ICF Steering Member Equifax Inc. announced this week that it has chosen Anakam, Inc. to provide the electronic authenticator for the Equifax I-Card. Anakam will implement its Anakam.TFA® Two Factor Authentication service, making the Equifax I-Card the first to have the maximum ease of use as well as the highest level of authentication security (Level 3) in the marketplace.
According to ICF board member Ron Carpinella, Equifax's Vice President of Identity Management, "This speaks to our efforts to provide strong authentication for the U.S. federal government via i-cards and the ICAM trust framework." The Information Card Foundation, together with the OpenID Foundation, has been instrumental in working with the U.S. GSA Identity, Credential, and Access Management (ICAM) Subcommittee to create a trust framework that enables U.S. citizens to use open identity credentials to access U.S. government websites.
The Anakam platform will be incorporated into the Equifax I-Card offering to provide ongoing two-factor authentication without the need for distribution of smart cards and hard tokens to end users while still complying with the standards established around these devices. With Level 3 authentication, there is high confidence in the validity of the user's asserted identity as determined by U.S. Office of Management and Budget (OMB) guidelines and the technical recommendations of the National Institute of Standards and Technology (NIST).
On the ICF mailing list earlier this week, ICF member Markus Sabadello, a leader of several Information Card-related open source projects, announced the availability of CardGears, a hosted service for web sites wishing to issue Managed Information Cards.
As Mr. Sabadello points out, Managed Information Cards can be issued by any website, whether just to provide a simpler and more secure sign-in mechanism, or to extend its brand so that it becomes part of the user experience every time a card is used. The website issuing a managed card is authoritative for the data on it. Technically, this requires two components:
- A card issuing component. This produces and sends to the user a card file (in the .crd format) each time a new card is issued.
- A Security Token Service (STS). This is the component that provides the claim values (identity information) on a card, such as first name, last name, e-mail address, etc. The STS is invoked every time a user uses or previews their card.
Mr. Sabadello explains, “CardGears makes it as simple as possible to operate both of the above components. First, you can design, issue and modify cards by using the intuitive web interface, without any programming at all. Second, you can use various APIs to integrate the CardGears service with your own applications. And you can mix and match each of these two approaches as needed for your site.”
There are currently four demo sites illustrating various aspects of Information Cards and CardGears:
Bethesda, MD, USA – The first iTrust Forum, held today at the National Institutes of Health (NIH) headquarters in Bethesda, MD, featured a four-part session about the U.S. government’s Open Identity for Open Government Initiative. NIH is leading government adoption of this initiative through the NIH Federated Identity Service. NIH demonstrated the first production use of open identity technologies at the iTrust Forum by showing how the Federated Identity Service now accepts logins from several of the ten OpenID and Information Card identity providers who have announced participation in the initiative.
In a separate demonstration, Don Schmidt of Microsoft showed a prototype “multi-protocol selector” – software that will enable users to do both OpenID and Information Card registration/login to websites through one simple, safe, visual interface. This will make authentication at many different websites dramatically simpler for users while at the same time providing strong protection against the main source of phishing attacks.
ICF Executive Director Drummond Reed and OpenID Foundation Executive Director Don Thibeau presented the Open Identity Framework (OIF), a new open trust framework model being developed jointly by the ICF and OIDF to solve the problem of how third-party portable identity credentials such as OpenID and Information Cards can be trusted in very large deployments, such as across the entire U.S. population and all U.S. government websites.
Mountain View, CA – November 2, 2009 – Avoco Secure, a leading security, digital identity, and digital signature vendor based in the U.K., announced at the OpenID Summit today that it is releasing the first commercially available Information Card selector software that operates completely “in the cloud”. Called CloudCard, it is a standard Information Card selector implementation that requires no installation and works from any conventional browser on a desktop, laptop, or mobile device.
Susan Morrow, Product Manager for CloudCard, demonstrated today how it eliminates the need for local client software, which is one of the barriers to widespread adoption of the Information Card digital identity standard. CloudCard uses the standard IMI 1.0 Information Card format and protocol so it works immediately with any Information Card issuer. Websites that wish to accept Information Cards from CloudCard currently need to add some simple custom HTML code to their web page, but according to Ms. Morrow this step is easy compared to the hurdle of requiring users to install a desktop selector, and Avoco plans to standardize this special code so it can be used with any cloud selector.
Avoco will demonstrate CloudCard again tomorrow at the Internet Identity Workshop in Mountain View.
ICF Executive Director Drummond Reed just returned from a two-week trip to the EU. He shares the following observations:
My first stop was giving a keynote at the NordSec conference in Oslo, wonderfully organized by Dr. Audun Jøsang of the University of Oslo. The agenda was one of the richest of any conference in my recent memory; I found myself taking notes constantly on talks covering STORK, ID management based on mobile SIM cards, and privacy risks in Web 2.0, among other topics.
