Consumer and Citizen Identities: Government Issued or Trust Frameworks? (European Identity Conference 2011)
1.
Consumer and Citizen Identities:
Government Issued or Trust Frameworks?
Maarten Wegdam, Novay
European Identity Conference 2011
12 May 2011, Munich
2.
Novay?
• Independent Dutch ICT research institute
• Formerly Telematica Instituut
• “People driven, ICT empowered”
• ~55 researchers, multi-disciplinary
• Innovation projects
• Including financial sector, government and semi-government
3.
Old problem
[New Yorker cartoon by Peter Steiner]
4.
What to expect?
• Re-usable identities are the way to go
• Government vs trust framework: they co-exist
• Banks and government are key
• Convincing relying parties: needed and hard work
6.
And online?
• Id theft
• Avoidable costs
• Lost revenues (?)
• Frustrated users
• Privacy/control issues
7.
Solution: re-usable identities
(One or) a few trusted identities
Of course: secure & trusted
Of course: user controlled, privacy
sensitive
8.
Trust in an identity
• Authentication means
• Identity binding
• Level of Assurance
9.
Challenges for trusted re-usable identities
• lack of trust in Id Provider
• privacy issues
• market entry issues
10.
The big choice: government or
market as identity provider
• Government – as in offline world
• Market – as phone, internet access, email etc
11.
The big choice: government or
market as identity provider
• Government – as in offline world
• Market – as phone, internet access, email etc
• Some form of controlled market
12.
Decreasing (government) control
Government issued
Government regulated
Trust framework
Free market (tech standard)
Note: models 1 to 3 require some form of
monopoly or regulator
13.
Identity trust framework = a set of rules
that all players agree upon
To have more trust and a healthy ecosystem
• A fair business model
• New identity providers can join
• Easy access for relying parties (scalability)
• Balancing interests between players
• Privacy assurances
• Governance / audits
• Support one or more levels of assurance
14.
Success criteria C2B/C2G identity
• Frequent use of eID essential
• For private AND public services (C2B & C2G)
• Bank involvement seems key
• Government governance required
• Easy entrance for relying parties
• Ease of use for end-users
• High (100%?) user penetration needed
[based on use cases study in DK, BE, DE, NO, SE, EE, US in 2010]
15.
Government issued eID:
• Easier market entry
  • 100% user coverage
  • gov as relying party
• Clearer bus model
• Neutral branding
Identity trust framework:
• Innovation ‘friendlier’
• User choice
• International is easier (?)
• Benefits of competition …
• Re-use existing identities
Privacy of Relying party
Trust: cultural?
User privacy: one big brother or several medium brothers?
16.
use-case:
trusted and re-usable consumer identity in NL
Consortium
Financial sector
Vision on trust framework
Feasibility
17.
vision on trust framework
• Business model – users should not pay (directly)
• Business case – re-use existing identities
• Very easy for relying parties to connect
• Several levels of assurance – ‘mid’ trust and up
• Mobile – from the start
• Privacy – state-of-the-art and consent
• Government needed for trust (link to eRecognition)
18.
: my lessons learned
• High-level mngt in financial industry do not
understand nerdy terms like trust frameworks
• Government needs to be ‘predictable’ !!!
• Relying parties: so they don’t wait for gov
• Identity providers: trust & no competition
• Re-use existing & trusted: you need (all ?)
banks as identity providers
• not core business, there are risks, and unclear
business case ...
19.
My 2 cents for relying parties
• Re-use identities from others when you can
• Heterogeneity - no 1-identity-to-rule-them-all, accept
heterogeneity as inevitable
• Stimulate trust frameworks - it is in your interest to
reduce heterogeneity without introducing a monopoly
• Architect your identity system to accept different
levels of assurance, from different parties
• If you have customers from only one nation, can wait
a couple of years and live in a government-issued
C2B eID country: things may be simpler.
20.
5 things to keep an eye on
1. Will social login (Facebook etc) become more
trustworthy?
2. Will domain-specific trust frameworks expand, e.g.
higher education?
3. Are four levels-of-assurance (trust levels) really
needed? Will users understand?
4. What is the value of an authentication for a relying
party? (BankID is pretty cheap …)
5. Are trust frameworks also about trusting the relying
parties?
21.
Take aways
• Re-usable identities are the way to go
• If both C2B and C2G: easier market entry, cheaper
• Government vs trust framework: they co-exist
• Privacy, political, legacy, legislation are factors
• Banks and government are key
• Market penetration as identity providers
• Killer apps as relying parties
• Trust
• Convincing relying parties: needed and hard work
More information:
maarten.wegdam@novay.nl http://maarten.wegdam.name