The real battle between MCX and Apple, between banks and Google, between retailers and telcos is not about your handset, your SIM (soft or otherwise) or your payments. It’s about your identity.
As has been remarked more than once, and in many contexts, if your wallet gets stolen then it’s your driving licence, social security card and Portuguese fishing licence that are the problem, not your money. Remember your Shakespeare! “He who steals my purse steals trash” (Othello: Act 3, Scene 3). It’s your identity that is the valuable thing in your wallet, the thing you should leave locked up in the hotel room safe instead of being forced to carry it around with you in case you want to buy something – as I am required to do in the US, where you often still have to sign your name when you use a payment card in a shop.
If I’m right, then my identity should only be entrusted to organisations who understand security and privacy and, most importantly, actually know who I am.
Britain’s high street banks believe their future role will be as repositories of more than just money: they want to be the safe place where customers store their digital identities. [From Banks want to keep your digital ID in their vaults – FT.com]
It’s natural to think of banks in this role and, despite the fact that I can’t use my bank identity to log in to anything other than my bank at the moment, reasonable to imagine that their plans for forming a trusted identity layer to underpin the new economy are well advanced.
Banks are well positioned as is explained in a recent white paper (link) of the European Banking Association (EBA). [From Digital Identity: how banks can position themselves in their customer’s online lives | Innopay]
It is also natural for people (e.g., journalists) to see the identity issue in terms of payments, because payments are where we most urgently need a solution. The myriad data breaches mean that efforts are focused on online purchases and the use of the decades-old PAN-centric card infrastructure in an environment it was never designed for.
Some suggest that digital identity verification by banks could ultimately end the need to type in a credit-card number on an ecommerce website [From Banks want to keep your digital ID in their vaults – FT.com]
The FT are right. Identity could be a huge play for banks. Mind you, some others (uncharitable persons, of which I am not one) also suggest that banks will pratt about and muck this all up and hand digital identity verification to Apple, Facebook, Google, Amazon and Microsoft on a plate. Many years ago, I thought this wouldn’t happen because I thought that the banks would come to some arrangement with the mobile operators since (at the time) the mobile operators were the only providers of tamper-resistant hardware with a communications link: the SIM.
The Norwegian implementation follows my favourite SimID model: the service providers use virtual IDs (public key certificates), the mobile operator provides the digital identity (the key pair) and the bank binds the digital identity to the real person. [From Norwegians would – Tomorrow’s Transactions]
I rather liked the model that this suggested. Go to log on somewhere and have a message pop up on my phone, enter a local passcode on the phone, find myself logged in on the web. I was a strong advocate of a pseudonymous option around this, so that service providers would know that you have been authenticated, but not who you were (the bank could provide a unique and cryptographically-unlinkable token to each service provider).
Now that my bank has an app on my mobile phone, you might imagine that they could perform this role (for a small fee) not only for payments but for more general cases. For example, suppose I need to log on to a gambling web site and prove that I am over 18? That’s exactly where this sort of bank recognition could work. I give the gambling web site my mobile phone number, they send it to a [currently nonexistent] bank directory service and moments later my mobile banking app pops up on my phone and asks me to log in.
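To make the pseudonymous token and the over-18 check described above concrete, here is an added sketch (not code from this post or from any bank) of a bank issuing a per-service-provider pseudonym with a single age claim. The keys, customer record, provider names and function names are all constructed for illustration, and a per-provider HMAC key stands in for the public-key signature a real scheme would use.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed demo values; a real bank would hold these keys in an HSM.
BANK_PSEUDONYM_KEY = b"demo-pseudonym-key-not-for-production"
SP_MAC_KEYS = {  # assumption: one MAC key shared with each service provider
    "gambling.example": b"demo-key-gambling",
    "wine-shop.example": b"demo-key-wine",
}
CUSTOMERS = {"+15550100": {"customer_id": "cust-0001", "dob": date(1990, 5, 17)}}


def pairwise_pseudonym(customer_id: str, sp_id: str) -> str:
    """Stable per (customer, SP); unlinkable across SPs without the bank's key."""
    msg = sp_id.encode() + b"\x00" + customer_id.encode()
    return hmac.new(BANK_PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()


def is_over_18(dob: date, today: date) -> bool:
    years = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return years >= 18


def issue_assertion(phone: str, sp_id: str, nonce: str, today: date) -> dict:
    """Bank side: called after the customer has logged in to the banking app."""
    cust = CUSTOMERS[phone]
    claims = {
        "aud": sp_id,  # binds the assertion to one service provider
        "sub": pairwise_pseudonym(cust["customer_id"], sp_id),
        "over_18": is_over_18(cust["dob"], today),  # the answer, not the birth date
        "nonce": nonce,  # chosen by the SP so an old assertion cannot be replayed
    }
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SP_MAC_KEYS[sp_id], body, hashlib.sha256).hexdigest()
    return {"claims": claims, "tag": tag}


def verify_assertion(assertion: dict, sp_id: str, nonce: str) -> bool:
    """Service-provider side: check integrity, audience and freshness."""
    claims = assertion["claims"]
    body = json.dumps(claims, sort_keys=True).encode()
    expected = hmac.new(SP_MAC_KEYS[sp_id], body, hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, assertion["tag"])
            and claims["aud"] == sp_id and claims["nonce"] == nonce)
```

In the flow as described, the service provider still sees the phone number, which is itself a handle that links the customer across providers; the pseudonym only delivers unlinkability if that number is used for routing and not retained.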
In recent years, though, we don’t seem to have seen much progress in this field and now that Apple (and, inevitably, Google) have decided to bypass the operator SIM and use their own tamper-resistant hardware in the handset, surely the banks’ potential as key, trusted identity players is under threat. Maybe it’s time for them to take the whole ID thing seriously and start coming up with new ideas. More on this tomorrow.