[Dave Birch] With the U.K. newspapers focussing on ID cards again, now that the shortlist of the only suppliers who wanted to be on a shortlist has been announced, I wonder if it isn’t time to abandon even talking about ID cards, when the practical implementation of identity for the foreseeable future is going to be centred on mobile phones. Since mobile phones can do a great many things that cards cannot, they provide an obvious means to deliver some useful identity services to both individuals and to organisations. Examples might be simple, secure authentication for online services.


Forrester Research analyst Bill Nagel claimed that mobile authentication has taken hold in many countries, and that mobile signatures are a "logical extension… Nearly all of the banks and operators we spoke to said that the technology operates flawlessly and that the experiences of customers who use the system are very good," he said.

[From Mobile signatures given the thumbs up – WhatPC?]

This is an attractive vision. The idea of making the Internet more secure sounds promising at first, but it has many negatives as well. If we make the Internet more difficult to connect to and harder to use, we lose the creative dynamic around it. Therefore, it kind of makes sense to leave the Internet cheap, flexible and insecure and kick the security layer off the end of the Internet and into the phones. Phones start off from a more secure base, because they already have tamper-resistant hardware (i.e., the SIM) in place and since this hardware is a general-purpose computer, there is plenty more it can do. This idea fits rather well with the identity-as-utility view that we have been putting forward for some time. The mobile phone works perfectly as the "identity gadget", the universal faucet that we will all use to turn identity on and off (emergency stop: bad analogy detected). We’re hardly the only people working along this line of thought.


From Marco, a great HP paper on Identity-Aware Devices, describing some PoC work HP did with Intel around the Liberty Alliance’s Advanced Client specifications.

[From ConnectID: Identity-Aware Devices]

In the HP paper, they talk about "identity-aware devices", which I rather like as a way of thinking about practical solutions. They point out that in order to function in a sophisticated environment (in this case, a federated identity environment) the identity-aware device needs some kind of trusted module that can function as an identity provider. This is exactly how I see the SIM: there’s no need to invent anything new, just find a way to get the mobile operators and others to co-operate to implement the kind of ideas that we can all already see are the way forward.

I’ll be over at the EEMA conference in The Hague on June 12th, talking about mobile in the ENISA workshop, so if you fancy coming along I’ll see you there. The presentation that I will be delivering is called "Mobile phones and the identity utility" and it’s here…




So if you have any suggestions for improving it, please let me know ASAP!

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]
