[Dave Birch] A survey from the not-entirely-disinterested American Bankers Association says that US consumers trust banks far more than anyone else (including the government) to look after their identity.  It’s certainly been discussed enough — the idea that banks might become identity brokers of some description — and it has always seemed to me that it’s not a crazy idea.  Further, some leading banks actually set up a consortium to do just this a few years ago.  That consortium, Identrus, has become IdenTrust.  If trust is the one intangible commodity banks possess that rises above anything non-bank rivals might have, and with digital certificates and digital signatures once again being seen as the general solution to the identity problem, then perhaps its day has come.

There’s another imperative.  Banks are under pressure to introduce "two factor authentication" (2FA) for online transactions and they’ve just spent a load of money on issuing a jolly handy device for storing keys and certificates: smart cards.  Now, the smart cards that the banks have issued will shortly have to be upgraded to the higher-security version of "chip & PIN" cards.  These are called Dynamic Data Authentication (DDA) cards and they are already being rolled out in other countries (eg, France).  The interesting thing about them, from the digital ID perspective, is that they have cryptographic co-processors on board.  This means that they can support a digital signature application with minimal effort (this is how the American Express Blue cards did it).
So if the bank sends me a simple USB smart card reader so that I can log on with my chip and PIN card, that’s convenient.  But the bank could then store either more key pairs, or more certificates, on the smart card and charge other organisations (eg, the government, retailers) for using them.  This makes solving the phishing and fraud problem a line of business rather than a cost and, surely, that’s a way to get something done.  As in the chat room example discussed last week, the bank might be able to sell several certificates to the same person and it might also be able to sell chip and PIN cards to people for them to use purely for log on and not for payment at all.  Now that’s what I call a disruptive technology!
