<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Maarten Wegdam&#039;s Blog</title>
	<atom:link href="http://maarten.wegdam.name/feed/" rel="self" type="application/rss+xml" />
	<link>http://maarten.wegdam.name</link>
	<description>A blog on identity, mobile, privacy, innovation, trust, middleware and more</description>
	<lastBuildDate>Thu, 26 Apr 2012 15:13:55 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='maarten.wegdam.name' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://1.gravatar.com/blavatar/919cf8ecf6f35b50e61434a17113f7ee?s=96&#038;d=http%3A%2F%2Fs2.wp.com%2Fi%2Fbuttonw-com.png</url>
		<title>Maarten Wegdam&#039;s Blog</title>
		<link>http://maarten.wegdam.name</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://maarten.wegdam.name/osd.xml" title="Maarten Wegdam&#039;s Blog" />
	<atom:link rel='hub' href='http://maarten.wegdam.name/?pushpress=hub'/>
		<item>
		<title>Context-enhanced authorization: usefulness and feasibility for the banking sector</title>
		<link>http://maarten.wegdam.name/2012/04/26/context-enhanced-authorization-usefulness-and-feasibility-for-the-banking-sector/</link>
		<comments>http://maarten.wegdam.name/2012/04/26/context-enhanced-authorization-usefulness-and-feasibility-for-the-banking-sector/#comments</comments>
		<pubDate>Thu, 26 Apr 2012 15:13:19 +0000</pubDate>
		<dc:creator>Maarten Wegdam</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[authorization]]></category>
		<category><![CDATA[context]]></category>

		<guid isPermaLink="false">http://maarten.wegdam.name/?p=425</guid>
		<description><![CDATA[We did a very interesting project for a large Dutch bank (Rabobank) and IBM to determine the usefulness and feasibility of Context-enhanced Authorization in the banking sector. We focussed here on employees, and taking their context (location, used device etc) into account for authorization decisions. This would allow the authorization to become more dynamic, and address new [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://maartenwegdam.files.wordpress.com/2012/04/picture1.png"><img class="aligncenter size-medium wp-image-426" title="CeA" src="http://maartenwegdam.files.wordpress.com/2012/04/picture1.png?w=300&#038;h=212" alt="" width="300" height="212" /></a></p>
<p>We did a very interesting <a href="http://www.novay.nl/okb/projects/context-enhanced-authorization/12435">project</a> for a large Dutch bank (Rabobank) and IBM to determine the usefulness and feasibility of Context-enhanced Authorization in the banking sector. We focussed here on employees, and on taking their context (location, device used, etc.) into account for authorization decisions. This would allow authorization to become more dynamic, and address new trends such as nomadic working (<em>Dutch: Het Nieuwe Werken</em>) and Bring Your Own Device. An important technology in this project was XACML, for which we used IBM’s tooling (Tivoli Security Policy Manager). In short, the outcome was: yes, it is useful, and yes, it is feasible.</p>
<p>Today I presented the project at a <a href="http://xacml.eventbrite.com/">XACML seminar</a>, organized by PIMN, CSA, PvIB and SURFnet. I repeat the key take-aways here:</p>
<ul>
<li>Centralization &#8211; take authorization out of the application (cf authentication)</li>
<li>Use attributes (ABAC), XACML is the standard to do this multi-vendor and across domains</li>
<li>Our pilot: use dynamic attributes (i.e., context)</li>
<li>Yes it is useful, yes it is feasible</li>
<li>But w.r.t. context: authenticity, quality &amp; privacy</li>
<li>But w.r.t. dynamic attributes / XACML: complexity of policies &amp; scalability/performance</li>
</ul>
<p>More information can be found in my presentation. We also described (most of) the project in a <a href="http://www.novay.nl/okb/publications/feasibility-of-context-enhanced-authorization-in-the-banking-sector/67049">public whitepaper</a>, and even made a <a href="http://www.youtube.com/watch?v=lGUprbxJNvE">small video</a> (2:39’, credits go to my <a href="http://www.ruudkosman.nl/blog/">colleague Ruud Kosman</a>). I also copied the management summary of the whitepaper below for convenience.</p>
<iframe src='http://www.slideshare.net/slideshow/embed_code/12701596' width='450' height='369'></iframe>
<h3>Management Summary</h3>
<p>Context-enhanced authorization is about knowing when and where users are, what they are doing, which device they are using, and so on, and using this information as a parameter in authorization decisions. A sector which could benefit from this is the banking sector. There is an increasing need for banks to deal with security in a more flexible way, for instance in order to enable nomadic working and the usage of less secure devices (tablets, smart phones, bring-your-own-device). Banking employees need to be able to perform transactions with a high security risk from different locations (home, office, at a customer etc.), at different times of the day, and from different devices. This brings with it new risks that may be mitigated by context-enhanced authorization. The promise of context-enhanced authorization is that by making this context explicit in authorization rules, flexibility increases without reducing security. Implementing context-enhanced authorization is also facilitated by the wide-spread introduction of mobile devices, which makes more context information available, and by the adoption of (logically) centralized authorization systems.</p>
<p>This whitepaper provides the outcome of a feasibility study of implementing context-enhanced authorization for bank employees. An important part of this study was a demonstrator based on the XACML policy language, which enables centralized authorization policies. The whitepaper also provides a context model, criteria for usefulness of context for authorization and use cases for context-enhanced authorization for bank employees.</p>
<p>The main conclusion of the feasibility study is that context does indeed have the potential to make authorization more flexible, and that it is possible to use XACML tooling to implement this. Relevant and practical context types, for now, are location, time, and information that can be derived from context. There are however non-trivial issues that have to be dealt with, especially:</p>
<ul>
<li>Authenticity of context – Depending on the context source, context can easily be falsified, e.g., when the context owner is the potential attacker. Context should be from trusted context sources if possible. In all cases, when designing context-enhanced policies, the authenticity of the context has to be carefully taken into account. For example, location information from an employer-owned WiFi network is typically more useful than location information originating from a smartphone.</li>
<li>Quality of context – Context is known only with a certain amount of “vagueness”, called Quality of Context, due to technical limitations of context sensors. For example, it is never 100% certain that an employee is at home, but it may be 95% certain that he or she is within a 50 meter radius of home. This vagueness further adds to the complexity of context-enhanced policies.</li>
<li>Privacy &#8211; Context information is often privacy-sensitive information, e.g., location. The benefits of context-enhanced authorization have to outweigh the privacy risks. An issue for, among others, using context-enhanced authorization for banking employees is that the benefits may lie mostly with the employer, and the privacy risks with the employee. There is also no generic answer to whether the benefits outweigh the privacy risks; this basically depends on the context used (how privacy-sensitive it is) and on what the actual benefits are in a specific case. The privacy implications were not explored in any detail within the scope of this study, but should be in potential follow-ups. This should include legal aspects (e.g., the role of the works council, whether informed consent can play a role), technical aspects (e.g., privacy-by-design) and user acceptance (e.g., do employees see benefits, what context information is sensitive).</li>
<li>Complexity of context-aware policies – Adding context parameters to policies makes them more complex. The use cases and demonstrator show that fine-grained policies are possible, but this finer level of granularity also means that it may become harder to ensure that the produced policies are complete, safe, and conflict-free.</li>
<li>Scalability and performance – Context information differs from the usual static information on which today’s access policies are based (the identity of the user, the role of the user within the organization): context information is only relevant when processed in (near) real-time, and there is much more of it (in terms of amounts of data). This requires careful design of context collection, and puts much more stress on policy evaluation engines.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://maarten.wegdam.name/2012/04/26/context-enhanced-authorization-usefulness-and-feasibility-for-the-banking-sector/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/14ddd460c4b636c6fda72af4f17206a4?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">maarten</media:title>
		</media:content>

