Consumer and Citizen Identities: Government Issued or Trust Frameworks?
Maarten Wegdam, Novay
European Identity Conference 2011, 12 May 2011, Munich
Novay?
• Independent Dutch ICT research institute
• Formerly Telematica Instituut
• “People driven, ICT empowered”
• ~55 researchers, multi-disciplinary
• Innovation projects
• Including financial sector, government and semi-government
Old problem
[New Yorker cartoon by Peter Steiner]
What to expect?
• Re-usable identities are the way to go
• Government vs trust framework: they co-exist
• Banks and government are key
• Convincing relying parties: needed and hard work
Identity in the offline world
And online?
• Id theft
• Avoidable costs
• Lost revenues (?)
• Frustrated users
• Privacy/control issues
Solution: re-usable identities
(One or) a few trusted identities
Of course: secure & trusted
Of course: user controlled, privacy sensitive
Trust in an identity
• Authentication means
• Identity binding
• Level of Assurance
Challenges for trusted re-usable identities
• Lack of trust in Id Provider
• Privacy issues
• Market entry issues
The big choice: government or market as identity provider
• Government – as in offline world
• Market – as phone, internet access, email etc
• Some form of controlled market
Models, in order of decreasing (government) control:
1. Government issued
2. Government regulated
3. Trust framework
4. Free market (tech standard)
Note: models 1 to 3 require some form of monopoly or regulator
To have more trust and a healthy ecosystem
• A fair business model
• New identity providers can join
• Easy access for relying parties (scalability)
• Balancing interests between players
• Privacy assurances
• Governance / audits
• Support one or more levels of assurance
Identity trust framework = a set of rules that all players agree upon
Success criteria C2B/C2G identity
• Frequent use of eID essential
• For private AND public services (C2B & C2G)
• Bank involvement seems key
• Government governance required
• Easy entrance for relying parties
• Ease of use for end-users
• High (100%?) user penetration needed [based on use cases study in DK, BE, DE, NO, SE, EE, US in 2010]
Government issued eID
• Easier market entry: 100% user coverage, gov as relying party
• Clearer bus model
• Neutral branding
• Privacy of relying party

Identity trust framework
• Innovation ‘friendlier’
• User choice
• International is easier (?)
• Benefits of competition …
• Re-use existing identities

Trust: cultural?
User privacy: one big brother or several medium brothers?
use-case: trusted and re-usable consumer identity in NL
• Consortium
• Financial sector
• Vision on trust framework
• Feasibility
Vision on trust framework
• Business model – users should not pay (directly)
• Business case – re-use existing identities
• Very easy for relying parties to connect
• Several levels of assurance – ‘mid’ trust and up
• Mobile – from the start
• Privacy – state-of-the-art and consent
• Government needed for trust (link to eRecognition)
My lessons learned
• High-level management in the financial industry does not understand nerdy terms like trust frameworks
• Government needs to be ‘predictable’ !!!
  • Relying parties: so they don’t wait for gov
  • Identity providers: trust & no competition
• Re-use existing & trusted: you need (all ?) banks as identity providers
  • Not core business, there are risks, and unclear business case ...
My 2 cents for relying parties
• Re-use identities from others when you can
• Heterogeneity - no 1-identity-to-rule-them-all, accept heterogeneity as inevitable
• Stimulate trust frameworks - it is in your interest to reduce heterogeneity without introducing a monopoly
• Architect your identity system to accept different levels of assurance, from different parties
• If you have customers from only one nation, can wait a couple of years, and live in a country with a government-issued C2B eID: things may be simpler.
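Two of the slides above lend themselves to code: “trust in an identity” (slide 8) as the combination of authentication means and identity binding into a level of assurance, and the advice to relying parties to accept different levels of assurance from different parties. The following is an added example written for this page, not code from the talk, from Novay or from any of the consortia mentioned. The trust-framework registry, the provider names, the four-level assurance scale, the per-resource policy and the assertion shape are all constructed assumptions; a real trust framework would publish such a registry and its rating rules itself.

```python
"""Relying-party policy check over heterogeneous identity providers.

Added example (not from the original slides). Registry, provider names,
level scale, resource policy and assertion format are constructed.
"""
from dataclasses import dataclass

# Assumed four-level scale (the deck asks whether four levels are needed).
LOA_LOW, LOA_MID, LOA_SUBSTANTIAL, LOA_HIGH = 1, 2, 3, 4

# Constructed trust-framework registry. For each identity provider the
# framework records how strong its authentication means and its identity
# binding (how well the account is tied to a real person) are rated.
TRUST_FRAMEWORK = {
    "bank-a":   {"auth_means": LOA_HIGH,        "id_binding": LOA_HIGH},
    "bank-b":   {"auth_means": LOA_SUBSTANTIAL, "id_binding": LOA_HIGH},
    "gov-eid":  {"auth_means": LOA_HIGH,        "id_binding": LOA_HIGH},
    "social-x": {"auth_means": LOA_LOW,         "id_binding": LOA_LOW},
}

# Minimum level of assurance the relying party demands per resource.
RESOURCE_POLICY = {
    "/newsletter":    LOA_LOW,
    "/account":       LOA_MID,
    "/sign-contract": LOA_SUBSTANTIAL,
}


@dataclass(frozen=True)
class Assertion:
    """Constructed shape of an authentication assertion from an IdP."""
    issuer: str      # provider identifier as registered in the framework
    subject: str     # user identifier at that provider
    auth_means: int  # strength the IdP claims for this login session


def assurance_level(assertion):
    """Effective LoA, or None when the issuer is not in the framework.

    LoA is the weakest link: a strong token bound to a weakly verified
    identity is still a weak identity, and an IdP may not claim a stronger
    authentication means than the framework has rated it for.
    """
    profile = TRUST_FRAMEWORK.get(assertion.issuer)
    if profile is None:
        return None
    auth = min(assertion.auth_means, profile["auth_means"])
    return min(auth, profile["id_binding"])


def authorize(assertion, resource):
    """Return (allowed, reason) for one assertion against one resource."""
    required = RESOURCE_POLICY.get(resource)
    if required is None:
        return False, "unknown resource"
    loa = assurance_level(assertion)
    if loa is None:
        return False, f"issuer {assertion.issuer!r} not in trust framework"
    if loa < required:
        return False, f"LoA {loa} below required {required}"
    return True, f"LoA {loa} meets required {required}"


def providers_for(required):
    """Providers that can reach the required LoA, for a step-up prompt."""
    return sorted(
        name for name, p in TRUST_FRAMEWORK.items()
        if min(p["auth_means"], p["id_binding"]) >= required
    )


if __name__ == "__main__":
    # Constructed sample logins, not real data.
    samples = [
        (Assertion("bank-a", "alice", LOA_HIGH), "/sign-contract"),
        (Assertion("social-x", "bob", LOA_HIGH), "/account"),
        (Assertion("bank-b", "carol", LOA_LOW), "/account"),
        (Assertion("unknown-idp", "dave", LOA_HIGH), "/newsletter"),
    ]
    for a, res in samples:
        ok, why = authorize(a, res)
        print(f"{a.issuer:>12} -> {res:<15} {'ALLOW' if ok else 'DENY '} ({why})")
    print("step-up options for /sign-contract:", providers_for(LOA_SUBSTANTIAL))
```

The point of `assurance_level` is that the relying party never takes the provider's word for its own strength: the framework's rating caps what the session can claim, and the identity binding caps the whole thing. `providers_for` is what a relying party needs to send a user to a stronger provider instead of refusing outright, which is how “different levels of assurance, from different parties” becomes a workable login flow rather than a hard-coded list of one provider.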
5 things to keep an eye on
1. Will social login (Facebook etc) become more trustworthy?
2. Will domain-specific trust frameworks expand, e.g. higher education?
3. Are four levels-of-assurance (trust levels) really needed? Will users understand?
4. What is the value of an authentication for a relying party? (BankID is pretty cheap …)
5. Are trust frameworks also about trusting the relying parties?
Take aways
• Re-usable identities are the way to go
  • If both C2B and C2G: easier market entry, cheaper
• Government vs trust framework: they co-exist
  • Privacy, political, legacy, legislation are factors
• Banks and government are key
  • Market penetration as identity providers
  • Killer apps as relying parties
  • Trust
• Convincing relying parties: needed and hard work
More information: [email protected], http://maarten.wegdam.name