Executive Summary

1. Executive Summary

The United States Federal Trade Commission (FTC) defines identity theft as 'a fraud that is committed or attempted, using a person’s identifying information without authority'. This broad definition came out of 1998 legislation designed to provide consumer protections against the fraudulent use of personal information in any form.

The definition includes all types of crime in which someone, without authorization, obtains, transfers, or uses another person's personal data in some way that involves fraud or deception. Identity theft is often differentiated from identity fraud. Identity theft may be committed for various purposes (e.g., fraud, terrorism), but it always involves the use of another real person’s identity. Identity fraud, by contrast, may involve the use of either a wholly fictitious identity or another person’s real identity in a fraud scheme. Because an individual possesses various identities, there are also several kinds of identity theft, including medical identity theft, corporate identity theft, etc. Different types of theft can therefore carry consequences of different severity.

A federated identity management system can safeguard a consumer’s digital identity against identity theft without jeopardizing the usability advantage. Additionally, a federated identity management system can provide mechanisms to secure the identity from inadvertent disclosure or usage within the federation. As adversaries adapt their strategies to circumvent security measures, identity management solutions must respond robustly and flexibly in order to withstand the dynamic nature of the threats. This document provides some technical suggestions and guidance for preventing identity theft in a federated identity management system.
