The Upcoming Identity Apocalypse

How’s that for a catchy title? Really it should read “the upcoming apocalypse for identity professionals”. Focusing on federated identity has made clear what happens when “bring your own identity” becomes the norm. There isn’t a place for identity management experts at every organization. We’re quite far from that, but it’s worth thinking about.

The first time I thought about “bring your own identity”, I found it silly. Who would want to be in a business like an IdP? Who would trust the people who would be in that business? The answer to the first question is easy. There is a long and growing list of identity providers, google and facebook most notably. But these identities are not made of the stuff that security conscious organizations want. Anyone can open a google account. Anyone with an email account can open a facebook account. No one wants just anyone to have access to their resources and services. The identity proofing just isn’t strong enough; these providers fail to answer the second question positively. But it’s easy to see how a whole crop of strongly verified identities from trusted sources could make their way into the market. It’s likely that banks, governments and large corporations will end up in this business. Why? Governments would do it for their own reasons; they have a lot of call to have electronic IDs for their citizens to do their own business. BankID in Sweden is a perfect example of this. For places where the government won’t or can’t do it, I envision banks doing it. Why? Loyalty is why. For a whole generation that largely doesn’t even have bank accounts and for whom switching cell phone providers is an everyday thing, the idea of having an anchor to a bank will seem absurd. But if that bank is their ID, the ID they use for daily business with their various businesses they have contracts with, then that would be a whole different matter. As predictions of a more mobile, fluid, skilled workforce are growing stronger, this idea carries more weight. Just picture Jane looking at some great balance transfer offer from Bank of America and wondering if she should switch over from Chase to take advantage. If she uses her Chase ID to access all her applications at the three active contracts she has today, then she may think twice. Does she really want to make them reprovision her access? What if there’s a mistake in the process? How long did it take the first time; does she want to wait that time again?

There is also good in this for the employers. I had a long conversation with a major pharma in NYC about how they have to go through hell today to provision their tokens for two factor access. Now imagine a completely non-centralized workforce (if you have to, this is here for many today). You want to take on a new contractor for a project. You want to create their accounts, but now you need to do the identity proofing. Where do you send them? Do you fly them to the main office? Is there anyone in your HR group even sitting at that office? Do you send them to the HR company you’ve outsourced to? Do you fly to meet them? The problems pile up quick. If you take their credential from somewhere like a bank that already has done identity proofing and has a large, robust network that is primed for doing just that, then maybe you’re a lot better off. After all, who do you trust more, the organization you’re going to send the contractor’s money to or the fresh out of college admin sitting at the desk in the random office you send this contractor to who likely doesn’t even have a passport much less have the ability to spot a fake passport. “But what if they open a bank account, give you that ID, use it to get in, then run a script to suck out all of your data and just disappear with it to sell to the highest bidder?!?” Fair question, but what’s to stop someone from doing all of that today? To open a fake bank account they would need proof of ID good enough to fool the bank. Unless you happen to have the resources of the NSA or FBI, you’re likely to be fooled by that, too. So you hire this hacker the traditional way and they do the same thing. Not only is the bank less likely to be fooled, but I’m sure someone could come up with a score of some kind for how trusted the ID is using real terms like how long the bank account has been open, how strong the proof of ID was when it was opened, how many other times it’s been used for trusted transactions, etc. Having the data and the impetus to make identity scores like that are just one of many things there IdPs could do to add value to the employers.

Finally we come back to the organization doing the hiring and we see that they don’t have many identities being managed on premise at all in the “bring your own identity” world. No identities means no identity professionals, either. Of course, there will be a swell of positions for these folks at the IdP organizations, but not as many spots as there were in the clients. So the music has started and there are only so many chairs. Luckily, nothing is ever so stark. It’s very likely there will be a swing from cloud and outsourced models back to on premise in some way at some point. Of course, you can have on premise services with federated “bring your own identity” style systems as well. But I’d never say anything will be so complete that it will see things completely go away. Things that work tend to stick around and evolve rather than disappear. There is also likely to be competition for the spots as a trusted IdP. That will mean more call for identity professionals who can add value to the offerings these organizations offer as an IdP. The cell phone companies will want in the game, but won’t have the same gravitas as banks. How will they compete? I’m sure there are identity professionals that could make them more competitive. In one of my favorite movies, Mindwalk, the poetic character muses that to people in the middle ages “judgment day was the ultimate day off, not the ultimate off day”. I think this apocalypse could be similar to that. There will be less people left after it, but the ones who are left will be able to make the kind of strong, flexible systems they have always wanted.

Federated identity graphic (SAML, OpenID, WS-*, more…)

I’ve got an idea in my head I can’t shake. I’d like to make a picture that will display as simply as possibly the whole landscape of “federation”. Right away, it runs into problems because that world does not adequately capture the space anymore. The term federated identity seems better. Every major identity project I’ve come upon in the last 6 months has had a “federation” component. Some are looking to ease bringing in new users via M&A. Some are thinking about people visiting their public websites. The only thing they all seem to have in common is they are all very confused about their options. The confusion is not surprising. There are so many options. Many of the Microsoft centered clients that Quest sees on a regular basis are thinking about ADFS and Geneva (most still call the whole Microsoft next generation federated identity Geneva even thought they are aware it has it’s new official set of names). Everyone is talking about SAML and many about OpenID. So my thought was to make a picture to use as a discussion tool. Love to get thoughts here or at @jonathansander. My first, rough attempt is here: