What is Federated Identity Management?
Federated Identity Management, or FIM, occurs when two or more trusted domains allow their users to use the same digital identity to access applications across domains. This will enable users to move between multiple sites securely.
Why Is Federated Identity Management Important?
Users have dozens and dozens of accounts spread across professional, personal, and public services. Accordingly, they also have dozens of separate digital identities used to authenticate them across these services. That’s a problem from both user experience and security perspectives:
- Users notoriously have a hard time remembering passwords, usernames, PINs and so on. While requiring unique credentials is an obvious security step, users tend to forget passwords or express frustration when they have to create a new account for a new service.
- Following that poor user experience, many users simply use easy-to-remember passwords or reuse passwords across multiple sites, which means that it’s much easier for their credentials to be compromised and, in turn, compromise various platforms.
A federated identity attempts to solve this problem by securely using a single user across multiple domains. Federation is the practice of “federating” (or connecting) different authentication systems through a set of agreements and standards across multiple platforms so that users can provide one set of credentials to access numerous other accounts.
To facilitate this kind of interoperability, authentication systems use FIM solutions that provide a way for these platforms to share a common identity authentication language.
To create a secure and effective system that can be shared across platforms, designers often adhere to what is known as the “Seven Laws of Identity.” Created by Microsoft Chief Identity Officer Kim Cameron in 2005, these laws were conceived to refocus authentication as a user-focused endeavor while creating a “metasystem” or identity layer that helps control, authenticate and protect digital authentication and verification information.
The seven laws are the following:
- User Control and Consent: Any system must put the user in control of their digital identity, including how they are used and how information is released. Additionally, the system must protect the user against deception and identity theft.
- Minimal Disclosure for a Constrained Use: The only information collected will be the minimum needed for the purposes of authentication or authorization. Likewise, any system that collects information can deter attacks if it adheres to minimal data principles.
- Justifiable Parties: An access solution makes the user aware of requesting information and policies about data use.
- Directed Identity: A system must support Omnidirectional identification for public spaces and unidirectional identification over private connections, like Bluetooth.
- Pluralism of Operators and Technologies: An overarching system must operate with multiple technologies.
- Human Integration: An identity metasystem should put human users at the forefront with unambiguous human/machine communication that protects against attack or theft.
- Consistent Experience Across Contexts: The user experience must be consistent and straightforward through multiple operators.
A federated system would therefore attempt to follow these rules. For example, the ability to use your Google account to log into a mobile phone application relies on several of these rules just to authenticate a user.
Federated Identity and Single-Sign-On
FIM sounds similar to other management approaches, most readily Single Sign-On (SSO). These technologies function, on the surface, in the same way in that they seemingly support a more straightforward way to consolidate authentication and verification. There are, however, differences, the most significant of which is the scope of application.
SSO functions within an organization. That is, SSO can support IAM across systems, resources or devices within a single system. Within the authentication system of a given infrastructure, SSO can streamline authentication in a single set of credentials.
FIM, however, creates a standard by which diverse applications across different organizations can support single-identity authentication. FIM uses common protocols and languages to build a trusted management service between these organizations. Some of the standard protocols that you will see used to create FIM systems are:
- Security Assertion Markup Language (SAML), which allows providers to exchange authorization credentials between different service or application providers.
- OAuth, a delegation framework used for authorization between different organizations fielding applications through HTTPS or APIs.
- OpenID Connect, an authentication protocol that extends OAuth by adding an identity later for more control over digital identity and authentication.
Costs and Benefits of Federated Identity Management
Unsurprisingly, FIM has several advantages and disadvantages associated with its implementation.
Some of the benefits include the following:
- Streamline Authentication: Perhaps the most obvious benefit is that you make it easier for users to log in to your system. If you’re running an online app, this can break down resistance from potential users who might not want to create yet another account for another app.
- Security: With FIM, you are leveraging an identity layer to centralize security for your authentication system. In practice, this means that you can rely on another secure provider (like Google or Facebook) to verify identities that you know you can trust. Additionally, you potentially reduce the drive for users to use simple or redundant passwords that could compromise your systems.
- Reduce Administrative Overhead and Cost: If you trust another provider like Google to store and verify information, you remove the need to manage your own systems or keep user credentials.
While these are incredible advantages, it’s also essential to understand some of the challenges as well:
- Trusting Other Identity Platforms: In an FIM system, you must trust that when a user provides credentials from another participating organization, you have to trust that the member has proper security, policies and protocols in place. If not, they could introduce vulnerabilities that you can’t detect until it is too late.
- Implementing Different Rules: Being part of an FIM system also means meeting minimum requirements regarding identity management and security. If you aren’t prepared for that, it could be a costly endeavor.
- Forcing Trust With Other Organizations: Speaking of trust. If you are in an FIM system, then there are expectations beyond the bare minimum of protocols. If you have a history of neglecting user privacy, not protecting data, or other unpopular security and customer approaches, you might find it hard to partner with others.
Use Cases for Federated Identity Management
One of the clearest use cases for FIM is Google services. Not only does Google use federated identity to support authentication across other sites, but it also offers ways for enterprise users to build cloud services that can also enter into FIM partnerships with other organizations. This way, if you use Google Cloud for professional reasons, you can federate identity to make access easier for outside users.
Federated identity is also used in several other contexts. For example, a university with wireless Internet access can use FIM to offer Wi-Fi access not only on campus but also with other partner institutions. This way, students and faculty can enjoy Wi-Fi at any partner location with a single set of credentials.
In all cases, you’ll see FIM used in three major cases:
- Inbound Federation: Allows you to provide federated access to your application or resources to individuals outside your organization.
- Outbound Federation: Allows you to provide access to external applications to the identities that you manage within your organization.
- Bring Your Own Identity: Allows users to access resources or applications across multiple organizations using a single set of credentials supplied and stored by an Identity Provider.
1Kosmos BlockID: Why Federated Identity Management Critical for Modern Authentication
Modern authentication is improving incrementally, but that isn’t enough. With the severity and frequency of breaches occurring daily, it’s more important than ever to bring a robust and secure authentication method that can radically change how we log in to systems, devices and user accounts.
BlockID innovated authentication by focusing on two aspects of digital identity:
- Passwordless authentication with decentralized identities and
- Streamlined user experience
Federated identities and SSO are essential steps in the path to strong authentication, but it isn’t enough. That’s why BlockID uses secure blockchain technology to create decentralized identities that protect user identities, provide the benefits of SSO and FIM and give power and control back to the user—some of the core tenets of the rules we articulated above.
Alongside this approach to identity verification, 1Kosmos also includes several critical features:
- KYC compliance: BlockID Verify is KYC compliant to support eKYC verification that meets the demands of the financial industry.
- Strong compliance adherence: BlockID meets NIST 800 63-3 for Identity Assurance Level 2 (IAL2) and Authentication Assurance Level 2 (AAL2).
- Incorruptible Blockchain Technology: Store user data in protected blockchains with simple and secure API integration for your apps and IT infrastructure.
- Zero-trust security: BlockID is a cornerstone for a zero-trust framework, so you can ensure user authentication happens at every potential access point.
- Liveness Tests: BlockID includes liveness tests to improve verification and minimize potential fraud. With these tests, our application can prove that the user is physically present at the point of authentication.
If you’re ready to learn about BlockID and how it supports streamlined authentication, read about how you must Go Beyond Passwordless Solutions. Also, make sure you sign up for the 1Kosmos email newsletter for updates on products and events.