Personally, as I’ve said before, I like NSTIC and have been encouraging our clients to develop strategies toward NSTIC. Since virtually none of them spend their entire time thinking about identity infrastructure, I’m trying to find ways to simplify and condense some of the key issues. If we step back to look at the intended prosaic impact, it’s about better security and fewer passwords, which translates in the short term into a combination of two-factor authentication (2FA) and federation.
The president wants consumers to use strong authentication, something more than user name and password, which will most likely add another security factor, say officials familiar with the project.
For example, user name and password is one-factor security, something you know. But additional factors can be added. A token or digital certificate can be a second factor, something you have, resulting in stronger two-factor authentication. If you add a fingerprint or other biometric, something you are, it’s increased to three-factor security. [From NFCNews | Potential technologies that consumers may use for online ID]
In that specific exposition, there follows an interesting, but confused, list of options. I’d like to suggest a more straightforward taxonomy, based on a digital identity infrastructure (which doesn’t exist, of course). The article, to my mind, confuses the distinct bindings between the virtual identities that exist in the Net and the real identities that they are connected to. This is why it is useful to introduce the notion of digital identity in the middle (which would also solve the “real names” problem that is causing so much grief at the moment, but that’s another story). So then we get the two categories of technology that might be used to solve the key problems and work within the NSTIC framework to make a real difference to the world of online identity. These are:
- Linking virtual identities to digital identities. The article suggests that digital certificates and PKI might be a good way to do this and I agree. Think of a digital identity as a private-public key pair: so long as there is some tamper-resistant store (which has generally meant a smart card) for the private key then the digital identity is portable and convenient. The natural place for this tamper-resistant chip is, of course, the mobile phone (or, at least, the device-formerly-known-as the mobile phone) because it provides both local (via NFC) and remote interfaces to the chip.
- Linking digital identities to real-world entities. Right now this is largely achieved through passwords or PINs, but the article suggests that passwords will be supplanted by biometrics. I think this is plausible, although it is not an immediate requirement for mass market use. People will want to use NSTIC to log into The Telegraph and the DVLC, not to reset nuclear missile launch codes.
By implementing the right technology for each of these links, we (i.e., the industry) can make NSTIC simple and practical. If we can do this, then I think that the use of digital identity will permeate through almost all of our day-to-day interactions. I think some people view NSTIC as being a kind of non-governmental ID “card” and therefore tend to think of it for a particular set of applications, but these are only a start. To get an idea of what might be achieved, have a look at how a technologically advanced ID card is used.
The new Estonian e-ID card features a PKI application embedded in the contact chip, allowing online authentication and digital signature by qualified electronic certificates. This technology enables citizens to execute a large variety of e-government and e-commerce services, and makes it possible to verify and validate the documents in electronic transfer. Additionally, the e-ID card offers the owner access to the local public transport network.
Furthermore, the BRP card contains a contactless chip with special functionalities when travelling within the Schengen area. The application fulfils the most recent ICAO norms for biometric identity documents, such as a fingerprint check. [From Trüb AG]
This card-based implementation suggests to me a way of funding the improved implementation of NSTIC as well. If mobile operators would provide this functionality on the UICC and make it available to banks and others to use, consumers could use that solution—generating data and messaging traffic for the operators—or, for consumers who didn’t want to use the smartphone app, there would be a card to buy.
It seemed to me at the Chicago event that some of the thinking about the technology platform was underdeveloped. We have some fantastic tools available to us now that we can use to create a digital identity infrastructure that would have been hard to imagine a few years ago. Starting from where we are, the realistic platform is the cloud plus the mobile phone which would turn the mobile into an identity selector and
One factor that will have to be taken into account, though, if mobile operators are going to provide this platform is that of regulation. I can see that one of the real attractions of this business for mobile operators is that as both an identity provider and as the authentication platform, they can assemble an incredible amount of personal data.
But as of now, the NSTIC Strategy document and the Implementation Plan lack crucial detail about regulating IdPs. By definition, Identity Providers will be able to link all of an individual’s personal transactions. Without regulation, larger IDPs will be able to market, share or otherwise derive value from vast storehouses of transactional data, much like today’s credit reporting agencies. [From NSTIC at a Crossroads « Because I am Here]
This is a very good point. We do have to find some kind of balance (which may be through a different basic structure, such as is provided by something like MyDex) to give the stakeholders incentive to create an excellent infrastructure. We also have to find a fair basis for the mobile operators and others to create a working set of relationships.
Absent new laws to make this kind of grand identity federation happen, we will still need new contracts—brand new contracts of an unusual form—struck between all the parties. It’s complicated by the fact that banks & telcos don’t naturally see themselves as “identity providers”, not in the open anyway. [From Digital Identity: The sorry state of id and authentication]
One way to do this might be to see the mobile operator provide two distinct functions via separate business entities: the identity platform that is made available to all (in the great tradition of EU regulation in an “open, transparent and non-discriminatory” manner) and the identity and attribute provider business that uses that platform just as many others (e.g., banks) will. The practical use cases are appealing: you go to log on to your bank, you get a message on your phone, you punch in a PIN or something and you’re logged in no problem. Now you go to log on to the DVLA, you get a message on your phone, you punch in the same PIN and you’re logged in no problem. Consumers will therefore have access to a highly functional infrastructure without having to understand keys, certificates or anything else.
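As an added illustration (my own sketch, not code from this post, from NSTIC or from any operator), here is a minimal model of the two links described above: a secure element that only signs after the holder’s PIN, an operator platform holding the certificate that binds a digital identity to its public key, and two relying parties that each map their own username to that one digital identity without ever seeing the key or the PIN. The toy RSA parameters, the class names and the three-strike PIN lock are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Toy RSA on two Mersenne primes stands in for the key pair in the chip (constructed, not secure).
P, Q, E = (1 << 31) - 1, (1 << 61) - 1, 65537
N, PHI = P * Q, (P - 1) * (Q - 1)

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

class SecureElement:
    """Chip in the phone or card: holds the private key, signs only after the holder's PIN."""
    def __init__(self, pin: str):
        self._d = pow(E, -1, PHI)                 # private exponent never leaves this object
        self._pin = hashlib.sha256(pin.encode()).digest()
        self.public_key = (N, E)
        self.failed = 0
    def sign(self, pin: str, challenge: bytes):
        if self.failed >= 3:                      # locked after three wrong PINs (assumed policy)
            return None
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin):
            self.failed += 1
            return None
        self.failed = 0
        return pow(digest_int(challenge), self._d, N)

class IdentityPlatform:
    """Operator platform: the certificate registry binding a digital identity to its public key."""
    def __init__(self):
        self.certs = {}
    def enrol(self, identity_id: str, se: SecureElement):
        self.certs[identity_id] = se.public_key
    def verify(self, identity_id: str, challenge: bytes, sig: int) -> bool:
        n, e = self.certs[identity_id]
        return pow(sig, e, n) == digest_int(challenge)

class RelyingParty:
    """Bank, DVLA or newspaper: maps its own virtual identity (username) to a digital identity."""
    def __init__(self, name: str, platform: IdentityPlatform):
        self.name, self.platform, self.accounts = name, platform, {}
    def register(self, username: str, identity_id: str):
        self.accounts[username] = identity_id
    def challenge(self) -> bytes:
        # Bound to this relying party, so a signature made for the bank is useless at the DVLA.
        return self.name.encode() + b"|" + secrets.token_bytes(16)
    def login(self, username: str, challenge: bytes, sig) -> bool:
        if sig is None or not challenge.startswith(self.name.encode() + b"|"):
            return False
        return self.platform.verify(self.accounts[username], challenge, sig)
```

The same PIN unlocks the same chip for every relying party, yet each one checks only a signature over its own challenge against the platform’s certificate.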
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.