1. Get e-mail from British Gas asking for a meter reading (we still have dumb meters — more on this in a future post).
2. Read meter.
3. Click on link in e-mail to submit reading.
4. It asks for e-mail address and password, so enter e-mail address and then click on “forgot your password”.
5. It says I’m not registered, so then I have to go and register. I use the same password that I use for everything else.
6. But my password has to be between 8 and 16 characters (they take security seriously) so then I have to think of another one (which I am certain to forget again next time).
6. Then I can log in and give the reading.
7. But I get “We’re sorry but access to your online account is temporarily unavailable. Please try again in a few minutes.”
8. Next day get an e-mail from British Gas apologising for problems with online system. (This isn’t really anything to do with identity, but it was nice of them, so I thought I’d report it.)
The process should have been:
1. Get e-mail to remind me to read meter (British Gas must have my e-mail on file somewhere to do this).
2. Read meter.
3. Clink on link in e-mail to submit reading.
4. Since the system knows the e-mail address it can prefill this and then ask for my login code from my Barclays dongle (or mobile phone, or whatever).
Bingo. Secure log in, with no effort, since my card and dongle are next to the computer.
Incidentally, and apropos of nothing, I was curious why the system was a bit crap, so I googled British Gas CRM to see if other customers were complaining, and I found this:
A good CRM system can provide automated, reliable and accurate billing and cope with high levels of customer switching and multiple service offerings. This is what British Gas set out to do with Project Jupiter in 2001, when it commissioned Accenture to install a new £317 million SAP billing system. Unfortunately, the well-documented problems with Jupiter resulted in a spike in customer complaints, loss of market share and a £182 million legal battle between British Gas and Accenture that looks set to rumble on for several years.[From British Gas sorts out billing issues and prepares for smart metering – Interviews – Features : Utility Week]
Anyway, back to the topic. We must, as a matter of urgency, start moving to an identity and authentication infrastructure that puts a stop to this time- and money-wasting replication at every service provider.
I think there’s a lot to be said for a mobile-based solution. My kids already use their mobile phones to log in to World of Warcraft and this seems to work perfectly well for that purpose. And Google have adopted a similar mobile one-time password (OTP) for customers who want additional security for Google Apps.
But before we all get too excited, note that the OTP generated by or sent to the mobile phone is simply entered by the user into the user’s PC browser in order to log into Google Apps. This authentication method has long been beaten by bank trojans like Zeus.[From Google two factor authentication a first step – but a lot more need to be taken]
To take a real step forward, we need a secure application and that means it has to be in tamper-resistant hardware which, in the case of the phone, means the SIM. When I was in South Africa recently, I discovered that the Payment Association of South Africa has added a new transaction type to the networks there. It is called “ATM”, which standards for “authentication transaction message” but is generally known as “SIM and PIN”. It is, as that name suggests, meant for online PIN debit transactions where there is no card present but there is a mobile phone. Quite forward looking if you ask me and, once again, it opens up discussion about another area where developing-world innovation might provide new products and services for the developed world. One of the discussions I got into down there was about the relationship between SIMs and digital identities.
Two SIM cards mean two identities. In the world of transformational banking, this does mean two wallets. It is therefor eextremely likely that consumers would own more than one wallet in a world of multi-SIM. This poses interesting questions:
* How does this impact on regulatory requirements? In most of the regulatory dispensations, subscribers are subject to limits (value in a wallet, daily transactions etc.). Should a system cater for this and recognise that a subscriber actually have two or more wallets?[From Mobile Banking: Implications of multi-SIM users for mobile money services]
* How should one deploy the user interface in a multi-SIM phone? How would a transaction look like (or work) where a payment is made from one SIM card to another in the same phone?
* Thinking a bit into the future, where the secure element for an NFC transaction is suppose to reside on the SIM card, how would this work if the phone has two SIM cards?
Really useful input into practical MNO strategies for our markets. If the MNOs were to add a generalised PKI application to the SIM and let anyone who wants to use it, then you’d soon find a small group of identity providers who would come to provide the majority of the identity and authentication services (it’s the nature of these things). This is hardly a new, or original thought.
# Leverage the devices for digital identity; a Windows Mobile device that felt like an iPhone would be one kick-arse CardSpace identity selector.[From iPhone + iTunes + AppStore + Services: Microsoft, please note. « notgartner]
Quite. The mobile phone can not only store a person’s digtial identities (across multiple SIMs) but it can allow people to select which identities may be appropriate in different circumstances. It becomes a kind of remote control for identity.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]