		<media:content url="http://maartenwegdam.files.wordpress.com/2012/04/picture1.png?w=300" medium="image">
			<media:title type="html">CeA</media:title>
		</media:content>
	</item>
		<item>
		<title>Internet banking fraud in the Netherlands: 3.5 times more damage in 2011 (phishing)</title>
		<link>http://maarten.wegdam.name/2012/03/27/internet-banking-fraud-in-the-netherlands-three-times-more-damage-in-2011-phishing/</link>
		<comments>http://maarten.wegdam.name/2012/03/27/internet-banking-fraud-in-the-netherlands-three-times-more-damage-in-2011-phishing/#comments</comments>
		<pubDate>Tue, 27 Mar 2012 07:05:54 +0000</pubDate>
		<dc:creator>Maarten Wegdam</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://maarten.wegdam.name/?p=373</guid>
		<description><![CDATA[The Dutch Banking Association (NVB) published new internet banking fraud numbers yesterday. Compared to their numbers about half a year ago, there is a very significant increase in amount of damage. Previous numbers indicated a factor of two for 2011 compared to 2010, but apparently the fraud further increased in the second half of 2011, resulting in a [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://maartenwegdam.files.wordpress.com/2010/10/phishing1.png"><img class="aligncenter size-medium wp-image-167" title="phishing" src="http://maartenwegdam.files.wordpress.com/2010/10/phishing1.png?w=300&#038;h=132" alt="" width="300" height="132" /></a></p>
<p>The Dutch Banking Association (NVB) published <a href="http://www.nvb.nl/home-nederlands/nieuws/nieuwsberichten/betalingsverkeer-veilig-ondanks-toename-fraude.html">new internet banking fraud numbers yesterday</a>. Compared to <a href="http://maarten.wegdam.name/2011/11/15/internet-bankingfraud-in-the-netherlands-three-time-more-incidents-twice-the-damage/">their numbers about half a year ago</a>, there is a very significant increase in the amount of damage. Previous numbers indicated a factor of two for 2011 compared to 2010, but apparently the fraud further increased in the second half of 2011, resulting in a factor of 3.5 increase. The total damage now adds up to €35M. Although NVB is correct in stating that this is relatively not a lot (0.001% of total internet banking volume), €35M is still €35M. Note that this amount is what the banks reimbursed to customers that were a victim of internet banking fraud (i.e. phishing). Costs associated with prevention, detection etc. are not part of this amount.</p>
<p>What worries me most is the relative increase of these numbers: from <a href="http://maarten.wegdam.name/2011/03/15/updated-numbers-on-internet-banking-fraud-in-the-netherlands-5-fold-increase-in-2010/">2009 to 2010 the damages increased fivefold</a>, and from 2010 to 2011 they increased by a factor of 3.5. Playing with these numbers, damages in 2012 could be €70M (if the banks manage to slow down the increase to a factor of 2) or €122M (if it stays a factor of 3.5). Banks, together with the police (the Electronic Crimes Taskforce, etc.), will of course need to slow down this growth.</p>
<p><a href="http://maartenwegdam.files.wordpress.com/2012/03/nvb-phishing-2009-2011.png"><img class="aligncenter size-full wp-image-374" title="nvb-phishing-2009-2011" src="http://maartenwegdam.files.wordpress.com/2012/03/nvb-phishing-2009-2011.png?w=450&#038;h=265" alt="" width="450" height="265" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://maarten.wegdam.name/2012/03/27/internet-banking-fraud-in-the-netherlands-three-times-more-damage-in-2011-phishing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/14ddd460c4b636c6fda72af4f17206a4?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">maarten</media:title>
		</media:content>

		<media:content url="http://maartenwegdam.files.wordpress.com/2010/10/phishing1.png?w=300" medium="image">
			<media:title type="html">phishing</media:title>
		</media:content>

		<media:content url="http://maartenwegdam.files.wordpress.com/2012/03/nvb-phishing-2009-2011.png" medium="image">
			<media:title type="html">nvb-phishing-2009-2011</media:title>
		</media:content>
	</item>
		<item>
		<title>Guide to classifying e-services to Levels of Assurance: a good first step</title>
		<link>http://maarten.wegdam.name/2012/02/09/guide-to-classifying-e-services-to-levels-of-assurance-a-good-first-step/</link>
		<comments>http://maarten.wegdam.name/2012/02/09/guide-to-classifying-e-services-to-levels-of-assurance-a-good-first-step/#comments</comments>
		<pubDate>Thu, 09 Feb 2012 19:30:09 +0000</pubDate>
		<dc:creator>Maarten Wegdam</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[Levels of Assurance]]></category>
		<category><![CDATA[trust framework]]></category>

