As enterprises move more services online, many have given customers the option to use third-party credentials to access their services. This practice, known as identity federation, saves businesses time and resources in managing identities, and prevents customers from having to create and manage a new account. For example, you can use your social media account login to access your fitness tracker account. In effect, the social media company is vouching that the same person is logging in each time they access the tracker website.
Identity brokers help facilitate this process by managing the integration between organizations and credential providers. Organizations connect once to the identity broker and accept many types of credentials, rather than managing each integration separately. However, this process presents security concerns for users as these connections can create the opportunity for an exposure of personal information, or for the broker to track a user’s online activity.
The Privacy-Enhanced Identity Federation project will examine how privacy-enhancing technologies, leveraging market-dominant standards, can be integrated into identity federation solutions to meet the privacy objectives of users and organizations. This project is a joint effort between the NCCoE and the National Strategy for Trusted Identities in Cyberspace National Program Office (NSTIC NPO).
Ultimately, this project will result in a NIST Cybersecurity Practice Guide, a publicly available description of the practical steps needed to implement a cybersecurity reference design.
If you have any questions or suggestions, please email the project team at firstname.lastname@example.org.