6. Identity is an irritant & expensive

Irritating for the user:
- Many usernames/passwords, many tokens
- Forgotten passwords
- Registering again every time

Expensive for the service provider:
- Expensive helpdesk
- Expensive tokens
- Expensive identity binding process
- Lower conversion
- Fraud

I counted 101 accounts!!
9. Identity has contradicting requirements: security, privacy, usability

- Gartner: "Consumers Are Unwilling to Sacrifice Convenience for Security, Despite Widespread Online Fraud"
- Two-thirds of U.S. consumers surveyed use the same one or two passwords for all web sites
- EuroStat: one person in eight in the EU27 avoids e-shopping because of security concerns (Feb 2008)
10. Identity is also a technology & standards issue

- Mostly mature but evolving technology
  E.g. phishing: is the user or the technology stupid?
- Competing, evolving but converging standards
12. Approach: federative model

[Diagram: user, relying party and identity provider (IdP)]

Promise: easier, cheaper and better
- Users: easier. Only a few authentication means, no need to provide information again and again
- Relying party: cheaper & better. Higher conversion, richer profile, lower costs (helpdesk, tokens), enables social web
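The federative model above, worked through as an added example (not code from the presentation or from any of the federations it names): the user authenticates once at the IdP, which hands the relying party a signed, audience-bound, short-lived assertion; the RP only has to verify it. The example also shows two of the privacy principles the deck lists later (minimal disclosure and pseudonyms): the IdP releases only the requested attributes and uses a different pseudonym per relying party, which is the IdP-RP unlinkability property mentioned in the comparison slide. The issuer name `idp.example`, the relying-party names, the attribute names and the HMAC-based signature are all assumptions; a real SAML or OpenID Connect IdP signs with a private key and the RP verifies with the IdP's public key rather than a shared secret.

```python
import hashlib
import hmac
import json

# Constructed demo keys; a real IdP would sign with a private key and the
# RP would verify with the IdP's public key (as in SAML or OpenID Connect).
IDP_SIGNING_KEY = b"constructed-idp-signing-key"
IDP_PSEUDONYM_SALT = b"constructed-pseudonym-salt"
IDP_ID = "idp.example"  # hypothetical identity provider name


def pairwise_pseudonym(user_id: str, rp_id: str, salt: bytes = IDP_PSEUDONYM_SALT) -> str:
    """Relying-party-specific identifier for a user.

    Two relying parties receive different values for the same user, so they
    cannot join their records on it (IdP-RP unlinkability); the same RP gets a
    stable value on every visit, so the user only registers there once.
    """
    digest = hashlib.sha256(salt + user_id.encode() + b"|" + rp_id.encode())
    return digest.hexdigest()[:32]


def issue_assertion(user_id, rp_id, user_attributes, requested, issued_at,
                    ttl=300, key=IDP_SIGNING_KEY):
    """IdP side: after authenticating the user once, hand the RP a signed,
    audience-bound assertion. Minimal disclosure: only requested attributes
    are released."""
    released = {k: v for k, v in user_attributes.items() if k in requested}
    claims = {
        "iss": IDP_ID,
        "aud": rp_id,
        "sub": pairwise_pseudonym(user_id, rp_id),
        "iat": issued_at,
        "exp": issued_at + ttl,
        "attrs": released,
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_assertion(assertion, rp_id, now, key=IDP_SIGNING_KEY):
    """RP side: reject anything unsigned, tampered, meant for another RP,
    or outside its validity window."""
    payload = assertion["payload"]
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        raise ValueError("signature check failed")
    claims = json.loads(payload)
    if claims["iss"] != IDP_ID:
        raise ValueError("unknown issuer")
    if claims["aud"] != rp_id:
        raise ValueError("assertion was issued for a different relying party")
    if not claims["iat"] <= now < claims["exp"]:
        raise ValueError("assertion expired or not yet valid")
    return claims


if __name__ == "__main__":
    # Constructed sample profile; the RP only asks for the age flag.
    profile = {"name": "Alice Example", "age_over_18": True, "email": "alice@example.invalid"}
    a = issue_assertion("alice", "shop.example", profile, {"age_over_18"}, issued_at=1000)
    print(verify_assertion(a, "shop.example", now=1100))
```

The audience check is what stops an assertion collected at one relying party from being replayed at another; the expiry check bounds how long a captured assertion stays useful; the pairwise pseudonym is what keeps the "richer profile" promise from turning into cross-site tracking.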
13. Major federations in NL for citizens & students

DigiD – e-government
- For everyone with a BSN, 7 mln users
- "No, unless" ("Nee, tenzij") policy: e-government, health, pension
- 1 IdP, ~400 relying parties (2008)
- 17 mln transactions, average ~2.5 per user/year (very little!)
- Next: STORK project to federate across the EU

SURFfederatie – higher education
- >40 IdPs, 15 relying parties
- 400k students, 50k employees, ~2000-2500 logins/day
- Using the username/password of the institute
- Also: Kennisnet Entree for non-higher education
14. Key issue: business model

- Business case is hard
- Failures seem to outnumber successes. Example: MS Passport. Mostly: lack of relying parties
- Challenges: business model & market entry (chicken-egg)
15. Key issue – business model. Example: Swedish BankID

- Issued by 10 banks, since 2003
- 2 mln users, out of 6.5 mln adults
- 75% market share (competition: another bank and Telia)
- 170 service providers
- 5 mln usages per month, thus on average 2.5x per user
- Financial (~51%), government (~41%) & private (~7%)
- Authentication: 1.7 mln soft certificates (file), 400k smartcards
- Different views on success or not

[National eID & ePassport Conference, Oct 2009, Lisbon & www.bankid.com]
16. Key issue – business model. (No) governance?

Goal: a healthy ecosystem!

Decreasing regulation:
1. Government issued (Belgium eID, DigiD)
2. Government regulated (PKIOverheid, eHerkenning)
3. Market scheme ( )
4. Free market – only a technical standard (OpenID)

Note: models 1 to 3 require some form of monopoly/regulator
17. Key issue – business model. Market entry

- Too much uncertainty on business model & business case
- Approach: jointly create the market + share investments, by relying parties and identity providers, with users in mind!!!
- Alternative: paid by government …
- Broad support still needed!!
22. Dutch Consumer Identity initiatives

- Status: about to start limited technical testing, extending consortium
- Consumer Identity for the (initial) financial sector: high security; initiative by Novay & DigiNotar; several large financial companies indicated they'll join. Status: finalizing consortium building, plan to start January 2010
23. Key issue: privacy!!

- Efficient identity solution -> Big Brother?
- Principles are more or less clear: privacy-by-design, minimal disclosure, pseudonyms, revocable privacy, 7 laws of identity, etc.
- Trade-off between privacy & functionality will remain!
- User controlled privacy: empower users to personalize what information they share!!!
25. Next step: user centric identity

[Diagram: user between IdPs (authentication, trust) and relying parties (privacy)]

Empower the user to control his/her identity!
26. Next step – user centric identity. Why & how

Why: legal, ethical, user acceptance
- Personalized privacy: one size does not fit all
- Privacy attitude surveys: fundamentalist (25%), concerned (50%), unconcerned (25%)

How: insight & control
27. Next step – user centric identity. Beyond consent

- Informed consent: users need to understand! Contrary to: discouraging, blaming or scaring them
- Users need to be reassured about what happens with their data, but there are no proper solutions yet …
28. Next step: mobile centric identity

[Diagram: user between IdPs (authentication, trust) and relying parties (privacy)]

User centric implies mobile centric:
- Mobile is the most personal device a user has
- Users always have their mobile with them
30. Next step – mobile centric identity. Authentication means

"Something you have" (& "something you know")
- Leverage the SIM card as secure/trusted hardware. Note: owned by the operator
- SMS one-time password
- OTP generator application (e.g. VeriSign iPhone)
- OTP generator application on SIM card
- GAA/GBA (3GPP)
- Mobile (Wireless) PKI (on SIM card)
31. Five take-aways on consumer identity

1. Everyone benefits from a federated model
2. Business model and privacy are the key issues!
3. Achieve market entry through joint effort, and select the right type of governance
4. User centric identity is here to stay
5. Mobile centric identity is the future
34. Sectors and examples in NL

[Diagram: sectors C2G, C2B, intra-organization, B2G and B2B, with examples OpenID.nl+, Digitaal Paspoort (Sivi) and eHerkenning]
35. Comparison [inspired by Venn of Identity by Eve Maler]

SAML:
- closed trust model
- "old" and much used
- IdP discovery features
- integrates with web services

OpenID:
- simplicity and scalability over security
- client-less
- "new" and hype
- enables user centric identity

InfoCard:
- anti-phishing & IdP-RP unlinkability
- client centered
- "very new" and promising
36. Next step – mobile centric identity. Identity for mobile applications

- User pain is bigger on mobiles: user input of username etc. is much harder
- Support lacking but improving: user interface challenge, diversity challenge, browsers lack extensibility features, no readers (yet …)
- Synchronization with 'fixed' identity is an issue
37. Next step – mobile centric identity. Control your identity from your mobile

[Screenshot: https://webmail.infocard.demo]

- Mobile as a trusted and personal 'control center'
- Including your 'fixed' identity
- Ongoing research …