Research & Education (R&E) Identity Federations have traditionally been about authenticating an individual. That has worked for R&E federations for nearly two decades and put R&E ahead in efficiently offering a critical service within the R&E sector. But what if these federations could do more? Enter the digital wallet.
The Role of Federations
Current federation models rarely offer an individual the ability to choose what attributes are shared when they start a sign-in process. In some cases, the most critical piece of information is the individual’s affiliation, not their personal information. In all cases, the service (aka, the Relying Party) consuming the information knows it can trust what it receives because it is sourced from the institution, not self-asserted by the individual.
R&E federations formed out of a desire to protect an individual’s privacy and increase efficiency. Federations provide a mechanism that allows a model more refined than “all or nothing” when it comes to releasing an individual’s personal information. Details about an individual are broken up into discrete attributes that include pseudonymous identifiers, affiliation information, preferred pronouns, and more. When participating in a federation, the institution that houses all those details indicates in its federation metadata what attributes it is willing to share, and relying parties indicate what attributes they are going to ask for. Both parties—the institution and the relying party—share that information with a trusted third party, the federation, so that each can functionally have agreements with hundreds of partners at a time. It was technology far ahead of its time.
Bringing Wallets to the Table
The technology that enables R&E federations was groundbreaking, but technological evolution never stops. New and improved standards and applications are constantly being developed to meet the changing needs of the world. Decades after R&E federations started to form, the world has changed significantly to include strict data privacy regulations (e.g., GDPR, CCPA). Sectors outside of R&E are exploring ways to engage directly with individuals while still receiving verified information about them. Standards and technologies are being developed that encompass the needs of everyone on the web. It’s a very different environment, and people have much more nuanced expectations of their online experience and privacy.
Digital wallets are at the heart of the changing landscape. They offer a promise of allowing institutions in any sector to add relevant credentials to a wallet that is ultimately under the control of the individual. From academic affiliation to driver’s license data, a digital wallet promises to provide a secure, privacy-preserving mechanism for storing credentials that surpasses anything available today.
The European Union is leading the way in its DC4EU project that will see credentials and wallets exist in a way that is required to be interoperable from one country to the next. In the U.S., these efforts are being driven more by big tech companies than by governments, though many states are exploring options to support mobile driver’s licenses.
If institutions offer credentials in a digital wallet and relying parties can engage directly with the individual to request data, where does that leave the federation? Is their role as a trusted third party that handles everyone’s metadata still relevant?
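To make the contrast between the two release models concrete, here is a small Python sketch I have added to this post (it is not code from any federation, wallet project, or standards body). It models the federation flow described above, where the institution's release policy and the relying party's declared request are intersected without consulting the user, next to a wallet flow where the holder chooses which issued claims to reveal and the relying party still verifies that each revealed claim was asserted by the institution. All attribute values, entity names (`https://idp.example.edu`, `https://journals.example.org`, and so on), the `IDP_RELEASE_POLICY` and `SP_REQUESTED_ATTRIBUTES` dictionaries, and the function names are constructed for the example. Real federation metadata is SAML XML rather than a Python dict, and the HMAC with a constructed key stands in for the institution's public-key signature; the salted-digest layout borrows the idea behind SD-JWT selective disclosure.

```python
"""
Toy comparison of attribute release under (a) an R&E federation and (b) a
holder-controlled digital wallet. All data here is constructed for the example.
"""
import hashlib
import hmac
import json
import secrets

# Constructed attributes an institution holds about one user.
USER_ATTRIBUTES = {
    "eduPersonTargetedID": "c0ffee1234@example.edu",
    "eduPersonScopedAffiliation": "student@example.edu",
    "displayName": "Alex Example",
    "mail": "alex@example.edu",
}

# Simplified federation metadata (constructed). Real metadata is SAML XML;
# this only models the policy decision the text describes: the institution
# declares what it will release per relying party, the relying party declares
# what it asks for.
IDP_RELEASE_POLICY = {
    "https://journals.example.org": ["eduPersonTargetedID", "eduPersonScopedAffiliation"],
    "*": ["eduPersonTargetedID"],  # default for any other federation member
}
SP_REQUESTED_ATTRIBUTES = {
    "https://journals.example.org": ["eduPersonScopedAffiliation", "mail"],
    "https://wiki.example.net": ["displayName", "mail"],
}


def federation_release(sp, user_attrs=USER_ATTRIBUTES,
                       policy=IDP_RELEASE_POLICY, requested=SP_REQUESTED_ATTRIBUTES):
    """Federation model: release the intersection of what the institution
    will share with this SP and what the SP declared. The user is not asked
    at sign-in; the SP trusts the values because the institution asserts them."""
    allowed = set(policy.get(sp, [])) | set(policy.get("*", []))
    asked = set(requested.get(sp, []))
    return {name: user_attrs[name] for name in allowed & asked if name in user_attrs}


# ---- Wallet model ----------------------------------------------------------
# HMAC with a constructed key stands in for the institution's signature; a real
# wallet credential carries a public-key signature so the verifier needs no
# shared secret. The salted-digest layout follows the idea used by SD-JWT.
ISSUER_KEY = b"constructed-issuer-key-not-real"
ISSUER = "https://idp.example.edu"


def _claim_digest(salt, name, value):
    blob = json.dumps([salt, name, value], separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def issue_credential(attrs, key=ISSUER_KEY):
    """Institution signs only the digests; the holder keeps the salted claims."""
    disclosures = {name: (secrets.token_hex(16), value) for name, value in attrs.items()}
    digests = sorted(_claim_digest(salt, n, v) for n, (salt, v) in disclosures.items())
    payload = json.dumps({"iss": ISSUER, "digests": digests},
                         sort_keys=True, separators=(",", ":"))
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig, "disclosures": disclosures}


def wallet_present(credential, requested, consented):
    """Holder decides which requested claims to reveal; undisclosed salts and
    values never leave the wallet."""
    reveal = {n: credential["disclosures"][n]
              for n in requested if n in consented and n in credential["disclosures"]}
    return {"payload": credential["payload"], "sig": credential["sig"], "disclosed": reveal}


def verify_presentation(presentation, key=ISSUER_KEY):
    """Relying party: check the issuer signature, then that every disclosed
    claim hashes to a signed digest. Raises ValueError on any failure."""
    expected = hmac.new(key, presentation["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["sig"]):
        raise ValueError("issuer signature does not verify")
    signed = set(json.loads(presentation["payload"])["digests"])
    verified = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _claim_digest(salt, name, value) not in signed:
            raise ValueError(f"claim {name!r} is not covered by the issuer signature")
        verified[name] = value
    return verified


def self_asserted_claim_is_rejected(credential):
    """A claim value the holder edits without the institution is detected."""
    pres = wallet_present(credential, ["mail"], {"mail"})
    pres["disclosed"]["mail"] = (pres["disclosed"]["mail"][0], "self-asserted@example.edu")
    try:
        verify_presentation(pres)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("federation ->", federation_release("https://journals.example.org"))
    cred = issue_credential(USER_ATTRIBUTES)
    pres = wallet_present(cred, ["eduPersonScopedAffiliation", "mail"],
                          {"eduPersonScopedAffiliation"})
    print("wallet     ->", verify_presentation(pres))
    print("tamper rejected:", self_asserted_claim_is_rejected(cred))
```

Two things worth noticing when you run it. In the federation flow, `mail` is never released to the journal service even though it asked for it, because the institution's policy did not allow it, and the user had no say either way. In the wallet flow the holder withholds `mail` on their own, yet the relying party can still confirm that `eduPersonScopedAffiliation` came from the institution and was not edited, which is the property the text attributes to federation-sourced attributes.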
It’s About Experience
The technologies behind digital wallets and R&E federations may be different, but the desire to efficiently and securely share attributes is the same. As new sectors partner with academic institutions on things like microcredentials, there are going to be questions about best practices and unfamiliarity with pitfalls that the R&E federation community has already had to contend with. R&E federations have an opportunity to collaborate with these new partnerships, and they should.
Of course, R&E Federations are often not well-funded, and focusing on operational services as they have existed for so long is easier than pushing ahead with new models. No one wants to be in a position where they have to support old and new platforms with the same overburdened staff. And yet, this is an opportunity to make an argument for an increase in funding (e.g., government grants and incubation efforts) that will allow R&E federations the resources they need to pivot and offer services that will be more relevant than the authentication services they offer today.
I don’t think “what if federations could do more” is actually the correct question. What if R&E federations don’t do more? Will they remain relevant? Yes, but it will be in a very small, almost boutique fashion for extremely narrow use cases. Large-scale, authentication-focused federations become less relevant over time as individuals control their credentials.
My message to R&E federation operators: Stop worrying about being good at authentication. Focus on encouraging the use of strong authentication (i.e., WebAuthn). Take the time to form partnerships with institutions both within your usual remit and in industry, and figure out the wallet world. It won’t be easy, but it will be rewarding.