Liberty Alliance looks to boost secure authentication

Computerworld - The Liberty Alliance Project, a global consortium of companies working on federated identity management standards, yesterday announced the creation of a group to focus on developing open specifications for interoperable strong authentication.
Liberty's new Strong Authentication Expert Group (SAEG) includes organizations such as American Express Co., the U.S. Department of Defense's Defense Manpower Data Center, the Financial Services Technology Consortium (FSTC), Oracle Corp. and VeriSign Inc.
The new group has been created to speed the development of standards for strong authentication in a federated identity model, said Roger Sullivan, a Liberty board member who is also a vice president of business development at Oracle.
"Identity federation has begun to really establish some traction in the marketplace," Sullivan said. As a result, there's a growing need for a standard definition of strong authentication, what it means, when it should be used, what forms of authentications can be used and what business use cases exist for different types of strong authentication, he said.
"We are focused on the federation marketplace, but certainly the principles of what we are discussing can be applied" in other environments as well, he said.
Identity federation allows users to log in to applications and services across multiple domains and distributed, heterogeneous networks using a single set of identity and authentication information. Once logged in to one system, they do not need to log in again.
Over the next few months, Liberty's SAEG will work on developing an Identity Strong Authentication Framework to enable different types of strong authentication technologies such as smart cards, tokens and biometrics that can work across organizations, networks and vertical market segments. The first draft of the framework is expected to be released in mid-2006.
The creation of the new group comes at a time of heightened interest in strong authentication methods largely driven by fears of online fraud and identity theft.
Such concerns recently prompted the Federal Financial Institutions Examination Council to release new guidelines calling on banks to upgrade current single-factor authentication processes -- typically based on usernames and passwords -- with stronger forms of authentication.
Though the Liberty Group's effort is targeted specifically at federated identity networks, it also is relevant to the banking sector, said Jim Salters, director of technology development and business initiatives at the FSTC.
The FSTC, whose members include most major financial institutions in the U.S., has for the past several months been working on a separate initiative to define guidelines and standards for better mutual authentication between retail bankers and their customers.
The blueprint formutual authentication is being developed by a 25-member FSTC group -- which includes eight of the top 10 banks in the country -- and is designed to make it easier for financial institutions to deploy strong authentication technologies and for consumers to adopt them, Salters said.
"In a nutshell, it is about getting financial institutions together to discuss the commonalities that need to be in place for deploying stronger authentication," Salters said. "The key driver is how do we retain some of the commonalities that are in place today [across the retail banking sector] so that we can prevent customers from getting confused?
"It is also about articulating to vendors what the requirements for the financial industry are as far as interoperability and [technology] features," he said.