Now, one of the obvious reasons why mobile operators are well-placed to provide infrastructure in the identity space is that they have the SIM. I’ve written countless times before, going back many years, that the SIM might be a good place to store digital identities. In fact, way back in 2006…
I said a long time ago that “SimID” might be more profitable than Simpay!
[From Digital Identity: Norwegians would]
I still have a presentation on my laptop that was a proposal for an identity play (then known as the “Genie Passport”) for Cellnet two recessions ago, but I can hardly claim to be the only person with that idea. It was common currency more than a decade ago in the days of Wireless PKI and Radicchio.
If the operators provide SIM-based PKI and then rent it out on reasonable terms, banks will be only the first mass market to shift identity and authentication out of the cloud and on to the handsets.
[From Digital Identity: Cloudy with a chance of PKI]
The point was made repeatedly, by multiple speakers, that the operators should work together to create an infrastructure. I agree with this, but I think it is a reasonable point to make that this co-operation needs a shared narrative to animate it. In other words, what’s the story? It’s one thing to say that the SIM should store identity, but quite another to say what exactly this “identity” is, how it will work in prosaic cases and what infrastructure needs to be developed to make all of it possible. But this post isn’t about that narrative.
Last month the GSMA invited me down to Nice for their Mobile Identity meeting. The meeting was held under the Chatham House rule so I’m not going to say who said what, but I will say that it was interesting to see a group of mobile operators from around the world taking the business of identity seriously and looking at launching commercial services. A concrete proposition for a standard “Operator-ID” was put forward by one of the MNOs and I have to say that I thought it was pretty good. The idea is simply to provide a generalised SSO that all service providers can use: your login menu at a web site would be “Facebook/Twitter/Your Mobile Operator”. There were five reasons to provide this service put forward by the protagonists:
- Reach. The operators have a lot of customers, and using OpenIDConnect the operators can deliver this large customer base to service providers in a standardised way. They can then combine this with SIM-based PKI to provide strongly authenticated identities (set aside what the operators mean by “identity” in this instance). Moving from unverified to verified users is a good idea, even if the operator doesn’t know who the “real” identity is, if you see what I mean.
- User insight. This, which I would call reputation, is a crucial dataset for monetising the proposition. Once again, the operator does not need to know who you really are in order to know that you go to Waterloo station every day, or visit Subway every week or travel to France every month.
- Business model. The idea of some kind of freemium service, free for personal use but with paid-for value-added services to business, seems plausible to me. The idea that operators will be able to charge per-login to make a profit is possible, but I wouldn’t bet on it. But suppose banks, for example, said that they would accept OpenIDConnect logins but only from 2FA identity providers that met certain minimums (what we call “qualified digital signatures” in Europe); then they could save the money spent messing about with dongles and switch quickly.
- Seamless bundles. The operators already provide their own services (e.g., Joyn) that could switch immediately to eat their own dog food, as our transatlantic cousins would have it. It’s a pain in the arse right now for me to log in to O2, Orange and 3 with different usernames and different passwords. If Orange gave me an OpenIDConnect service through my iPad, I’d use it to log on to O2, Virgin and 3 as well and not have to keep going through the “forgot your password?” loop.
- Processes. Many of the practicalities of mass-market identity mean that the scale processes of operators deliver a competitive advantage. The proposal for a cross-operator discovery layer, for example, solves the problem of having to know which operator a particular number corresponds to.
I liked this presentation a lot, partly because I knew that it would support some of the conclusions of my subsequent presentation but mainly because it covered some details that I hadn’t really been thinking about: the integration with operators’ processes and back-end systems. The key point of the proposal — using OpenIDConnect — was music to my ears. Here’s what I wrote a couple of years ago:
Nevertheless technology is an important part of the equation, and we need to pay attention to the emerging technologies, because it will take some real effort by a coordinated industry grouping in order to get worthwhile (i.e., involving tamper-resistant hardware) authentication deployed and this will need to be linked to a framework (such as the new OpenID Connect) that can easily be adopted by web sites, mobile services and across other channels.
[From Digital Identity: Identity is the new money]
I don’t understand why MNOs don’t provide this service already: I’ve lost count of the presentations I’ve made to different groups in different operators on the topic. It seems as if each of the operators that I deal with as a customer has spent money on their own SSO and this doesn’t seem particularly cost-effective to me. If they don’t get together on this, then eventually some form of handset trusted execution environment (TEE) will become the home of the mobile PKI and they will be bypassed. Why not try and make something of the SIM or the SIM-based secure element (SE) while they still can?
So, we all agree, it’s a good idea. Why now? Well, one driver that was discussed in Nice was Europe. As you may know, the EU has put out a proposed Regulation COM(2012) 238 (final, 4th June 2012) on electronic identification and trust services which will call for, amongst other things, interoperability between certain kinds of electronic identity. They are thinking primarily about access to public services, banking and the like. Right now there are 13m EU citizens working outside their home country and the cross-border use of electronic identities would make life much easier. The idea is that member states will “notify” the European Commission of identity services for access to public services and then all member states will have to allow access to public services by “notified” providers. (Note that as part of this, the notified providers must provide free authentication services.)
As far as I understand it, suitable identities will be ones that can form “qualified” digital signatures. There are around 100 CAs in the EU offering such qualified digital signatures but they tend to be rooted in national systems so even where there is cross-border interoperability at the technical level, there is none at the application layer. This is an old and well-known problem, and there has been some progress exploring ways to make it work, yet the current situation shows little sign of change. However, given the EU’s desire to see change, it may be that the MNOs have a particular window to provide infrastructure for notified providers and make it easy for those providers to offer interoperability through that infrastructure at little cost to themselves. And the MNOs, like the EU, want to see a Europe-wide solution so there is an alignment of interests there.
There was one particularly interesting discussion during the GSMA’s morning session covering the “problem” of multiple SIMs and multiple devices. For example: in my house I have a phone with an O2 SIM, an iPad with an Orange SIM and a dongle with a 3 SIM. There are multiple-SIM phones. So how would mobile ID work in this environment? In my mental model this isn’t a problem, because I assume that the digital identities in each SIM will be bound to the same real identity, and because I separate the binding of the digital identities to the “real” identities from the binding of the digital identities to the virtual identities used online. And I should be able to link any or all of these virtual identities to the services I want to access online.
The bottom line is that, to my mind, the technologies to do something about identity in the mobile space not only exist but are well understood. The idea of using PKI with SIM-based key pairs has been around for many years and the Mobile Signature Service Platform (MSSP) is already standardised (ETSI TS 102 203 and 102 204) and companies such as Valimo provide off-the-shelf products. The Open Mobile API (a mandatory part of the GSMA NFC handset requirements) provides a route forward for storing and manipulating digital identities that can be used in physical as well as virtual interactions. The services provided using these standards are probably not rich enough and I suspect that they will need another layer on top so that they can fit inside the industry frameworks that are being developed right now (NSTIC, IDA and such like).
The best way to do this is to engage with the rest of the digital identity community that tries to solve these problems globally, and add the MNO assets, the mobile device and the SIM to it, and not to treat it as a stand-alone service.
[From What about mobile ID | It’s all about ID]
Assaf Bielski is surely right about this. Perhaps, as I’ve suggested in the context of Project Oscar and ISIS, a place to focus might be digital identity services for wallets. Everyone loves wallets and everyone and his brother is developing one at the moment. Why not provide an identity API for wallet developers to use so that customers can have a shared and stable identity and authentication process across handsets and operators? The GSMA could co-ordinate industry requirements here and develop a narrative vision that might make it easier for the MNOs to develop an API in a reasonable (i.e., months rather than years) time. This would be a genuine win-win: a value-added service from the operators that keeps them in the loop and a significant cost-saving to banks, retailers and others.
A final observation: I think I did detect a sense of urgency that I hadn’t seen before. The operators (correctly) think that if they don’t do something about identity quickly, then the FAGs (Facebook–Apple–Google and other scary OTT providers) will shift to 2FA (using TEE or whatever) and bypass the operators completely.
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.
The eID part of the regulation only covers IDs issued by or on behalf of states (art 6). The definition of ‘public’ service is probably one provided BY public servants, not FOR the public.
[Dave Birch] In the NSTIC/IDA model, though, the IDs issued on behalf of states may come from private sector providers?