A User Centric Model for Online Identity and Access Management

The problem today is that users are expected to remember multiple user names and passwords for different domains when accessing the Internet. Identity management solutions seek to solve this problem by creating a digital identity that is exchangeable across organisational boundaries. This is done through the setup of collaboration agreements between multiple domains, thus users can easily switch across domains without having to repeatedly sign-on. However, this technology is accompanied by the threat of user identity and personal information being ‘stolen’. Criminals make use of fake or ‘spoofed’ websites as well as social engineering techniques to gain illegal access to a user’s information. This problem has been catapulted to the fore by the statement that phishing has increased by 8000% over the period January 2005 to September 2006 (APACS, 2007). Thus, the need for user protection from online threats has drastically increased. This paper examines two processes to protect user login information. Firstly, user’s information must be protected at the time of sign-on, and secondly, a simple method for the identification of the website is required by the user. This paper looks at these processes of identifying and verifying user information followed by how the user can verify the website at sign-on. The roles of identity and access management are defined within the context of single sign-on. Three different models for identity management are analysed, namely the Microsoft .NET Passport, Liberty Alliance Federated Identity for Single Sign-on and the Mozilla TrustBar for website authentication. A new model for the definitive protection of the user in the online environment is proposed based on the evaluation of these three existing models.