The day ended with a panel on “Global identity management – a threat or an opportunity for privacy?” I spoke strongly in favor of the opportunity Information Card technology offers for privacy protection, and how the U.S. government’s open identity solutions initiative is taking advantage of this. That initiative and the ICF/OIDF open trust frameworks project drew a great deal of interest among the largely EU-based audience—its potential for helping “raise the bar” on Internet privacy was one of the main themes of the panel.
The ICF congratulates fun communications for winning a 2009 IDDY award in the Proof-Of-Concept category for their Webcard Loyalty program. Webcard Loyalty was one of the first seven Featured Card Projects that were announced by the ICF at RSA 2009 in April 2009.
At Digital ID World 2009, the Kantara Initiative awarded fun communications one of six IDDY awards in recognition of its online service that uses Information Card technology to let anyone create their own customer loyalty system for the Internet using “virtual loyalty cards”. To quote the Kantara press release:
The application combines user-centric identity management and customer loyalty programs such as bonus points, coupon promotions and discounts on partner websites, into a single application. Retailers and portal operators can issue their own virtual loyalty cards that can serve as a reliable means of authentication and authorization. The portal can be adapted to meet individual requirements, and is suitable for issuing all types of virtual identification cards such as student ID cards, library cards and discount cards. More information is available by visiting http://www.fun.de and http://www.webcard-loyalty.com.
ICF Executive Director Drummond Reed and OpenID Foundation Executive Director Don Thibeau will present the foundations’ joint Open Trust Framework at the OASIS Identity Management 2009 conference tomorrow at the NIST headquarters in Gaithersburg, Maryland. The theme of the conference is Transparent Government: Risks, Rewards, and Repercussions.
The Open Trust Framework, summarized in the OIDF/ICF joint white paper Open Trust Frameworks for Open Government, is a mechanism that enables relying parties (the websites and services that accept open identity credentials such as OpenID or Information Cards from individuals) to verify that identity providers (the third parties providing such credentials on behalf of the individual) are certified to provide those credentials at the level of assurance (LOA) the relying party requires.
In the case of U.S. government, for example, there are four LOAs defined by NIST and the Office of Management and Budget (OMB), each with its own level of identity proofing, security, and privacy requirements. With the Open Trust Framework, U.S. government websites will be able to determine if a particular identity credential meeting the ICAM OpenID 2.0 profile or IMI Information Card 1.0 profile at a particular LOA was issued by an identity provider certified to meet the U.S. government requirements at that LOA.
Yahoo!, PayPal, Google, Equifax, AOL, VeriSign, Acxiom, Citi, Privo, Wave Systems Pilot Open Identity For Open Government
-Government Embraces Innovative Technology to Support Citizen Participation-
(For more details about this release, please see our Open Identity for Open Government FAQ)
Washington, D.C. - September 9, 2009 - Ten industry leaders - Yahoo!, PayPal, Google, Equifax, AOL, VeriSign, Acxiom, Citi, Privo and Wave Systems - announced today they will support the first pilot programs designed for the American public to engage in open government - government that is transparent, participatory, and collaborative. This open identity initiative is a key step in President Obama's memorandum to make it easy for individuals to register and participate in government websites - without having to create new usernames and passwords. Additionally, members of the public will be able to fully control how much or how little personal information they share with the government at all times.
These companies will act as digital identity providers using OpenID and Information Card technologies. The pilot programs are being conducted by the Center for Information Technology (CIT), National Institutes of Health (NIH), U.S. Department of Health and Human Services (HHS), and related agencies. The participating companies are being certified under non-discriminatory open trust frameworks developed in collaboration between the OpenID Foundation (OIDF) and the Information Card Foundation (ICF) per the federal government Trust Framework Provider Adoption Process.
Washington D.C. - At the Open Government Identity Management Solutions Privacy Workshop held today in Washington D.C., Don Thibeau, Executive Director of the OpenID Foundation, and Drummond Reed, Executive Director of the Information Card Foundation, announced a joint white paper from both foundations. Entitled Open Trust Frameworks for Open Government, the paper explains the approach both foundations are taking to enable open, Internet-scale trust networks using OpenID and Information Cards.
"Open trust frameworks are the way to bridge open identity technologies like OpenID and Information Cards with the trust requirements of large communities such as the U.S. federal government," said Mr. Reed. "They are a practical solution to enabling government agency websites and applications to accept identities from non-governmental identity providers. This reduces friction and lowers costs while at the same time increasing security and privacy."
The focus of the workshop was the privacy implications of introducing open identity technologies to federal websites. Besides Mr. Reed, speakers on this topic included:
The Information Card Foundation has been working with the U.S. General Services Administration (GSA) and other Internet identity organizations on identity management solutions that will enable open government.
On Monday, August 10th, the GSA is hosting an all-day event in Washington, DC called the Open Government Identity Management Solutions Privacy Workshop. This public meeting will discuss the work done to date and solicit input from the privacy community and the public.
ICF Executive Director Drummond Reed and Certification Committee Chair Mary Ruddy will both be speaking at the event.
Agenda and registration details are available at:
Registration is on a first come, first served basis.