcare-centric framework for authentication. Leveraging existing Government programs and partnering with private sector players will help NHIN reach its goals in a more scalable and faster manner. NIH's Peter Alterman recommended that NHIN avoiding creating a healthcare-specific framework, highlighting the benefits of adopting cross-industry, best-of-breed standards.
4. There were great discussions on how to pragmatically reach the adoption rate required for the programs that HHS is driving forward. I particularly enjoyed the perspective provided by David McCallie, from Cerner Corporation; specifically, the statistics that show that in their network of 8,000 facilities, ~2,100 hospitals, 3,300 physician practices, 30,000 physicians, 500 ambulatory facilities, 600 home-health facilities, and 1,500 retail pharmacies; less than 30% of the systems use any form of SSO, and that provided the choice, less than 10% of the system adopt any sort of strong authentication technology. David also explained some of the challenges involved in achieving interoperability and federation across disparate system which were not designed to cross reference, and how much effort is truly involved in effectively mapping identities across different organizations.
5. Peter Alterman pointed out that Assurance Level 3 (AL3) is the minimum required to protect transactions that may expose personally identifiable information (PII), according to the Privacy Act. Later, Anakam's J Brent Williams talked about the ability to provide AL3 solutions that can scale both in terms convenience and cost, which can reach high levels of adoption, and are already in use at some large Government internet facing services. SAFE BioPharma's Mollie Shield-Uehling, made good points on the use of antecedent identity proofing as a scalable approach to AL3 remote identity proofing, based on SAFE's experience in the pharmaceutical community. My viewpoint on this topic was that AL3 should be demystified from being unaffordable and overkill, to being more attainable nowadays, particularly with remote identity proofing options, as well as evolving options for two-factor authentication options that could leverage mobile phones as authentication devices.
6. Brent raised two very good points that are worth mentioning:
• There are scenarios in which being able to provide identity proofing at a specific level of assurance level, but not necessarily having to issue a credential at that level or at all, will be beneficial, especially in cases in which a patient is granting permission to a physician to access her own electronic health record.
• PKI and SAML based authentication should not be viewed as orthogonal or in isolation in the context of identity federation and assurance levels. They are different ways to conduct and carry an authentication event, but in practice, they are techniques for conveying an authentication token. The real challenge in federating comes after the token is consumed, and particularly how the identity is actually "enrolled" in the target application (relying party).

My thoughts about the outcome

This was a worthwhile session with valuable insights and a broad range of important perspectives that rarely get discussed in a single sweep. I am very optimistic about the direction that NHIN could take in the aftermath of this event, and my read on some of the deliberations by the NHIN work group following the hearing fuels that optimism. My hope is that we do in fact see the convergence of approaches in healthcare that will allow for a faster pace of evolution and adoption, rather than a separate, healthcare-specific approach to authentication that may prove too ambitious and demand much longer timelines.

Here are my speculations on what may come out of this:

• NHIN will not reinvent the wheel in the area of authentication, but rather provide guidelines that leverage existing programs, such as the Federal Government's Identity, Credential, and Access Management (ICAM). This direction will help NHIN to increase adoption and use of digital credentials at various levels of assurance, by partnering with both the government and the private sector, thus removing barriers to entry and immediately tapping into established networks and communities that already have large numbers of credentials issued. It will allow the programs to hit Internet-level scale much faster.
• NHIN will focus on mapping various use cases and transactions to specific risk levels, equating them to assurance levels. It will also provide specific guidelines that will foster the development and rollout of digital solutions that leverage identity assurance within healthcare. These guidelines will lay a foundation for interoperability and risk-based models for these solutions.
• NHIN will define minimum assurance level requirements for its most critical use cases. For instance, NHIN may require that physicians obtain at least one AL3 credential that complies with an accepted identity assurance framework to be able to digitalize common transactions. It may focus on scenarios in which a credential may need to be upgraded from one assurance level to the next.
• NHIN will define acceptable models for performing identity proofing conforming to assurance levels for its most common actors. The idea here will be to clearly define options available to a physician for getting their identity proofed prior to obtaining credentials; likewise, to define acceptable models for how patients will get identity proofed [and credentialed], whether it is a responsibility that can be delegated to the patient's physician or some other stakeholder in the use case.
• Several requirements that NHIN will define for authentication will help advance and evolve existing identity assurance programs both in the government and private sector, as there will be new services or more granular scenarios that will require special handling. Having said this, I predict that these requirements will not be specific to healthcare. Instead, they will have applicability on other industries. A good example will be the need to separate identity proofing from credentialing as consumable rather than encapsulated services.

I would love to hear your comments and feedback.

---

[1] Identity assurance, in an online context, is the ability for a party to determine, with some level of certainty, that an electronic credential representing an entity - whether a human or a machine, with which it interacts to effect a transaction, can be trusted to actually belong to the entity.  In the case the entity is a person, identity assurance is the level at which the credential being presented can be trusted to be a proxy for the individual to whom it was issued and not someone else.