User & Mobile Centric Identity


Presentation for the National eID & ePassport Conference, 22-23 October 2009, Lisbon


Speaker notes:
  • relying party is also called service provider
  • Generic Bootstrapping Architecture (GBA) or Generic Authentication Architecture (GAA)

User & Mobile Centric Identity

    1. The trend towards user and mobile centric identity
       Maarten Wegdam, Novay (formerly Telematica Instituut)
       National eID & ePassport Conference, 22 October 2009

    2. Who am I?
       • Maarten Wegdam
         • Senior researcher @ Novay (/en)
         • Coordinator of identity, privacy & trust
         • MSc, PhD in Computer Science
       • Novay, formerly Telematica Instituut
         • independent ICT research institute in the Netherlands
         • multi-disciplinary, ~100 people
         • innovative projects for companies & government

    3. Identity (federation) – the basics
       • Identity = set of attributes
         • id number, name, address etc.
       • Requires trust between all three parties!!!
       [Diagram: the user authenticates with the identity provider (IdP), e.g. with an eID, and uses a service at the relying party; the relying party relies on the IdP for the user's identity]

    4. User centric identity – the idea
       • User brings his or her identity
       • Reasons: legal, ethical, user acceptance
       • For e-government, and certainly for the private sector
       • Personalized privacy
         • privacy attitude: fundamentalist, concerned, unconcerned
         • depends on: trust, privacy sensitivity & goal
       Empower the user to control his/her identity!
       [Diagram: IdPs, relying parties, trust, privacy, authentication]

    5. User centric identity – how?
       • Give users insight
         • what is shared, with whom
       • Give users control
         • consent, per attribute
       • Decoupling identity provider and relying party

    6. User centricity is difficult: many trade-offs
       • How much control
       • Don’t bother the user too much
       • ‘Easy’
       • Accommodate for different types of users
       • Decoupling IdP & relying party is difficult
       • Reduce needed trust in identity provider
       • No user client
       • Business model
       • Use standards!!! for interoperability
         • identity federation standards (SAML, InfoCard, OpenID)

    7. User centric identity – beyond consent
       • Consent is not enough …
       • Informed consent: users need to understand!
         • contrary to: discouraging, blaming or scaring them
         • question is: how much, and how to minimize this
         • EDUCATING!!!
       • Users need to be reassured about what happens with their data
         • no proper solutions (yet)
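Slides 5 and 7 describe per-attribute consent and "insight into what is shared, with whom" without showing how an identity provider would enforce them. The following is an added illustration, not code from the presentation or from Novay: a small IdP that releases only attributes the user has explicitly consented to for a given relying party, keeps an audit trail the user can inspect, and varies its default behaviour by the three privacy attitudes named on slide 4. The sample identity, the relying-party names, and the mapping of attitudes to release policies are all constructed assumptions.

```python
"""Per-attribute consent at an identity provider (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample identity: "identity = set of attributes".
IDENTITY = {
    "id_number": "123456789",
    "name": "A. Example",
    "address": "Examplestreet 1, Enschede",
    "email": "a.example@example.org",
}

# Assumed mapping of privacy attitude to release policy:
#   fundamentalist: consent is one-time, the user is asked again on every release
#   concerned:      consent is remembered per relying party and per attribute
#   unconcerned:    everything a relying party asks for is released
ATTITUDES = ("fundamentalist", "concerned", "unconcerned")


@dataclass
class ConsentingIdP:
    attitude: str
    # relying party -> attributes the user consented to share with it
    grants: Dict[str, Set[str]] = field(default_factory=dict)
    # audit trail: (relying party, attributes requested, attributes released)
    audit: List[Tuple[str, Tuple[str, ...], Tuple[str, ...]]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.attitude not in ATTITUDES:
            raise ValueError(f"unknown privacy attitude: {self.attitude}")

    def grant(self, rp: str, attributes: Set[str]) -> None:
        """Record the user's consent, per attribute, towards one relying party."""
        unknown = attributes - IDENTITY.keys()
        if unknown:
            raise ValueError(f"unknown attributes: {sorted(unknown)}")
        self.grants.setdefault(rp, set()).update(attributes)

    def revoke(self, rp: str, attributes: Optional[Set[str]] = None) -> None:
        """Withdraw consent for some attributes, or for everything, towards rp."""
        if attributes is None:
            self.grants.pop(rp, None)
        else:
            self.grants.get(rp, set()).difference_update(attributes)

    def release(self, rp: str, requested: List[str]) -> Dict[str, str]:
        """Return only the requested attributes the user consented to share with rp.
        A request never implies consent: unconsented attributes are withheld."""
        if self.attitude == "unconcerned":
            allowed = set(requested)
        else:
            allowed = set(requested) & self.grants.get(rp, set())
        released = {a: IDENTITY[a] for a in requested if a in allowed}
        self.audit.append((rp, tuple(requested), tuple(sorted(released))))
        if self.attitude == "fundamentalist":
            # one-time consent: forget the grant so the user is asked next time
            self.grants.pop(rp, None)
        return released

    def shared_with(self) -> Dict[str, Set[str]]:
        """Insight for the user: which attributes have actually gone to which party."""
        out: Dict[str, Set[str]] = {}
        for rp, _requested, released in self.audit:
            out.setdefault(rp, set()).update(released)
        return out


if __name__ == "__main__":
    idp = ConsentingIdP("concerned")
    idp.grant("webshop", {"name", "address"})
    print(idp.release("webshop", ["name", "address", "id_number"]))  # id_number withheld
    print(idp.shared_with())
```

The point of the design is that the relying party's request and the user's consent are separate inputs, and that the audit trail records both, so the "insight" the slides ask for can be shown to the user later without trusting the relying party to report it.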
    8. Mobile centric identity
       • Mobile as authentication means
       • Identity for mobile applications
       • To control your identity
       • User centric implies mobile centric:
         • Mobile is the most personal device a user has
         • Users always have their mobile with them
       [Diagram: IdPs, relying parties, trust, privacy, authentication]

    9. Mobile as authentication means
       • One authentication token!!!
         • “something you have” (& “something you know”)
       • Leverage SIM card as secure/trusted hardware
         • Be aware: owned by operator
       • SMS one-time password
       • OTP generator application (e.g. VeriSign iPhone)
       • OTP generator application on SIM card
       • GAA/GBA (3GPP)
       • Mobile (Wireless) PKI (on SIM card)
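Slide 9 lists OTP generator applications on the phone or SIM as a "something you have" factor. As an added example, not part of the presentation and not tied to any of the products named on the slide, here is the standard algorithm such generators implement, HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238), together with the server-side verification that handles the two failure modes a deployment runs into: a counter that has drifted ahead because the user generated codes without using them, and a phone clock that is a step off. The shared secret is the RFC test-vector key, and the window sizes are assumptions.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) generation and verification (added example)."""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP with counter = floor(unix_time / step)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time // step), digits)


def _well_formed(candidate: str, digits: int) -> bool:
    # Reject anything that is not exactly `digits` ASCII digits before comparing.
    return len(candidate) == digits and candidate.isascii() and candidate.isdigit()


def verify_hotp(secret: bytes, candidate: str, server_counter: int,
                window: int = 5, digits: int = 6) -> Optional[int]:
    """Server-side HOTP check. The token's counter may be ahead of the server's
    (codes generated but never submitted), so look ahead a bounded window.
    Returns the counter to store next (one past the match) or None on failure.
    Never look behind: an earlier counter would allow replay of a used code."""
    if not _well_formed(candidate, digits):
        return None
    for c in range(server_counter, server_counter + window + 1):
        # constant-time compare so a partial match leaks no timing information
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


def verify_totp(secret: bytes, candidate: str, unix_time: float,
                last_used_step: int = -1, step: int = 30, digits: int = 6,
                skew: int = 1) -> Optional[int]:
    """Server-side TOTP check tolerating +/- `skew` steps of clock drift.
    Returns the matched step (to be stored as last_used_step) or None.
    Steps at or before last_used_step are refused, which blocks replay of a
    code within its own validity window."""
    if not _well_formed(candidate, digits):
        return None
    now = int(unix_time // step)
    for d in range(-skew, skew + 1):
        t = now + d
        if t <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, t, digits), candidate):
            return t
    return None


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector secret
    print([hotp(key, c) for c in range(3)])   # 755224, 287082, 359152
    print(totp(key, 59, digits=8))             # 94287082
```

A generator on a SIM card or in an app holds only `secret` and a counter or clock; the verifier at the IdP holds the same secret, which is why the slide's remark that the SIM is "owned by the operator" matters: whoever provisions and can read that secret can produce valid codes.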
    10. Identity for mobile applications
       • User pain is bigger on mobiles
         • user input of username etc. is much harder
       • Support lacking but improving
         • user interface challenge
         • diversity challenge
         • browsers lack extensibility features
         • no readers (yet …)
         • synchronization with ‘fixed’ identity is an issue

    11. Control your identity from your mobile
       • Mobile as a trusted and personal ‘control center’
       • Including your ‘fixed’ identity
       • Ongoing research …
       [Screenshot: https://webmail.infocard.demo, code 698724]

    12. Key take-aways
       • User centricity is a ‘must have’ for identity infrastructures
         • personalize the privacy
         • requires users to understand this!
       • User centric implies mobile centric
         • Mobile for authentication is only step one
       More information: [email_address], blog:
       [Diagram: IdPs, relying parties, trust, privacy, authentication]

    13. Backup slides

    14. User centricity & standards – browser-based: OpenID & SAML
       • Client-less, ‘redirect based’
       • Variation in amount of control!

    15. User centricity & standards – browser-based: OpenID & SAML
       • Client-less, ‘redirect based’
       • Variation in amount of control!
       • OpenID – hyped for the consumer internet, simple, low-security, primarily for user convenience
       • SAML WebSSO – old/mature, higher-security, still often deployed with user control over privacy

    16. User centricity & standards – client centric: InfoCard
       • New OASIS standard, from Microsoft
       • Card user interface model
       • Better IdP–relying party decoupling