		<guid isPermaLink="false">http://maarten.wegdam.name/?p=358</guid>
		<description><![CDATA[A Dutch government body responsible for establishing open standards for electronic exchange (Forum Standaardisatie) published a guide for government service providers to help them classify e-services to Levels of Assurance. They use the EU STORK Quality Authentication Assurance levels for this, which classify authentication solutions in four levels. Since Novay was responsible for defining these levels in the [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align:justify;">A Dutch government body responsible for establishing open standards for electronic exchange (<a href="http://www.forumstandaardisatie.nl/english-page/">Forum Standaardisatie</a>) published a guide for government service providers to help them classify e-services to Levels of Assurance. They use the EU STORK Quality Authentication Assurance levels for this, which classify authentication solutions in four levels. Since Novay was responsible for defining these levels in the EU STORK project, and we&#8217;ve helped several clients in applying STORK levels, we read this guide with great interest. In the text below we discuss the Levels of Assurance concept, and give our opinion on the guide.</p>
<p style="text-align:justify;">The shortest summary is the same as the title of this blog post: we consider this guide a good first step towards establishing a best practice for classifying e-services to Levels of Assurance. We do however also discuss some limitations and possible extensions.</p>
<p style="text-align:justify;">This blog post was written jointly with my colleague (and editor of the STORK deliverable that defines the STORK levels) Bob Hulsebosch. It is also <a href="http://www.novay.nl/onze-mensen/bob-hulsebosch/handreiking-betrouwbaarheidsniveaus-voor-overheidsdiensten-een-nuttige-eerste-stap/67061">posted at the Novay website</a>. For non-Dutch speakers, <a href="http://translate.google.com/translate?sl=nl&amp;tl=en&amp;js=n&amp;prev=_t&amp;hl=en&amp;ie=UTF-8&amp;layout=2&amp;eotf=1&amp;u=http%3A%2F%2Fmaarten.wegdam.name%2F2012%2F02%2F09%2Fguide-to-classifying-e-services-to-levels-of-assurance-a-good-first-step%2F">try Google translate</a>.</p>
<h2>Guide to assurance levels for government services: a useful first step</h2>
<p>By Bob Hulsebosch and Maarten Wegdam</p>
<p>Late last year, the <a href="http://www.open-standaarden.nl/">Forum Standaardisatie</a>, in cooperation with <a href="http://www.eherkenning.nl/">eHerkenning</a>, published a <a href="http://www.forumstandaardisatie.nl/fileadmin/os/publicaties/Handreiking_Betrouwbaarheidsniveaus_def_tesktversie.pdf"><em>guide to assurance levels for electronic government services</em></a> (Dutch: <em>handreiking betrouwbaarheidsniveaus voor elektronische overheidsdiensten</em>). This concerns the assurance of the authentication with which someone gains access to those services. Usually four levels are used; in the Netherlands they are applied, among others, by eHerkenning (the business-to-government trust framework). In Europe the <a href="https://www.eid-stork.eu/dmdocuments/public/D2.3_final._1.pdf">Quality Authentication Assurance levels</a> defined in the European STORK project are often used. These were laid down in 2009, with <a href="http://www.novay.nl/okb/projects/stork/4561">Novay as author</a> on behalf of MinBZK (the Dutch Ministry of the Interior), and are based on the Levels of Assurance standard from NIST (<a href="http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf">SP 800-63</a>). The above standards specify how to classify an authentication solution at an assurance level. How to determine which assurance level a service needs, however, remained underexposed. The above-mentioned guide to assurance levels is meant to fill exactly this gap, and thus to help e-service providers in the government sector determine which assurance level their service requires. In this blog post we give our view on this subject.</p>
<p><strong>Introduction to assurance levels</strong></p>
<p>To determine the assurance of an authentication solution, and thereby of the identity of the user, both technical aspects (e.g., a smart card is more secure than username/password) and organizational aspects (e.g., requesting the credential online versus collecting it in person) are taken into account.</p>
<p>The concept of assurance levels has gained strongly in popularity in recent years because it can facilitate the reuse of identities issued by other parties. If a service provider wants to reuse an identity that a user has obtained from another party (the identity provider), it is after all necessary to express the required assurance in a standardized way (interoperability), certainly when there are potentially many external identity providers (scalability). A service provider must be able to specify which assurance level is required, and must be able to do so without having to provide all kinds of implementation details.</p>
<p>In short, standardized assurance levels contribute to interoperability and scalability, in particular for the reuse of identities. This standardization is by no means trivial: technology evolves, and there are always grey areas in classifying a specific solution. For example, interpretations differ on whether <em>DigiD basis</em> corresponds to STORK level 1 or 2. Other limitations are that dividing solutions into (typically) four discrete levels comes at the cost of nuance, and that it can be unclear whether external identity providers actually operate in accordance with the assurance level (audits are not a panacea, as the <a href="http://www.novay.nl/our-people/maarten-wegdam/hacks-will-happen-but-the-damage-can-be-less-diginotar/12359">DigiNotar drama</a> has taught us once again). Moreover, the choice of which authentication solution to use goes beyond assurance alone; in particular, cost and user-friendliness are aspects that also need to be taken into account.</p>
<p><strong>What does the guide add?</strong></p>
<p>For a service provider that wants to start consuming external identities, the above criteria actually help little in deciding which level is required for a specific service. The guide complements the NIST/STORK standards here by offering risk-sensitive criteria for government services to determine which level is needed: legal sensitivity, formal requirements, submission of personal data, display of personal data, processing of the BSN (citizen service number), correctness of the data, economic interest and public interest. You could see it as a menu for a quick risk estimate of a specific service. Take for example the criterion economic interest: for a small interest (~€1,000) level 2 suffices, for a medium interest (~€10,000) level 3 suffices, and for a large interest (&gt; €10,000) level 4 is required. Possible compensating measures (correction factors) are described to justify the choice of a lower (or higher) assurance level; for example, if feedback is given by means of a confirmation letter, a lower level may suffice.</p>
<p><a href="http://maartenwegdam.files.wordpress.com/2012/02/201202-loas1.png" target="_blank"><img class="wp-image-360 alignleft" title="201202 - LoAs" src="http://maartenwegdam.files.wordpress.com/2012/02/201202-loas1.png?w=400" alt="" width="400" /></a></p>
<p>Since we have recently made comparable estimates for various clients (none of them government parties, by the way), and given our STORK background, we read the guide with interest. It goes too far for a blog post to discuss the criteria in detail, but we can say that we saw no &#8216;strange things’. The risk-sensitive criteria also correspond reasonably well with the criteria recommended by the US government (from 2003! <a href="http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m04-04.pdf">here</a>, and with a <a href="http://www.nist.gov/manuscript-publication-search.cfm?pub_id=910388">recent revision</a>). The Americans view the assignment of assurance levels as part of a broader, process-oriented whole in which, in addition to a risk analysis and a mapping onto assurance levels, attention is also paid to evaluating this and to selecting an authentication solution. Such a process-oriented approach is of added value for the e-service provider.</p>
<p>Below are some other remarks on and additions to the guide, at a high level:</p>
<ul>
<li><strong>E-government specific</strong> – the criteria were drawn up for (Dutch) government service providers, and a significant part of them does not apply to private service providers. To stimulate business-to-business eHerkenning, an adapted version of the guide seems necessary to us; for example, the criteria “processing of BSN” and “public interest”.</li>
<li><strong>Motivation</strong> – an explicit motivation for the criteria is missing, and some choices could also have been made differently. Possibly it reflects the consensus of a broad group of experts from the government domain; that is not clear to us. A nuance here is that in practice a service will turn out to score at different levels for different criteria; it then remains, as the title says, a guide.</li>
<li><strong>Mandates and machine-to-machine</strong> – these are out of scope for the guide, but in our opinion how to deal with assurance levels for mandates (delegated authorizations) and machine-to-machine interactions is very relevant.</li>
<li><strong>Risk and likelihood</strong> – the guide largely passes over the method commonly used in risk analysis whereby identified risks are quantified by determining the likelihood that a threat occurs and its impact: Risk = Likelihood x Impact. In effect only the impact is taken into account.</li>
<li><strong>Costs and eHerkenning specific</strong> – the guide does not address costs and user aspects. In the context of eHerkenning this may also be less relevant, since a government service provider has no direct responsibility for these and does not bear the costs either. It is however important to realize that choosing a (too) high level can come at the expense of the use of the service: not every user will be willing to bear the costs of a strong authentication credential, and a lack of ease of use will lead to less use of the service.</li>
</ul>
<p><strong>Conclusion</strong></p>
<p>The guide is a good first step towards a <em>best practice</em> for how government service providers can classify their service into assurance levels. From our own experience we also know that there is a need for more guidance here. The next step, it seems to us, is to test it by means of cases, and to feed experiences and developments back into the criteria. Furthermore it would be interesting to analyze how foreign governments deal with this, and where the differences lie.</p>
<p>UPDATE 23 Feb 2012: the guide has been published in a &#8216;<a href="http://www.logius.nl/fileadmin/logius/product/Samenwerkende_Catalogi/HR_Betrouwbaarheidsniveaus_WEB.pdf">nicer&#8217; version</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://maarten.wegdam.name/2012/02/09/guide-to-classifying-e-services-to-levels-of-assurance-a-good-first-step/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/14ddd460c4b636c6fda72af4f17206a4?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">maarten</media:title>
		</media:content>

