Searching for the second factor (The Identity OS)
That should be a catchy title for this post!
I have been thinking lately about multi-factor authentication. Two-factor authentication (a requirement for many critical systems) is frequently described as ‘something you know’ and ‘something you have’. On the Internet most applications apply single-factor authentication in the form of username/password.
There are some examples of two-factor authentication out there though. Banks have issued their customers with hardware tokens, while network operators use SIMs for access to the network (in the SIM case the physical SIM is ‘something you have’ while the PIN serves as ‘something you know’).
All those second factors have one thing in common: they are hardware dedicated to a limited set of applications on a ‘closed’ and proprietary platform. Wouldn’t it be great to have a single reusable platform for second factors?
This is where Microsoft Cardspace and Intel’s Identity Capable Platform come into the picture. I think both can be considered platforms for second factors, and both have different approaches. A second factor has to be ‘something you have’, which can be interpreted as ‘something that can’t be copied or stolen to some other place’. It basically implies that our customizable second factor platform is an environment where we can insert and remove credentials (the second factors) in a secure way.
- Cardspace qualifies as such an environment as it is able to add ‘Information Cards’ (second factor) and store/execute these securely. Cardspace also allows local user authentication through username/password (first factor) and in the future biometrics (third factor!). Microsoft were in an (obviously) unique position to do this the right way because they own the OS. A ‘normal’ application would be vulnerable to a large range of virus and malware threats, where an OS native application has more protections in place. Still, Cardspace is as secure as the operating system it is built into, and time will tell if this is good enough to provide a second factor. It will definitely take some time to convince critical applications like online banking that Cardspace is trustworthy for multi-factor authentication.
- Intel’s ICP (and also ARM Trustzone) are hardware environments with a limited operating system that allow the inserting, executing and removing of credentials. These hardware platforms are able to do the same things as Cardspace but are implemented in silicon (therefore potentially more secure than Cardspace). These technologies rely on the security of hardware with limited software functionality instead of the more general purpose operating system that is Windows.
In both cases the security of the whole credential life-cycle (protocols!) determines the level of trust people will have in the second factors provided by their platforms. Microsoft allows users to manually import their Information Card into the Cardspace Client, while the ICP is based on Liberty Alliance Advanced Client protocols.
This has led me to believe that there should actually be an Identity OS, which is a set of functions that is just able to provide the right amount of identity-related services (more on this in later posts). By keeping the functionality small, the risk of a vulnerability will be mitigated. This Identity OS could then be implemented either in silicon, on a USB dongle, an SD card or in the OS.
The Identity OS could solve interoperability issues with two-factor authentication and provide a uniform and extensible (mooooore factors) platform for identity management. Let me know what you think..