[Dave Birch] I’m giving a talk on identity services as a potential new business for mobile operators, and I’m trying to make the point that there are routine, everyday, prosaic applications for this kind of thing: it’s not all about opening bank accounts and reporting deaths. Every single day I take part on transactions that are made complicated, expensive and unsatisfying because of the lack of an identity infrastructure. How many times in an average week do you press the “forgot your password” button? I do it all the time. Here’s the standard pattern:

1. Get e-mail from British Gas asking for a meter reading (we still have dumb meters — more on this in a future post).

2. Read meter.

3. Click on link in e-mail to submit reading.

4. It asks for e-mail address and password, so enter e-mail address and then click on “forgot your password”.

5. It says I’m not registered, so then I have to go and register. I use the same password that I use for everything else.

6. But my password has to be between 8 and 16 characters (they take security seriously) so then I have to think of another one (which I am certain to forget again next time).

6. Then I can log in and give the reading.

7. But I get “We’re sorry but access to your online account is temporarily unavailable. Please try again in a few minutes.”

8. Next day get an e-mail from British Gas apologising for problems with online system. (This isn’t really anything to do with identity, but it was nice of them, so I thought I’d report it.)

The process should have been:

1. Get e-mail to remind me to read meter (British Gas must have my e-mail on file somewhere to do this).

2. Read meter.

3. Clink on link in e-mail to submit reading.

4. Since the system knows the e-mail address it can prefill this and then ask for my login code from my Barclays dongle (or mobile phone, or whatever).

Bingo. Secure log in, with no effort, since my card and dongle are next to the computer.

Incidentally, and apropos of nothing, I was curious why the system was a bit crap, so I googled British Gas CRM to see if other customers were complaining, and I found this:

A good CRM system can provide automated, reliable and accurate billing and cope with high levels of customer switching and multiple service offerings. This is what British Gas set out to do with Project Jupiter in 2001, when it commissioned Accenture to install a new £317 million SAP billing system. Unfortunately, the well-documented problems with Jupiter resulted in a spike in customer complaints, loss of market share and a £182 million legal battle between British Gas and Accenture that looks set to rumble on for several years.

[From British Gas sorts out billing issues and prepares for smart metering – Interviews – Features : Utility Week]

Anyway, back to the topic. We must, as a matter of urgency, start moving to an identity and authentication infrastructure that puts a stop to this time- and money-wasting replication at every service provider.

I think there’s a lot to be said for a mobile-based solution. My kids already use their mobile phones to log in to World of Warcraft and this seems to work perfectly well for that purpose. And Google have adopted a similar mobile one-time password (OTP) for customers who want additional security for Google Apps.

But before we all get too excited, note that the OTP generated by or sent to the mobile phone is simply entered by the user into the user’s PC browser in order to log into Google Apps. This authentication method has long been beaten by bank trojans like Zeus.

[From Google two factor authentication a first step – but a lot more need to be taken]

To take a real step forward, we need a secure application and that means it has to be in tamper-resistant hardware which, in the case of the phone, means the SIM. When I was in South Africa recently, I discovered that the Payment Association of South Africa has added a new transaction type to the networks there. It is called “ATM”, which standards for “authentication transaction message” but is generally known as “SIM and PIN”. It is, as that name suggests, meant for online PIN debit transactions where there is no card present but there is a mobile phone. Quite forward looking if you ask me and, once again, it opens up discussion about another area where developing-world innovation might provide new products and services for the developed world. One of the discussions I got into down there was about the relationship between SIMs and digital identities.

Two SIM cards mean two identities. In the world of transformational banking, this does mean two wallets. It is therefor eextremely likely that consumers would own more than one wallet in a world of multi-SIM. This poses interesting questions:

* How does this impact on regulatory requirements? In most of the regulatory dispensations, subscribers are subject to limits (value in a wallet, daily transactions etc.). Should a system cater for this and recognise that a subscriber actually have two or more wallets?
* How should one deploy the user interface in a multi-SIM phone? How would a transaction look like (or work) where a payment is made from one SIM card to another in the same phone?
* Thinking a bit into the future, where the secure element for an NFC transaction is suppose to reside on the SIM card, how would this work if the phone has two SIM cards?

[From Mobile Banking: Implications of multi-SIM users for mobile money services]

Really useful input into practical MNO strategies for our markets. If the MNOs were to add a generalised PKI application to the SIM and let anyone who wants to use it, then you’d soon find a small group of identity providers who would come to provide the majority of the identity and authentication services (it’s the nature of these things). This is hardly a new, or original thought.

# Leverage the devices for digital identity; a Windows Mobile device that felt like an iPhone would be one kick-arse CardSpace identity selector.

[From iPhone + iTunes + AppStore + Services: Microsoft, please note. « notgartner]

Quite. The mobile phone can not only store a person’s digtial identities (across multiple SIMs) but it can allow people to select which identities may be appropriate in different circumstances. It becomes a kind of remote control for identity.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

1 comment

  1. A really interesting post.
    Perhaps a main concern with any ‘roll-out’ of this magnitude, should be the overall immaturity of this industry. It’s a rapidly changing sector, and one that’s not yet been fully ‘bench tested’. (One where standards are only just being developed.) Sure, it’s arguably a big mistake to stand in that way of such advances. In fact do so at your peril – it may feel like being hit by a steamroller – and if you’re not part of the steamroller… then you’re part of the road! But maybe there’s a case for moving forward in a measured way, and if you’re going into a metaphorical coal mine then it’s always best to take a canary. Always be wary – carry a canary! Or in this particular context perhaps instead visit: http://www.rfidprotect.co.uk

Leave a Reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: