But four megatrends are ripping that reality apart – cloud, social, mobile and big data. The world looks very different today than it did even five years ago. [From 4 Megatrends That Will Transform Online Identity – Forbes]
I had these trends at the back of my mind yesterday when I had the honour to chair the GSMA’s session on “Mobile Identity: Opportunities and Challenges for Service Providers” at the Mobile World Congress in Barcelona. I had the great good fortune to have a first-class set of speakers, each putting forward a different perspective:
- Harm Arendshorst who is Head of ID Services, EMEA from Verizon Business Services.
- Sabine Mcintosh, Director, Managed Identity Business in EMEA for Global Transaction Services.
- Doug Daberius from NokiaSiemensNetworks.
- Patrick Fischer, who I mentioned in a previous post when he was at Deutsche Telekom.
- Daniel Gurrola from Orange.
The discussion that followed, driven by questions tweeted in to me live during the session, was pretty wide-ranging. A couple of points stood out and I wanted to flag them up before I move on to my main point.
First, and I will come back to this on the blog, was the issue of security. Once again, the first set of questions that I saw pop up on my iPad were about mobile devices being lost or stolen. The panel agreed with me that actually this should be a strength for the mobile proposition, not a weakness, but the proposition needs to be refined and communicated with this in mind. Secondly, there was a fascinating discussion about M2M security (or, more properly, lack thereof) which I think has important implications for the development of the sector. And finally, Sabine made some points about the distribution of liabilities which, while they might be familiar to people who spend their lives in the identity space, are new to mobile stakeholders and deserve amplification and investigation.
The main point that I was left thinking about, though, came from Daniel Gurrola. This is a telecoms-centric event, so Daniel’s warning to his fellow operators that they risked giving the identity opportunity away to the “over-the-top” (OTT) players went to the heart of their strategic concerns in this area. The risk, essentially, is that OTTs such as Facebook will become the consumer’s preferred means of identifying and authenticating themselves for mobile services and bypass the operators.
There was a presentation by Denis Joannides from “Innovation District” on the use of these social networking identities at Identity.Next in The Hague. They showed a slide from Gartner which predicted that within a decade we would be using our social network identities for corporate, consumer and government log in. Can this really be true? The audience in The Hague seemed sceptical but the strategic implications ought to form part of the discussion in any organisation planning for the medium term. In its December 2012 research briefing “Where Social Networks, Payments and Banking Intersect”, the Federal Reserve Bank of Kansas City’s Payment System Research Department rightly cautions that “just as social networks create opportunities for commerce, they may also unintentionally introduce risks such as breaches of privacy, fraud and even money laundering”.
Denis was talking about the “Gini” platform, which takes the mechanisms of social networking identities (OpenIDConnect, OAuth and multiple identities) and wraps them with some other stuff to turn them into “trusted” (put to one side what that means for a moment) identities that can be useful to financial services organisations. The system went live last September for the Aegon life insurance company in the Netherlands.
While the security guys in the audience didn’t think much of PIN codes and mailing activation codes in the post and such like (and I’m not sure about these either), I understand exactly the point that Innovation District and Aegon were making: if you add some strength to the social networking identity, then it could well become a trusted identity in some way. But is this wise?
As people tie their social networking identities more closely with their in-real-life personas, the idea of cross-referencing social identity data to authenticate users on the Web and in the enterprise continues to gain steam. The Secretary of State in Washington offered a prime example of this drive earlier this month by unveiling a new voter registration Facebook app developed by Microsoft that cross-references Facebook identity data with state information to confirm potential voters are who they claim to be before entering them in the voter rolls. [From Security Snags Loom Over Social Login – Dark Reading]
I’m uncomfortable with this. Even if you completely trust Facebook and LinkedIn and Google and Twitter do you really want them to know everything you are logging in to? Surely we need to use the same underlying mechanisms as them but use them to deliver a different kind of identity. These mechanisms already exist — we don’t need mobile operators to invent them — but they haven’t become pervasive yet. Perhaps the role of the operators is to implement this stuff in a better (ie, both more convenient and more secure) way.
It is already four years ago that Google announced that all Googlers could use their account as OpenID to login to (an)other website(s). Supported by major providers such as Facebook, Google, Microsoft and PayPal, OpenID was intended to become the worldwide standard to set the consumer free from his or her massive number of passwords. Now, in 2012, all consumers are still using many different passwords on different website(s). [From How is your OpenID doing? | Papierloos informatie over digitale identiteit elektronische handtekening en betrouwbare uitwisseling]
I’d really like to have a handful of identities — perhaps my personal (ie, Passport) identity, my work identity, my family identity and my play identity — that I could use to log in everywhere. If web sites want to track my play identity around different games, then fine. I don’t care, so long as they cannot connect that play identity to my personal identity except with my explicit permission. My mobile phone is the obvious mechanism for me to manage those identities, authentications and permissions. If the operators don’t enable this, other people will. There may be some challenges, but I’d prefer the mobile operators to focus on the opportunities and get moving: there are many stakeholders who could benefit from
Fighting technology with technology seems most promising—by replacing ID cards with phones. [From Fake ID cards: Identity crisis | The Economist]
One final point about mobile. Long ago, we said that the disruption in mobile payment would come because of the acquire side, because cashlessness is about universal terminals. Similarly, the disruption on the mobile identity side will come about because mobile phones can check identities, so let’s not forget about that side of the mobile operator business model.
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.
We are a rare and mocked set of folks but I also see how mobile significantly disrupts much of the current identity thinking. Today if you look at the BlackBerry Z10 you will see on-device social identity in the contacts app, where your online profile and that of your contacts is assembled automatically from many sources. There is a contact record created for yourself that can be used as your mobile public profile to on-device apps. This is all done when you set up various service specific accounts (identities) on the device. An important distinction is this is done on-device and driven by the user. Add to this an ability to securely tokenize device issued claims, provide APIs to apps and the mobile becomes an IDP integrated into the mobile app eco-system. There is significant on-device telemetry to offer all the opportunities for machine learning algorithms for recommendations, behavioural security, tastes and interests etc.
IMO the disruption is the fact that identity is not a platform like it was in the cold war era, it's an integrated user concept in today’s mobile apps and services. The mobile phones are perfectly capable of performing the functions of identity platforms and avoid the honeypot of a single system that knows everything about everyone. When passwords are replaced by behavioural security we will stop talking about accounts, attributes, authZ tokens etc. I think trusted Agents (processes) will replace the concept of credential and token at some point because identity and policy will be algorithmic in nature.
Today we do this without servers, because we simply do not need them. This puts identities in control of the end user on devices they control. Seems to me this is the best path forward for personal security and privacy control, putting control back in the hands of the user in a way that can be understood.
Seems like a plug, my apologies, but there is nothing unique to any brand about what can be done by those that respect personal security and privacy. I just happen to know there exists at least one implementation…
Technical Director, BlackBerry Identity