3rd party paper on the economics of Trusted Identity


The paper "Economic tussles in federated identity management", by Susan Landau and Tyler Moore, recently appeared in First Monday, Volume 17, Number 10 - 1 October 2012.  From the abstract:

Federated identity management (FIM) enables a user to authenticate once and access privileged information across disparate domains. FIM’s proponents, who see the technology as providing security and ease of use, include governments and leaders in the IT industry. Indeed, a cornerstone of the current U.S. government’s efforts to secure cyberspace is its “National Strategy for Trusted Identities in Cyberspace” (U.S. Department of Commerce, 2011). Yet adoption of federated identity management systems has been slow.F From disputes over liability assignment for authentication failures to concerns over privacy, there have been many explanations for the slow uptake of federated identity management systems. We believe the problem is embedded in stakeholder incentives. We present an economic perspective of stakeholder incentives that sheds light on why some applications have embraced FIM while others have struggled. To do so, we begin by briefly analyzing seven use cases of successful and unsuccessful FIM deployments. From this we identify four critical tussles that may arise between stakeholders when engineering a FIM system. We show how the successful deployments have resolved the tussles, whereas the unsuccessful deployments have not. We conclude by drawing insights on the prospects of future FIM deployments.


The paper list notable successes and failures of trusted identity programs. InCommom, Shibboleth, and SAML are noted as successes. The authors analyze what factors have contributed to this success:

In order for a federated identity management system to succeed, all parties in the system must gain. Otherwise at least one has no incentive to participate. A user has to gain through ease of use, access to more services, greater privacy, or improved security. A Service Provider has to gain by acquiring more user data (the Facebook model), in the ability to reach to larger markets, or by insulation from liability for failures (as happens in some instances of credit card usage). An Identity Provider must also gain from the system. The gain in control of user data and of the user authentication process are obvious benefits to the Identity Provider, but those gains must be offset by granting some benefits to the Service Provider and user.