		<media:content url="http://maartenwegdam.files.wordpress.com/2012/02/201202-loas1.png" medium="image">
			<media:title type="html">201202 - LoAs</media:title>
		</media:content>
	</item>
		<item>
		<title>Looking back at 2011: what was new, and what could have been (IDentity.Next newsletter)</title>
		<link>http://maarten.wegdam.name/2011/12/21/looking-back-at-2011-what-was-new-and-what-could-have-been-identity-next-newsletter/</link>
		<comments>http://maarten.wegdam.name/2011/12/21/looking-back-at-2011-what-was-new-and-what-could-have-been-identity-next-newsletter/#comments</comments>
		<pubDate>Wed, 21 Dec 2011 10:06:18 +0000</pubDate>
		<dc:creator>Maarten Wegdam</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[identity]]></category>
		<category><![CDATA[trust framework]]></category>

		<guid isPermaLink="false">http://maarten.wegdam.name/?p=324</guid>
<description><![CDATA[I wrote an article for the IDentity.Next newsletter that came out today (21 December 2011). It is here, and for convenience, also copied below. Looking back at 2011: what was new, and what could have been 18-12-2011 With 2011 almost over, the question IDentity.News had for me was to look back to 2011 what were new developments [...]]]></description>
<content:encoded><![CDATA[<p>I wrote an article for the IDentity.Next newsletter that came out today (21 December 2011). It is <a href="http://www.identitynext.nl/news.php?id=39">here</a> and, for convenience, also copied below.</p>
<p><a href="http://maartenwegdam.files.wordpress.com/2011/12/1324209834_2011.jpg"><img class="aligncenter size-full wp-image-325" title="1324209834_2011" src="http://maartenwegdam.files.wordpress.com/2011/12/1324209834_2011.jpg?w=450" alt=""   /></a></p>
<h3>Looking back at 2011: what was new, and what could have been</h3>
<div><strong>18-12-2011</strong></div>
<p>With 2011 almost over, the question IDentity.News had for me was to look back at 2011: what were the new developments in the area of digital identity? Since I&#8217;m in the business of innovation, looking forward is more in my DNA than looking back. So, a little out of my comfort zone, below are three major new developments of 2011 and, also, three developments that did not happen in 2011.</p>
<p><strong>1. Trust frameworks</strong> &#8211; in the US (e.g. NSTIC, OIX), in NL (e.g. eHerkenning) and elsewhere, trust frameworks as a way to ensure a fair and trusted ecosystem for providing identity-related services are catching on. Experience with large-scale deployment is still limited though. I guess we just have to do and learn. And the alternative to trust frameworks (i.e. government-issued identities) also remains popular (e.g. the new German ID card, the Dutch DigiD/eNIK).</p>
<p><strong>2. Cloud and identity-as-a-service</strong> &#8211; it seems impossible for a self-respecting event in the area of identity not to spend significant time on the combination of cloud and identity. And something similar seems to apply to identity experts :-). There is also progress here; especially commercial offerings of identity-as-a-service have been progressing. On making the cloud identity-enabled, things have developed more slowly than I would have expected a year ago. Although I guess everyone (?) agrees that companies want centralized authentication, authorization and provisioning (efficiency, control etc.), adoption of standards is still too limited, which is at least part of the reason this is going slowly.</p>
<p><strong>3. DigiNotar</strong> (and other security fiascos in the identity area) &#8211; while a disaster for DigiNotar and potentially a huge disaster for an unknown number of Iranians, there is actually a bright side. It resulted in more attention at &#8216;higher levels in organizations&#8217; for information security and identity. And I&#8217;m sure many security consultants had sufficient work in the second half of 2011. The downside of this attention is that I would rather have digital identity associated with &#8216;enabling online services&#8217; than with security risks.</p>
<p>There are also three developments that did not happen, but could have. I stay close to home for these.</p>
<p>What first comes to mind is that there is still no clarity on the introduction of a Dutch electronic identity card (eNIK), although the responsible Minister of Internal Affairs promised parliament a proposal before the end of the year (still two weeks to go!).</p>
<p>What also did not happen in the Netherlands is the Dutch national electronic health record; instead, the Dutch Senate seems to prefer faxes, or maybe smoke signals. Not that the proposed law they stopped did not have its flaws from a privacy and authorization perspective. But the proposal could have been improved upon, and current practice is much worse in my opinion. Hopefully the Dutch national health record will continue in another form; there are signs it might.</p>
<p>The third development that did not happen is a breakthrough in a re-usable consumer identity solution on a Dutch national or, even better, European or worldwide scale: we still have the same long list of usernames/passwords for every website that offers personalization.</p>
<p><em><strong>Maarten Wegdam </strong>(principal consultant Novay &#8211; IDentity.Next member panel)</em></p>
<br />Filed under: <a href='http://maarten.wegdam.name/category/uncategorized/'>Uncategorized</a> Tagged: <a href='http://maarten.wegdam.name/tag/identity/'>identity</a>, <a href='http://maarten.wegdam.name/tag/trust-framework/'>trust framework</a>]]></content:encoded>
			<wfw:commentRss>http://maarten.wegdam.name/2011/12/21/looking-back-at-2011-what-was-new-and-what-could-have-been-identity-next-newsletter/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/14ddd460c4b636c6fda72af4f17206a4?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">maarten</media:title>
		</media:content>

