Consumer identity @ Tuesday Update on 1 December 2009


Most of the slides with almost all of the 'real content' are in English, but some of the first ones are in Dutch (they set the scene).

Published in: Technology
  • Speaker note: the Belastingdienst (Tax Administration) accounts for by far the most transactions (10 mln)

    1. Consumer identity: essence, issues and next steps
       Maarten Wegdam
       Tuesday Update @ Spaces
       1 December 2009
    2. Who am I? My LinkedIn identity
    3. Identity and crime
    4. Identity and Big Brother
    5. Identity and law enforcement
    6. Identity is annoying & expensive
       • Annoying for the user: many usernames/passwords, many tokens; forgotten passwords; registering again every time
       • Expensive for the service provider: expensive helpdesk; expensive tokens; expensive identity binding process; lower conversion; fraud
       • "I counted 101 accounts!!"
    7. Identity and, fortunately, also opportunities
       [JanRain, July 2009] [Burton Group, Oct 2009]
    8. Identity is, technically speaking, a set of attributes
       • Name, BSN, address etc.
       • Rich profile information
       • Social network
       • For personalization & security
    9. Identity has contradicting requirements: security, privacy, usability
       • "Gartner Says Consumers Are Unwilling to Sacrifice Convenience for Security, Despite Widespread Online Fraud"
       • "Two-Thirds of U.S. Consumers Surveyed Use the Same One or Two Passwords for All Web Sites"
       • EuroStat: One person in eight in the EU27 avoids e-shopping because of security concerns (Feb 2008)
    10. Identity is also a technology & standards issue
       • Mostly mature but evolving technology
       • E.g. phishing: is the user or the technology stupid?
       • Competing, evolving but converging standards
    11. This presentation (agenda)
    12. Approach: federative model
       [diagram: user, relying party, identity provider (IdP)]
       • Promise: easier, cheaper and better
       • Users: easier. Only a few authentication means, no need to provide information again and again
       • Relying party: cheaper & better. Higher conversion, richer profile, lower costs (helpdesk, tokens), enables social web
    13. Major federations in NL for citizens & students
       • DigiD – e-government: for everyone with a BSN, 7 mln users; "Nee, tenzij" ("No, unless"): e-government, health, pension; 1 IdP, ~400 relying parties (2008); 17 mln transactions, avg ~2.5 per user/year (very little!); next: STORK project to federate across the EU
       • SURFfederatie – higher education: >40 IdPs, 15 relying parties; 400k students, 50k employees, ~2000-2500 logins/day; using username/password of the institute
       • Also: Kennisnet Entree for non-higher education
    14. Key issue: business model
       • Business case is hard
       • Failures seem to outnumber successes. Example: MS Passport. Mostly: lack of relying parties
       • Challenges: business model & market entry (chicken-egg)
    15. Key issue – business model. Example: Swedish BankID
       • Issued by 10 banks, since 2003
       • 2 mln users, out of 6.5 mln adults
       • 75% market share (competition: another bank and Telia)
       • 170 service providers
       • 5 mln usages per month, thus on average 2.5x per user
       • Financial (~51%), government (~41%) & private (~7%)
       • Authentication: 1.7 mln soft certificates (file), 400k smartcards
       • Different views on success or not
       [National eID & ePassport Conference, Oct 2009, Lisbon &]
    16. Key issue – business model. (No) governance?
       • Goal: a healthy ecosystem!
       • Decreasing regulation: 1. government issued (Belgium eID, DigiD); 2. government regulated (PKIoverheid, eHerkenning); 3. market scheme ( ); 4. free market – only a technical standard (OpenID)
       • Note: models 1 to 3 require some form of monopoly/regulator
    17. Key issue – business model. Market entry
       • Too much uncertainty on business model & business case
       • Approach: jointly create a market + share investments; relying parties and identity providers; with users in mind!!!
       • Alternative: paid by government …
       • Broad support still needed!!
    18. Dutch Consumer Identity initiatives
       • Consumer Identity for the (initial) financial sector: high-security; initiative by Novay & DigiNotar; several large financial companies indicated they'll join; status: finalizing consortium building, plan to start January 2010
       • Low security, but with verified attributes: initiative by ECP-EPN; Novay positioned to provide project lead (PoC); OpenID-based; status: about to start limited technical testing, extending consortium
    19. Key issue: Privacy!!
       • Efficient identity solution -> Big Brother?
       • Principles are more or less clear: privacy-by-design, minimal disclosure, pseudonyms, revocable privacy, 7 laws of identity etc.
       • Trade-off between privacy & functionality will remain!
       • User controlled privacy: empower users to personalize what information they share!!!
    20. This presentation (agenda)
    21. Next step: user centric identity
       [diagram: IdPs, relying parties; trust, privacy, authentication]
       • Empower the user to control his/her identity!
    22. Next step – user centric identity. Why & how
       • Why: legal, ethical, user acceptance
       • Personalized privacy: one size does not fit all
       • Privacy attitude surveys: fundamentalist (25%), concerned (50%), unconcerned (25%)
       • How: insight & control
    23. Next step – user centric identity. Beyond consent
       • Informed consent: users need to understand! Contrary to: discouraging, blaming or scaring them
       • Users need to be reassured about what happens with their data, but no proper solutions yet …
    24. Next step: mobile centric identity
       [diagram: IdPs, relying parties; trust, privacy, authentication]
       • User centric implies mobile centric: mobile is the most personal device a user has; users always have their mobile with them
    25. [image only]
    26. Next step – mobile centric identity. Authentication means
       • "something you have" (& "something you know")
       • Leverage SIM card as secure/trusted hardware. Note: owned by the operator
       • SMS one-time password
       • OTP generator application (e.g. VeriSign iPhone)
       • OTP generator application on SIM card
       • GAA/GBA (3GPP)
       • Mobile (Wireless) PKI (on SIM card)
    27. Five take-aways on consumer identity
       • Everyone benefits from a federated model
       • Business model and privacy are the key issues!
       • Achieve market entry through joint effort, and select the right type of governance
       • User centric identity is here to stay
       • Mobile centric identity is the future
    28. Comments, opinions, questions?
       blog:
    29. Backup
    30. Sectors and examples in NL
       [matrix: C2G, C2B, intra-organization, B2G, B2B; examples: Digitaal Paspoort (Sivi), eHerkenning]
    31. Comparison [inspired by Venn of Identity by Eve Maler]
       [Venn diagram of SAML, OpenID and InfoCard; labels: closed trust model; simplicity and scalability over security; client-less; "old" and much used; "new" and hype; enables user centric identity; IdP discovery features; integrates with web services; anti-phishing & IdP-RP unlinkability; client centered; "very new" and promising]
    32. Next step – mobile centric identity. Identity for mobile applications
       • User pain is bigger on mobiles: user input of username etc. is much harder
       • Support lacking but improving
       • User interface challenge
       • Diversity challenge
       • Browsers lack extensibility features
       • No readers (yet …)
       • Synchronization with 'fixed' identity is an issue
    33. Next step – mobile centric identity. Control your identity from your mobile
       [screenshot: https://webmail.infocard.demo]
       • Mobile as a trusted and personal 'control center', including your 'fixed' identity
       • Ongoing research …
    34. Privacy attitude
       [chart: fundamentalist, concerned, unconcerned]