Mountain View, Ca. - The next phase of open identity includes a mesh of third parties and mobile device providers that supply validated snippets of user data to support stronger consumer authentication, according to a plan proposed by Google.
The search giant is aiming to define a loosely-coupled legion of "providers" to contribute user attributes - or pieces of data they know about users - such as street address, age and/or mobile phone number, that can be used to more accurately validate that user's identity.
Google initially is working with mobile provider Verizon, attribute exchange service ID/Dataweb, and trust framework provider Open Identity Exchange (OIX). The group plans to give a demonstration of what Google calls "Street Identity" at the OIX Attribute Exchange Summit this week (Nov. 9-10) in Washington D.C. (A self-directed demo is online.)
The stronger authentication also benefits the government's National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative, which is a model for an identity network to be built by the private sector.
The upshot is that consumer web sites, government agencies and enterprises that want to accept open identities issued by the likes of Google, Facebook or Twitter would have more assurance the person behind that identity is actually who they say they are.
The entire model is built using current identity standards, including OpenID Connect, to aggregate and distribute attributes, and OAuth 2.0 to secure their exchange.
"Google's [efforts] recognize what is happening now, which is identities are being deconstructed into attributes," says Don Thibeau, chairman of OIX. "[These vendors] have a notion of an attribute transaction network with more granularity, more monetization and more precision."
Google and others believe that by aggregating a user's data from various sources, online identities will map more accurately to real-world identities, something OpenID Connect in its current form cannot do.
Today users can create identities on sites like Google and Facebook without having to validate any of their information; therefore, those IDs are not well-suited for transactions that might involve sensitive data or financial exchanges.
That reality, therefore, limits the number of sites that accept open identities, which in turn forces users to maintain multiple passwords and user names.
Google's model calls for creating attribute providers, say a mobile provider that would supply the user's mobile phone number or a utility that would contribute a known street address for the user.
There would be no restrictions, however, on businesses or organizations eligible to become an attribute provider.
Today, consumer ID based on OpenID includes an entity that supplies the identity, called an Identity Provider (IdP - i.e. Google and Facebook), and an entity wanting to validate a user's identity, called a Relying Party (RP - the Web site where the user entered their OpenID).
Google is proposing the inclusion in that mix of a third leg called an Attribute Provider (AP) and defining the rules, policies and trust frameworks that would govern those providers. The three entities - IdP, RP and AP - would exchange a collection of security tokens to request and receive the user's data.
A set of application programming interfaces (APIs) would provide the connecting tissue.
Google emphasizes that the user would first consent to the sharing of their personal information. Most likely the Identity Provider would add a consent form, according to Google. The consent would be built under a model called User Managed Access (UMA), which is built on OAuth.
In addition, a financial incentive needs to be created for Attribute Providers to share the valuable data they hold.
"Eighty percent [of the technology side] is already built, we need relying parties and attribute providers," said Eric Sachs, a product manager in Google's security and CIO department.
Sachs says Street Identity solves three problems: it maps to real-world identities, which OpenID does not do; it provides a financial incentive for mobile operators and others to come on board (they collect fees for providing data); and the government can stay out of the electronic ID business (it gets needed data via attribute providers).
"Street identity means the relying party allows you to log-in with your Google account and with your verified address," says Sachs.
That process would provide far more security, with the expectation that far more Web sites would become relying parties and far more users would adopt OpenID technology.
Google has been aggressive lately in terms of its OpenID adoption and development. In July, Google introduced AccountChooser, a simple, open standard log-in interface that Google eventually donated to the OpenID Foundation.
Web sites looking to accept OpenIDs could build the AccountChooser UI into their sites. The interface gives end-users a common log-in look-and-feel across the Web.