Another way forward might be to dispense with the “card” and just focus on the chip and interfaces, as has been done with this Korean product, which looks like a USB key and simply contains a chip (in this case, for payments) with a contactless interface for use at a physical point of service and a USB interface for online use. It’s certainly tempting to try to bring physical and virtual identity together in this way. If digital identity is implemented in some sort of smart card, then connecting the smart card to a computer becomes an issue. But as the experience of “chip and PIN” payment cards has taught us in the U.K., asking people to enter a PIN (or a fingerprint, or anything else) into an untrusted device (i.e., a POS terminal or a PC) is an invitation to trouble. So it’s not clear at all whether this kind of implementation would provide additional security or merely the simulation of security: you would have to enter the PIN directly on the card to make it worthwhile, in which case you’d surely be thinking (as I do all the time) “why can’t I just use my phone?”. If we used a PKI application on the phone — accessing SIM-based cryptography — then we could bypass all of the insecurity of the PC world.
Now, this is hardly a new idea. There have been several pilots and trials — involving major operators — implementing this kind of architecture and connecting the phone to the PC by Bluetooth or WiFi. But I think this shows another area where NFC (sorry to keep going on about it) will be really revolutionary.
On the whole, there’s more chance of making the phone the “standard” tamper-resistant environment rather than a special-purpose piece of hardware, simply because everyone has one already and it’s very clever. But it might be a worthwhile strategy to use something like one of these contactless keys as an interim step to help develop the ecosystem.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.