User & Mobile Centric Identity

Presentation for the National eID & ePassport Conference, 22-23 October 2009, Lisbon

Notes for slides
  • relying party is also called service provider
  • Generic Bootstrapping Architecture (GBA) or Generic Authentication Architecture (GAA)
  • Transcript

    • 1. The trend towards user and mobile centric identity Maarten Wegdam Novay (formerly Telematica Instituut) National eID & ePassport Conference 22 October 2009
    • 2. Who am I?
      • Maarten Wegdam
        • Senior researcher @ Novay ( www.novay.nl/en )
        • Coordinator of identity, privacy & trust
        • MSc, PhD in Computer Science
      • Novay - formerly Telematica Instituut
        • independent ICT research institute in the Netherlands
        • multi-disciplinary, ~100 people
        • innovative projects for companies & government
    • 3. Identity (federation) – the basics
      • Identity = set of attributes
        • id number, name, address, etc.
      • Requires trust between all three parties!!!
      [Diagram: the user authenticates with the identity provider (IdP), e.g. with an eID, and uses the relying party's service; the relying party relies on the IdP for the user's identity]
    • 4. User centric identity: the idea
      • User brings his or her identity
      • Reasons: legal, ethical, user acceptance
      • For e-government, and certainly for private sector
      • Personalized privacy
        • privacy attitude: fundamentalist, concerned, unconcerned
        • depends on: trust, privacy sensitivity & goal
      [Diagram: IdPs, relying parties, authentication, trust, privacy] Empower the user to control his/her identity!
    • 5. User centric identity – how?
      • Give users insight
        • what is shared, with whom
      • Give users control
        • consent, per attribute
      • Decoupling Identity Provider and Relying Party
    • 6. User centricity is difficult: many trade-offs
      • How much control
      • Don’t bother the user too much
      • ‘Easy’
      • Accommodate for different types of users
      • Decoupling IdP & Relying Party is difficult
      • Reduce needed trust in Identity Provider
      • No user client
      • Business model
      • Use standards!!! for interoperability
        • identity federation standards (SAML, InfoCard, OpenID)
    • 7. User centric identity: beyond consent
      • Consent is not enough …
      • Informed consent: users need to understand!
        • contrary to: discouraging, blaming or scaring them
        • question is: how much and how to minimize this
        • EDUCATING!!!
      • Users need to be reassured about what happens with their data
        • no proper solutions (yet)
    • 8. Mobile centric identity
      • Mobile as authentication means
      • Identity for mobile applications
      • To control your identity
      • User centric implies mobile centric:
      • Mobile is the most personal device the user has
      • Users always have their mobile with them
      [Diagram: IdPs, relying parties, authentication, trust, privacy]
    • 9. Mobile as authentication means
      • One authentication token!!!
        • “something you have” (& “something you know”)
      • Leverage SIM card as secure/trusted hardware
        • Be aware: owned by operator
      • SMS one-time-password
      • OTP generator application (e.g. VeriSign iPhone)
      • OTP generator application on SIM card
      • GAA/GBA (3GPP)
      • Mobile (Wireless) PKI (on SIM card)
    • 10. Identity for mobile applications
      • User pain is bigger on mobiles
        • user input of username etc. is much harder
      • Support lacking but improving
        • User interface challenge
        • Diversity challenge
        • Browsers lack extensibility features
        • No readers (yet …)
        • Synchronization with ‘fixed’ identity is an issue
    • 11. Control your identity from your mobile
      • Mobile as a trusted and personal ‘control center’
      • Including your ‘fixed’ identity
      • Ongoing research …
      [Screen capture from the demo: https://webmail.infocard.demo 698724]
    • 12. Key take-aways
      • User centricity is ‘must have’ for identity infrastructures
        • personalize the privacy
        • requires users to understand this!
      • User centric implies mobile centric
        • Mobile for authentication is only step one
      More information: [email_address] blog: http://maarten.wegdam.name [Diagram: IdPs, relying parties, authentication, trust, privacy]
    • 13. backup slides
    • 14. User centricity & standards: browser-based (OpenID & SAML)
      • Clientless, ‘redirect based’
      • Variation in amount of control!
    • 15. User centricity & standards: browser-based (OpenID & SAML)
      • Clientless, ‘redirect based’
      • Variation in amount of control!
      • OpenID – hyped for consumer internet, simple, low-security, primarily for user convenience
      • SAML WebSSO – old/mature, higher-security, still often deployed with user control over privacy
    • 16. User centricity & standards: client centric (InfoCard)
      • New OASIS standard, from Microsoft
      • Card user interface model
      • Better IdP-Relying Party decoupling
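The three-party model of slide 3 and the per-attribute consent of slide 5, as an added example that is not part of the presentation: the IdP releases only consented attributes in an assertion addressed to one relying party, the relying party accepts it only if the IdP's signature verifies and the audience matches, and the user gets a log of what was shared with whom. The HMAC over a shared secret stands in for the signature a SAML or InfoCard assertion would carry; `IDP_SECRET`, `USER_ATTRIBUTES`, the function names and the relying-party name `webshop.example` are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed: secret shared between the IdP and the relying party (RP);
# in a real federation the RP would hold the IdP's public key instead.
IDP_SECRET = b"constructed-idp-relying-party-secret"

# Constructed identity record held by the IdP: identity = set of attributes.
USER_ATTRIBUTES = {
    "id_number": "123456789",
    "name": "A. Example",
    "address": "1 Example Street, Lisbon",
    "birthdate": "1970-01-01",
}


def issue_assertion(secret: bytes, attributes: dict, consent: dict, audience: str) -> dict:
    """IdP side: release only the attributes the user consented to for this RP."""
    released = {k: v for k, v in attributes.items() if consent.get(k) is True}
    payload = {"aud": audience, "attrs": released}
    body = json.dumps(payload, sort_keys=True).encode()
    signature = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": signature}


def verify_assertion(secret: bytes, assertion: dict, expected_audience: str):
    """RP side: trust the IdP only through its signature, and only for assertions
    addressed to this RP. Returns the released attributes, or None on rejection."""
    body = json.dumps(assertion["payload"], sort_keys=True).encode()
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None  # tampered, or not issued by the trusted IdP
    if assertion["payload"].get("aud") != expected_audience:
        return None  # issued for another relying party
    return dict(assertion["payload"]["attrs"])


def sharing_log(assertion: dict) -> str:
    """User side (insight): what was shared, with whom."""
    p = assertion["payload"]
    return f"{p['aud']}: {', '.join(sorted(p['attrs'])) or '(nothing)'}"


if __name__ == "__main__":
    consent = {"name": True, "address": False, "id_number": False}
    a = issue_assertion(IDP_SECRET, USER_ATTRIBUTES, consent, "webshop.example")
    print(sharing_log(a))
    print(verify_assertion(IDP_SECRET, a, "webshop.example"))
```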
