I see your 3DS and raise you 4DS

Facebook has filed for a trademark on the usage of “Facebook” on business cards and, more curiously, “non-magnetically encoded” ID cards among other things.

[From Are Facebook ID Cards In Our Future? | TechCrunch]

I’m not particularly interested in the trademark issue, but I pointed this story out to a couple of people in a discussion because I think it illustrates that there are some companies, Facebook among them, who are developing strong long-term strategies around digital identity. Another is PayPal, who made the “Commerce Identity” a centrepiece of their annual innovation event in San Francisco this year.

EBay today launched PayPal Access, a new identity authentication and log-in technology [that] enables consumers to not only quickly log-in to any website–as they could with Facebook, Twitter or other authentication services–but it makes paying through websites quicker and faster.

[From EBay’s PayPal Access Brings Identity—And Payments—Across The Web – Forbes]

Now, if you look under the hood of PayPal Access, you will find that it uses sector-wide standards and not banking or payment standards.

PayPal Access provides a way for users to log into your web site using interfaces based on the OpenID 2.0 protoco

[From Standard OpenID Integration for PayPal Access | X.commerce]

As I’ve said in the past, numerous times, OpenID seems to me to be a reasonable place to begin developing digital identity services and experimenting with digital identity business models. I’ve gone on and on about this over the years.

What with OpenID appearing to gain momentum as a simple, distributed, good-enough single sign-on for the Internet..

[From Digital Identity: Opening up]

I have discussed the idea of using OpenID with a number of clients, not only in the financial services sector, but I think they thought it was too “techie”, or maybe the marketing and business guys just genuinely didn’t see “identity” as a bank business. But I have to say that in all honesty I was disappointed, because I thought that a couple of years ago it was a good place to begin experimenting and learning. I’m not arguing the OpenID is perfect.

current OpenID implementation practice is to use non-correlatable identifiers as the URLs that I envisioned for LID, in order to get CardSpace-like privacy features. But then, the first piece of information that is typically pushed to sites, Sxip-style, is the user’s e-mail address — a perfectly correlatable identifier if there ever was one. The identity push features in OpenID 2, from their roots in Sxip, are unused beyond a few like name and e-mail address; instead, any meaningful data exchange is performed using OAuth, an (incompatible) branch-off

[From Johannes Ernst’s Blog » The Death Of User-Centric Identity — for now]

This is absolutely valid and correct criticism. But… first of all, I don’t have a single OpenID, I have three. There’s id.dgwbirch.com which I use for professional stuff, id.davebirch.org which I use for personal stuff and then a third that I use for 95% of my online interaction, a pseudonym unconnected to the other two. From my point of view, this works fine. It’s frustrating when I try to log in somewhere and they don’t implement OpenID. Perfectly correlatable? No.

But let’s stop trying to iterate to a theoretically perfect solution. It’s better to start somewhere, otherwise we’ll find ourselves sitting around in dreary committees discussing the requirements for identity infrastructure endlessly while that actual identity infrastructure is being defined and built south of San Francisco. It’s there, and not in the boardrooms of banks, that identity is seen as a strategic component of future products and services.

So I agree with Eric that Google+ is in part an identity service. But “primarily an identity service?” That’s notable. Particularly in the context of what he said after that. “if they’re going to build future products that leverage that information.”

[From A VC: Google+ Is An Identity Service]

Meanwhile, my bank is doing… well, nothing so far as I can tell. Which is odd, because my bank has already put me though stringent know-your-customer procedures. And banks remain trusted. And they’ve spent money giving me a high-security tamper-resistant industry-standard security device, namely a chip and PIN card. There really ought to be some way to reuse this excellent functionality.

Why can’t the company I work for accept identity assertions or information based on an identity service that has already vetted my existence to an adequate assurance level?

[From Burton Group Identity Blog: BYOI – bring your own identity]

If I could use my home banking dongle as part of a 2FA login to, well, let’s call it “Bank Access”, then surely I ought to be able use that digital identity in the framework of the Cabinet Office’s Identity Assurance infrastructure to log in to DVLA, DWP, British Gas and the World of Warcraft if I want to. I oughtn’t to be that hard for the banks to get together (perhaps under the auspices of the The UK Payments Administration) to define the minimum dataset for OpenID sharing (maybe name, address, email and some kind of unique customer id or whatever) and a pilot into place so that people can log into any UK bank—on PC or mobile—using any UK bank identity.

I wish Google had sold this to all the banks I cared about rather than just implementing it on its own properties.

[From Piaw’s Blog: Review: Google’s Two Factor Authentication]

I made a few remarks in this direction in my talk at Business and Operational Excellence in Payments in London recently. Ms. Ineke Bussemaker, the Executive VP and Head of Payments Services and Savings at Rabobank kindly referred to my comments and said that I was pointing towards a rethink of 3D-Secure (3DS). This isn’t true: I don’t think it makes sense to get rid of 3DS given the infrastructure is in place (and, despite the moaning, working). But I do think it makes sense to think of a framework around 3DS, something that I called 4D-Secure a couple of years ago.

A direction that might be explored is what you might call “4D-Secure”, or 4DS: instead of using bank authentication to log in to something, use bank authentication to log in to an OpenID provider and then use OpenID to log in to things. This has the advantage that service providers site could implement open source standard OpenID solutions rather than interface with 3D Secure.

[From Digital Identity: 4D Secure]

In 3DS the three domains are the customer, the merchant and the bank. If 3DS is used to authenticate into a wider framework (such as OpenID) then this opens up the fourth domain, which is everyone else who is happy to rely on (and potentially pay for) bank strong identification and authentication services. I think it might be time to dust this off and offer it to financial institutions who, seeing what Facebook, Google and PayPal are doing—are beginning to think that some sort of digital identity and strong authentication strategy might be appropriate to their businesses. After all, I’m sure they don’t want to end up having to pay Facebook every time someone logs in to their credit card provider using Facebook Connect, and having no choice but to provide that service because customers simply won’t bother to log into anything that doesn’t offer Facebook Connect (or PayPal Access, for that matter).

As an aside, while thinking about Facebook Connect, there’s another factor to consider: information. My wife is looking for a new mobile phone, and she likes Sony Ericsson. So I went to their web site this morning to find out about the range of phones. When I went to log in, naturally I saw

So Facebook now know that I’m visiting Sony Ericsson, from which they might reasonable deduce I’m in the market for a new phone. In the world of advertising I imagine this is be valuable information. Not only could my bank deliver validated attributes to Sony Ericsson (e.g., this person is over 18 and resident in the United Kingdom and has a bank account) but I might be tempted to trust them to curate the data responsibly, so that the benefits are at least shared with me instead of being captured by more far-sighted organisations with an identity strategy and effective identity tactics.

These are personal opinions and should not be misunderstood as representing the opinions of 
Consult Hyperion or any of its clients or suppliers