Enhancing data security and privacy – this should be an MNO business

[Dave Birch] I’ve been living the hell that is our identity infrastructure in 2013 because my eldest son just started university, and this means dealing with student finance. He is applying for student loans, so he had to create an account with the Student Loan Company, which means that I had to create a parent account which also meant that I had to create a parent account for my wife. I created these accounts and then filled out the financial information that they asked for (last year’s P11Ds and P60s which they could have got from HMRC), then they needed something else. So…

1. Go to student finance web site at DirectGov.
2. It asks me for an e-mail address and password, neither of which I can remember.
3. I click on “forgotten password” (which is where they should probably take you in the first place) and they e-mail me a password reset.
4. I reset the password, but the system tells “your new password can’t be the same as the old password”! Doh! So that’s what my password was!
5. I choose another password.
6. Hurrah! I can log in.
7. It asks me for the 2nd, 4th and 6th letters of the street I lived on when I was ten years old.
8. I wasn’t sure what I’d answered for this question, but luckily I got it right.

This is what should have happened…

1. Go to student finance web site at DirectGov.
2. Choose my bank as my identity provider.
3. Open my bank app on my mobile phone and enter my PIN (or put my finger on the home button fingerprint scanner).
4. Continue with student finance web, now correctly recognised.

Meanwhile, my son filled out the online stuff (remember, all of this is completely and utterly pointless since my wife and I are above the income threshold so we cannot obtain any financial support) and then discovered that he had to provide proof of identity. I assumed, this being 2013, that he would be able to log in to student finance using his bank card (since his bank has already KYC, AML and ATF’d him) or select one of the UK’s approved identity providers — say the Post Office, for example — and log in using one of them. Of course not. Much as our Victorian forefathers might have done, he was required to obtain a declaration of his identity from an upstanding member of the community (thanks Gloria!) and go down to a Post Office and send it, along with his original birth certificate, off to Doncaster. I imagine he’ll never see it again, but I paid for secure overnight delivery anyway. That was six quid. Six quid that I might, in an advanced economy, have spent on registering for an ID linked to, for example, his smartphone SIM.

It may be two years, it may be ten, but soon enough the identity credential will look very much like Facebook, YouTube, or Amazon: It will be an app or functionality embedded within an app on your smart mobile device.

[From DigitalIDNews | On the path to a ‘virtual’ identity credential]

This is the sort of thing that I will be pestering the delegates about, I imagine, at Digital Disruption 2013 tomorrow and Thursay, because I really think that the mobile operators should be developing a more strategic approach to identity and building an understanding of where their corporate strategies will take them in this area. I’m chairing the track on Enhancing Data Security and Privacy and I’m really looking forward to hearing the latest thinking in this critical area of business.

P.S. We received some more forms for him to sign a couple of days ago. Physical forms. In the post. That we have to send to him so that he can manually sign them and then post them back to the SLC. I swear that twenty years ago I never imagined that we would still be doing this in 2013.

These are personal opinions and should not be misunderstood as representing the opinions of 
Consult Hyperion or any of its clients or suppliers