		<media:content url="http://maartenwegdam.files.wordpress.com/2011/12/1324209834_2011.jpg" medium="image">
			<media:title type="html">1324209834_2011</media:title>
		</media:content>
	</item>
		<item>
		<title>Do&#8217;s and don&#8217;t&#039;s for DigiD</title>
		<link>http://maarten.wegdam.name/2011/12/20/dos-and-donts-for-digid/</link>
		<comments>http://maarten.wegdam.name/2011/12/20/dos-and-donts-for-digid/#comments</comments>
		<pubDate>Mon, 19 Dec 2011 22:43:39 +0000</pubDate>
		<dc:creator>Maarten Wegdam</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[identity]]></category>
		<category><![CDATA[identity federation]]></category>

		<guid isPermaLink="false">http://maartenwegdam.wordpress.com/?p=316</guid>
<description><![CDATA[DigiD is the Dutch national digital identity solution for citizen-2-government. Although not the most secure solution around, it is one of the more successful ones with respect to actual usage. DigiD is actually not only for e-government services, but also for online services in healthcare and pensions (since they can use the Dutch social security number). For such a [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.novay.nl/img/content/1579/1579_blogpost.png" alt="Nieuwe logo DigiD" width="163" height="175" /></p>
<p>DigiD is the Dutch national digital identity solution for citizen-2-government. Although not the most secure solution around, it is one of the more successful ones with respect to actual usage. DigiD is actually not only for e-government services, but also for online services in healthcare and pensions (since they can use the Dutch social security number). For such a &#8216;lucky&#8217; company, which is going to use DigiD next to its own identity solution for consumers, we did a series of interviews to determine the do&#8217;s and don&#8217;ts of implementing DigiD. My colleague Wouter Bokhove was in the lead for this, and published a blog post summarizing some of the main findings. It is in Dutch, and can be found <a href="http://www.novay.nl/onze-mensen/wouter-bokhove/digid-een-goede-voorbereiding-is-het-halve-werk/12504">here</a> or, for your convenience, copied below (translated). Amongst others we advised on using the new SAMLv2 interfaces versus the &#8216;old&#8217; A-Select interfaces, and on how to use the Levels of Assurance concept.</p>
<h3>DigiD: good preparation is half the work!</h3>
<p>Suppose you are an organization in the pension or healthcare sector with a &#8216;Mijn&#8217; (My) environment where customers can arrange matters online. Some of your users have an account for this My-environment based on a username and password (with all the drawbacks and limitations that entails), but you are looking for a cheaper, more secure and/or more user-friendly alternative.</p>
<p>Is DigiD the answer? When is it useful to implement DigiD? Why would I still offer my own username/password combination? What is important when implementing a DigiD connection? DigiD has several interfaces; which one should I choose? What will change with DigiD 4.0, which other developments are relevant, and what impact could these changes and developments have on the choices I make now? How do I ensure a future-proof identity architecture that can cope with this?</p>
<p><a href="http://www.novay.nl/" target="_blank">Novay</a> has formulated a number of recommendations for a large Dutch financial services provider that answer these questions. For this we not only looked at this client&#8217;s current situation and the publicly available information about DigiD, but also spoke extensively with experienced practitioners from the healthcare sector, system integrators and <a href="http://www.logius.nl/" target="_blank">Logius</a>. In this blog post I briefly describe a few of the recommendations that are of interest to a wider audience:</p>
<ul>
<li>There can be various reasons for wanting to use DigiD:
<ul>
<li>it becomes possible to offer services that require a higher level of assurance (compared to your own username and password);</li>
<li>using <a href="http://www.zorgvisie.nl/ICT/Achtergronden-1/08357/DigiD-Veilige-toegang-en-algemeen-geaccepteerd.htm" target="_blank">DigiD lowers the threshold</a> for customers to use the My-environment; as a result more customers will use this (typically cheaper) channel;</li>
<li>your own authentication means will be used less, so fewer new identities need to be issued and there will be less load on the helpdesk (e.g. for resetting forgotten passwords);</li>
<li>it may no longer be necessary to offer your own authentication means at all (this depends, among other things, on whether all customers can actually apply for a DigiD).</li>
</ul>
</li>
<li>A choice must be made between connecting to the &#8216;old&#8217; A-Select interface or the &#8216;new&#8217; SAML v2 interface. SAML v2 is recommended because it is more future-proof (SAML v2 is an OASIS standard). SAML v2 is supported from <a href="http://www.logius.nl/producten/toegang/digid/ontwikkeling/" target="_blank">DigiD 4.0</a> onwards (SAML v2 is already available today for DigiD Eenmalig Inloggen, i.e. single sign-on). Its release has however been <a href="http://www.logius.nl/actueel/item/titel/planning-digid-40-gewijzigd/" target="_blank">postponed</a> from 1 October 2011 to after 1 April 2012.</li>
<li>Although using DigiD, and the support from Logius during its implementation, is currently still <a href="http://www.logius.nl/actueel/item/titel/logius-heeft-officiele-status-van-baten-lastendienst/" target="_blank">free of charge</a>, it is wise to take into account that this will change in time. At this point it is not possible to predict how expensive it will be, or whether the cost will differ per level of assurance.</li>
<li>Do a risk assessment of the current and planned services for the My-environment and determine which levels of assurance they require. For future-proofing it is wise to use the levels of assurance as defined in the European <a href="http://www.novay.nl/projecten/stork/4338" target="_blank">STORK</a> project (<a href="https://www.eid-stork.eu/dmdocuments/public/D2.3_final._1.pdf" target="_blank">D2.3</a>, written by Novay on behalf of the Dutch Ministry of the Interior (BZK)).</li>
<li>Logius is very strict about the communication requirements, and it turns out that Logius frequently rejects (pre-)production environments that do not meet them. This means a connecting party cannot take any liberties with the prescribed texts and the use of the DigiD logo.</li>
</ul>
<p>The above recommendations were drawn up before &#8216;<a href="http://webwereld.nl/tags/lektober-2011.html" target="_blank">Lektober</a>&#8217;. In light of the recent DigiD-related security problems at municipalities and other organizations that surfaced as a result, one more recommendation can be added:</p>
<ul>
<li>Minister Donner intends that all organizations connected to DigiD will soon have to carry out an <a href="http://www.logius.nl/actueel/item/titel/intensief-contact-gemeenten-over-aansluiten-digid/" target="_blank">annual ICT security assessment</a>. Anticipate this now by making sure your security complies with the &#8220;<a href="http://www.govcert.nl/dienstverlening/Kennis+en+publicaties/factsheets/checklist-webapplicatie-beveiliging.html" target="_blank">Checklist beveiliging webapplicaties</a>&#8221; (web application security checklist) drawn up by GOVCERT.</li>
</ul>
<br />Filed under: <a href='http://maarten.wegdam.name/category/uncategorized/'>Uncategorized</a> Tagged: <a href='http://maarten.wegdam.name/tag/identity/'>identity</a>, <a href='http://maarten.wegdam.name/tag/identity-federation/'>identity federation</a>]]></content:encoded>
			<wfw:commentRss>http://maarten.wegdam.name/2011/12/20/dos-and-donts-for-digid/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/14ddd460c4b636c6fda72af4f17206a4?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">maarten</media:title>
		</media:content>

