This session by Nate Klingenstein.
Today’s Federated Identity Challenges:
- Scaling – especially cross-sector and cross national boundaries
- Getting the user experience right – not just in Higher Education – is going to be even harder than the challenges we face today.
- Protocol wars – new, powerful players in the area
- Levels of assurance and attribute support
- Reconcilation between consumer and enterprise identity – possibly the biggest challenge
‘The Cardiff Giant’ – a statue discovered in Cardiff (New York). Copied by P.T. Barnum (covertly) and toured. This all showed:
- Even a fake can be very popular
- Fake identites and indentity theft are widely recognized, growing problem
Identity is big business – e.g. Doubleclick (acquired by Google) – serving personalised advertising.
Universities house both applications and identities. They are the natural ‘home’ of much user data – e.g. Courses, titles, grades. Universities also host applications – but increasingly these may not be hosted locally. The important players in Academic Identity are:
- Applications (Commercial and other)
What do Governments want?
- Privacy laws and their enforcement vary wildly from country to country
- China and the EU offer useful (and possibly polar opposite) examples
- A situation that needs careful balancing if there will be meaningful enforcement
- We need recognition of the social importance of trust – some evidence that trust in financial markets drives economic properity?
What do Faculty want?
- Good learning resources and tools
- Students undivided attention (possible issue with using external tools e.g. social networks to deliver teaching material)
- Freely circulated intellectual property?
- Stronger intellectual property rights?
What do Commercial Applications want?
- A userbase to monetize
- page views, successful completion of login, high retention rates, lost of juicy personal details (hence reluctant to engage with federated access management)
- licensing fees
- Advertising is a nice plus
What do Other Applications want?
- They’re often not sure, and would like you to help them
- Happy to be out of the usr/pwd trap
- Varying degrees of control over the GUI and authentication process
- “Security” and “usability”, vaguely
- Identity services are critical for “cloud” computing
What do Users want?
- Studies by JISC, Yahoo!, Google and others show that to get users to use the services you offer:
- You need consistency, consistency, consistency
- Bifurcation is confusing, particularly if there’s an email address box or user/pass option (i.e. more than one option)
- Users have no idea what a domain is
- Even with coaching, outcomes from typing URL-based identity do not improve
- Buttons are best, but alternatives are okay
Users understand the difference between a professional account and a personal account, work app and personal app – and can generally select between them. Privacy and security are consistently rated as very important – especially in coutnries with weak privacy laws. However LSE study demonstrated – convenience often wins in practice anyway.
Consumer Identity Today
- Facebook Connect by far the most successful
- proprietary protocol, single identityt providers
- inducements for applications – lots of personal data for targeted ads
- Twitter comes in second, followed by also-rans
Facebook Connect – on Huffington Post, http://money.cnn.com (the latter only supports Facebook connect for commenting). Some interesting stats on various mechanism for logging into the Typepad blogging platform at http://blog.leahculver.com/2009/11/log-in-or-sign-up-with-openid.html
Convergence between Educational Identity and Consumer Identity – It’s already happening! How soon will your students ask for a ‘Facebook Connect’ login to your VLE?
The level of assurance gravitates towards the lowest common denominator – often basically an email address that doesn’t ‘bounce’. Social Networks include a large level of assurance, as you have lots of people ‘vouching’ for you (although questions about how much this is worth, it definitely isn’t worthless). Maybe ‘strongly vetted’ ID is not what Universities should try to provide. Instead we may want to focus on the attributes:
- Consumer identity world is rapidly realizing that attributes are key
- Need to solve problems like attribute aggregation
- Attribute plumbing from the campus to the consumer Identity Provider – Google is trying the business modle
If consumers opt for Facebook, perhaps this is an opportunity for Universities to stop worrying about the ‘discovery’ problem – even if we worry about the implications of Facebook managing this instead.
Preparing for those futures:
- Be protocol-agnostic
- OpenID support in the Shibboleth IdP is a good start
- Expectations and functionality are driven today by commerce and consumer identity
- Users unlikely to exert change
- Faculty will use the best tools available
- Commercial applications like money
- Discovery is the real control point – if you present a ‘Facebook Connect’ button at this point, users will click it
- No single right answer
- eduID or similarly branded login – this is contentious issue
- Some people want to stop buttons or dedicated discovery entirely
- Proactively contemplate partnerships with the other identity sources
Current course excellent – we are doing most of the right things – even if for the attributes and policies alone which is 9/10 the effort and value