		<media:content url="http://www.novay.nl/img/content/1579/1579_blogpost.png" medium="image">
			<media:title type="html">Nieuwe logo DigiD</media:title>
		</media:content>
	</item>
		<item>
<title>Internet banking fraud in the Netherlands: three times more incidents, twice the damage</title>
		<link>http://maarten.wegdam.name/2011/11/15/internet-bankingfraud-in-the-netherlands-three-time-more-incidents-twice-the-damage/</link>
		<comments>http://maarten.wegdam.name/2011/11/15/internet-bankingfraud-in-the-netherlands-three-time-more-incidents-twice-the-damage/#comments</comments>
		<pubDate>Tue, 15 Nov 2011 09:46:09 +0000</pubDate>
		<dc:creator>Maarten Wegdam</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[phishing]]></category>

		<guid isPermaLink="false">http://maarten.wegdam.name/?p=304</guid>
<description><![CDATA[The Dutch Banking Association (NVB) provides numbers on internet banking fraud in the Netherlands, I think twice a year (see also my last post on this). Yesterday they announced new numbers, together with a new awareness campaign for the public. The numbers they announced yesterday for the first half of 2011: the number of incidents is [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://maartenwegdam.files.wordpress.com/2010/10/phishing1.png"><img class="aligncenter size-full wp-image-167" title="phishing" src="http://maartenwegdam.files.wordpress.com/2010/10/phishing1.png?w=450&#038;h=199" alt="" width="450" height="199" /></a></p>
<p>The Dutch Banking Association (NVB) provides numbers on internet banking fraud in the Netherlands, I think twice a year (see also my <a href="http://maarten.wegdam.name/2011/03/15/updated-numbers-on-internet-banking-fraud-in-the-netherlands-5-fold-increase-in-2010/">last post on this</a>). Yesterday they announced <a href="http://www.nvb.nl/index.php?p=918684">new numbers</a>, together with a new awareness campaign for the public. The numbers they announced yesterday for the first half of 2011: the number of incidents is 2400 and the damage is €11.2M.</p>
<p>I extrapolated these numbers to the whole of 2011 by simply multiplying them by two (which is probably optimistic) and compared them to the 2009 and 2010 numbers. The bottom line is that internet banking fraud still increases a lot, with more than twice the damage in 2011 compared to 2010. The relative increase is however less dramatic than from 2009 to 2010, when it increased by a factor of five. The number of incidents increased by a factor of about 3.5, and thus there is also good news: the damage per incident decreased (to an average of ~€4,500 per incident). I guess this is because the Dutch banks improved their detection of internet fraud, and are more effective in quickly stopping money mules.</p>
<p>Non-technical countermeasures such as continuing awareness campaigns and the Electronic Crimes Taskforce (which hunts cybercrimes) are needed, but really preventing internet banking fraud also depends on better authentication means and other more technical measures. What I found somewhat remarkable is that the NVB press release, and also e.g. the article in the Volkskrant (a Dutch national newspaper), talked about &#8216;old fashioned&#8217; phishing emails as being a big part of the problem, while I&#8217;m personally more worried about malware on consumers&#8217; devices (laptop, smartphone, tablet etc.). As an anecdote, a colleague of mine was very recently the target of an attack involving advanced malware that infected his PC despite up-to-date patches and virus scanners. The malware then waited till my colleague made a transfer, and added a transfer to empty his account to a money mule in Portugal. Such malware is undetectable for &#8216;normal people&#8217;; the browser even indicates a valid website certificate. He however noticed this right after the transfer because the browser was acting strangely, and was able to stop the transfer by calling his bank. I&#8217;m, however, sure that for someone less &#8216;nerdy&#8217; the browser&#8217;s strange behavior would have been too subtle to notice.</p>
<p>The graphs below show the fraud numbers for 2009, 2010 and (extrapolated for) 2011.</p>
<p style="text-align:center;"><a href="http://maartenwegdam.files.wordpress.com/2011/11/2011-internet-banking-fraud-nl-in-euros.png"><img class="size-full wp-image-305 aligncenter" title="2011-internet-banking-fraud-NL-in-euros" src="http://maartenwegdam.files.wordpress.com/2011/11/2011-internet-banking-fraud-nl-in-euros.png?w=450" alt=""   /></a></p>
<p style="text-align:center;"><a href="http://maartenwegdam.files.wordpress.com/2011/11/2011-internet-banking-fraud-nl-in-amount-of-incidents.png"><img class="aligncenter size-full wp-image-306" title="2011-internet-banking-fraud-NL-in-amount-of-incidents" src="http://maartenwegdam.files.wordpress.com/2011/11/2011-internet-banking-fraud-nl-in-amount-of-incidents.png?w=450" alt=""   /></a></p>
<p style="text-align:center;"><a href="http://maartenwegdam.files.wordpress.com/2011/11/2011-internet-banking-fraud-nl-in-euros1.png"><img class="aligncenter size-full wp-image-307" title="2011-internet-banking-fraud-NL-in-euros" src="http://maartenwegdam.files.wordpress.com/2011/11/2011-internet-banking-fraud-nl-in-euros1.png?w=450" alt=""   /></a></p>
<br />Filed under: <a href='http://maarten.wegdam.name/category/uncategorized/'>Uncategorized</a> Tagged: <a href='http://maarten.wegdam.name/tag/identity-theft/'>identity theft</a>, <a href='http://maarten.wegdam.name/tag/phishing/'>phishing</a>]]></content:encoded>
			<wfw:commentRss>http://maarten.wegdam.name/2011/11/15/internet-bankingfraud-in-the-netherlands-three-time-more-incidents-twice-the-damage/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/14ddd460c4b636c6fda72af4f17206a4?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">maarten</media:title>
		</media:content>

		<media:content url="http://maartenwegdam.files.wordpress.com/2010/10/phishing1.png" medium="image">
			<media:title type="html">phishing</media:title>
		</media:content>

		<media:content url="http://maartenwegdam.files.wordpress.com/2011/11/2011-internet-banking-fraud-nl-in-euros.png" medium="image">
			<media:title type="html">2011-internet-banking-fraud-NL-in-euros</media:title>
		</media:content>

		<media:content url="http://maartenwegdam.files.wordpress.com/2011/11/2011-internet-banking-fraud-nl-in-amount-of-incidents.png" medium="image">
			<media:title type="html">2011-internet-banking-fraud-NL-in-amount-of-incidents</media:title>
		</media:content>

		<media:content url="http://maartenwegdam.files.wordpress.com/2011/11/2011-internet-banking-fraud-nl-in-euros1.png" medium="image">
			<media:title type="html">2011-internet-banking-fraud-NL-in-euros</media:title>
		</media:content>
	</item>
		<item>
		<title>Edentiti wins Novay Digital Identity Award!</title>
		<link>http://maarten.wegdam.name/2011/11/10/edentiti-wins-novay-digital-identity-award/</link>
		<comments>http://maarten.wegdam.name/2011/11/10/edentiti-wins-novay-digital-identity-award/#comments</comments>
		<pubDate>Thu, 10 Nov 2011 09:30:52 +0000</pubDate>
		<dc:creator>Maarten Wegdam</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[identity]]></category>

		<guid isPermaLink="false">http://maarten.wegdam.name/?p=299</guid>
<description><![CDATA[Yesterday was the second edition of the IDentity.Next (un)conference, and also the second time Novay put an innovation in the area of digital identity in the spotlight by awarding it with the Novay Digital Identity Award. Congratulations to Edentiti, and its founder Kevin Cox!!! Edentiti is an Australian start-up that does online identity verification. What I [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://maartenwegdam.files.wordpress.com/2011/11/novay-digital-identiti-award-2011.png"><img class="aligncenter size-full wp-image-300" title="Novay-Digital-Identiti-Award-2011" src="http://maartenwegdam.files.wordpress.com/2011/11/novay-digital-identiti-award-2011.png?w=450" alt=""   /></a></p>
<p>Yesterday was the second edition of the <a href="http://www.identitynext.eu">IDentity.Next</a> (un)conference, and also the second time Novay put an innovation in the area of digital identity in the spotlight by awarding it with the Novay Digital Identity Award. Congratulations to <a href="http://www.edentiti.com">Edentiti</a>, and its founder Kevin Cox!!!</p>
<p>Edentiti is an Australian start-up that does online identity verification. What I personally like most about Edentiti is that they have a very pragmatic approach to identity verification which exploits a range of existing online databases and previously established identities. They provide increasing levels of trustworthiness of the identity verification, where an increase in trust means more hassle for the user (and probably more cost for the service provider), but for many online services a lower level of trustworthiness is already good enough. And in all cases, the service provider doesn’t have to do the identity verification himself, and the user is in control of how his identity is verified. A ‘trick’ they use is that users can verify their identity by proving that they have existing relationships with organizations. For more details, check out <a href="http://www.greenid.com.au/howitworks/index.html">this webpage</a> from the greenID verification service that they provide together with a partner.</p>
<p>The photo with this blog post is the award itself. The artist is Alexandra Veneman (from Ommen in NL, the same as for the 2010 award). The wave pattern symbolizes that identity is of all times and all areas. The I and the D of course stand for identity. She used the purple color from the Novay logo.</p>
<p>I copied the <a href="http://www.novay.nl/news/edentiti-wins-novay-digital-identity-award/12489">official announcement </a>of the award below.</p>
<h2><span style="color:#ff6600;"><strong>Edentiti wins Novay Digital Identity Award! </strong></span></h2>
<p><strong>The Hague, November 9, 2011 &#8211; At the Identity.Next’11 conference today, the Australian Edentiti has won the Novay Digital Identity Award for the best new concept or product in the field of digital identity. Edentiti provides online identity verification by checking information from various online data sources, and does so under the control of the end user.</strong></p>
<p>Identity verification is the process of verifying if someone is who he or she claims to be. It can be used to prevent identity theft, for age verification where the purchase of alcohol or gambling is concerned and for several other reasons. What the jury found particularly appealing about Edentiti is the efficient and innovative manner in which they rely on existing online identities that a user has, and use these as a basis for identity proofing for new online services. In the system Edentiti offers, individuals can verify their identity by proving they have existing relationships with organizations. Proof is obtained by the individual using the Privacy Principle that says that individuals can ask any organization that might hold personal information on them “Do you have any information about me? Yes or No?”. The number and quality of the “Yes” relationships determine the trust in the verification. Edentiti is also provided through Deloitte Digital under the brand name greenID, addressing Anti-Money Laundering/Counter-Terrorism Financing (AML/CTF) legislation.</p>
<p>Herman van der Lugt, director of research institute Novay and chairman of the jury: “It is easier for end-users and less expensive for online businesses than traditional face-to-face identity verification approaches. Additionally, Edentiti lets the individual control the whole process of identity verification, which is a big plus, considering the privacy sensitivity.” Edentiti has an approach and business model that allows for incremental growth: in number of users, in number of customers and in the level of trustworthiness of the identity verification. The jury believes that their approach has the potential to be expanded to other countries through partnerships. Organizations which use the system include Australia Post, the Australian Superannuation Fund and the National Australia Bank. More on Edentiti’s approach can be found at <a href="http://www.edentiti.com">www.edentiti.com</a>.</p>
<p>Apart from Edentiti, three more organizations were nominated for the award. Qiy (<a href="http://www.qiy.com">www.qiy.com</a>) is a Dutch personal data store initiative that provides a secure environment in which a user controls which companies can access his or her information. WAYF (<a href="http://www.wayf.dk">www.wayf.dk</a>), a Danish identity federation, connects over 90 service providers with over 130 identity providers in education, libraries, health care and government (including the NemLog-in national authentication system). WAYF pioneered and contributed to open source with, amongst others, a user consent module, real-time calculation of economic benefits of the federation and a federation administration interface. tiQR (<a href="http://www.tiqr.org">www.tiqr.org</a>) is an open-source and standards-based authentication solution from SURFnet. It uses a mobile phone to scan a QR code that is presented by a webpage, thereby implementing two-factor authentication that is very user friendly.</p>
<p>The award is part of the IDentity.Next’11 conference in The Hague, organized by the IDentity.Next foundation that focuses on developments in digital identity. With the award, IDentity.Next and research based ICT consultancy Novay want to recognize and support new developments and innovations that are shaping the future of digital identity. Co-organizer of the conference is EEMA, Europe&#8217;s leading independent, non-profit e-Identity &amp; Security Association. The conference brings together experts, professionals and industrial parties to discuss the latest developments in the field of digital identity. More information about the award and the jury is available at <a href="http://www.identitynext.eu">www.identitynext.eu</a>.</p>
<br />Filed under: <a href='http://maarten.wegdam.name/category/uncategorized/'>Uncategorized</a> Tagged: <a href='http://maarten.wegdam.name/tag/identity/'>identity</a>]]></content:encoded>
			<wfw:commentRss>http://maarten.wegdam.name/2011/11/10/edentiti-wins-novay-digital-identity-award/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/14ddd460c4b636c6fda72af4f17206a4?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">maarten</media:title>
		</media:content>

		<media:content url="http://maartenwegdam.files.wordpress.com/2011/11/novay-digital-identiti-award-2011.png" medium="image">
			<media:title type="html">Novay-Digital-Identiti-Award-2011</media:title>
		</media:content>
	</item>
		<item>
		<title>Nominees Novay Digital Identity Award announced</title>
		<link>http://maarten.wegdam.name/2011/10/26/nominees-novay-digital-identity-award-announced/</link>
		<comments>http://maarten.wegdam.name/2011/10/26/nominees-novay-digital-identity-award-announced/#comments</comments>
		<pubDate>Wed, 26 Oct 2011 15:40:46 +0000</pubDate>
		<dc:creator>Maarten Wegdam</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[identity]]></category>

		<guid isPermaLink="false">http://maarten.wegdam.name/?p=297</guid>
		<description><![CDATA[The submissions were quite diverse, and from more different countries than last year. Since it was difficult to narrow it down to the intended maximum of three nominees, the jury decided to select four. My congratulations to edentiti, Qiy, WAYF and tiQR!! The jury is not done though, the winner still has to be selected among the [...]]]></description>
			<content:encoded><![CDATA[<p>The submissions were quite diverse, and from more different countries than last year. Since it was difficult to narrow it down to the intended maximum of three nominees, the jury decided to select four <img src='http://s0.wp.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> My congratulations to edentiti, Qiy, WAYF and tiQR!! The jury is not done though, the winner still has to be selected among the nominees.</p>
<p>Below is the <a href="http://www.novay.nl/news/nominees-novay-digital-identity-award-2011/12476">&#8216;official&#8217; press release, copied from the Novay website</a>.</p>
<p><strong>On November 9, one of four nominees will be granted the Novay Digital Identity Award at the IDentity.Next’11. The nominees for the best new concept or product in the field of digital identity are: the Australian edentiti, the Danish WAYF and the Dutch Qiy and tiQR.</strong></p>
<p>Edentiti (<a href="http://www.edentiti.com/"><span style="text-decoration:underline;">http://www.edentiti.com</span></a>) is an Australian identity proofing system that provides online identity verification by checking information from various online data sources, and does so under control of the user. Qiy (<a href="http://www.qiy.com/"><span style="text-decoration:underline;">http://www.qiy.com</span></a>) is a Dutch personal data store initiative that provides a secure environment in which a user controls which companies can access his or her information. WAYF (<a href="http://www.wayf.dk/"><span style="text-decoration:underline;">http://www.wayf.dk</span></a>), a Danish identity federation, connects over 90 service providers with over 130 identity providers in education. WAYF pioneered and contributed to open source with, amongst others, a user consent module, real-time calculation of economic benefits of the federation and a federation administration interface. tiQR (<a href="http://tiqr.org/"><span style="text-decoration:underline;">http://tiqr.org</span></a>) is an open-source and standards-based authentication solution from SURFnet. It uses a mobile phone to scan a QR code that is presented by a webpage, thereby implementing two-factor authentication that is very user friendly.</p>
<p>Most people have one or more digital identities. As we use more online services, this number increases and the question of who knows what about whom becomes increasingly complex. And then there&#8217;s the digital keychain, which yields more annoyance than convenience. With this award, IDentity.Next and ICT research institute Novay recognize and support new developments that will shape the future of digital identities. The jury is chaired by Herman van der Lugt, Director of Novay. The jury also includes Ziggur, last year’s winner. Ziggur provides a service that gives users control over what happens to their online identity after their death.</p>
<p>The award is part of the IDentity.Next conference in The Hague, organized by the Identity.Next foundation that focuses on developments in digital identity. Co-organizer is EEMA, Europe&#8217;s leading independent, non-profit e-Identity &amp; Security Association. The conference brings together experts, professionals and industrial parties to discuss the latest developments in the field of digital identity. More information about the award and the program is available at <a href="http://www.identitynext.eu/"><span style="text-decoration:underline;">www.identitynext.eu</span></a>.</p>
<br />Filed under: <a href='http://maarten.wegdam.name/category/uncategorized/'>Uncategorized</a> Tagged: <a href='http://maarten.wegdam.name/tag/identity/'>identity</a>]]></content:encoded>
			<wfw:commentRss>http://maarten.wegdam.name/2011/10/26/nominees-novay-digital-identity-award-announced/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/14ddd460c4b636c6fda72af4f17206a4?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">maarten</media:title>
		</media:content>
	</item>
		<item>
		<title>SIM augmented authentication as alternative for SIM based?</title>
		<link>http://maarten.wegdam.name/2011/10/20/sim-augmented-authentication-as-alternative-for-sim-based/</link>
		<comments>http://maarten.wegdam.name/2011/10/20/sim-augmented-authentication-as-alternative-for-sim-based/#comments</comments>
		<pubDate>Thu, 20 Oct 2011 19:17:07 +0000</pubDate>
		<dc:creator>Maarten Wegdam</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[mobile-centric identity]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://maarten.wegdam.name/?p=282</guid>
		<description><![CDATA[We recently did an assessment of a so-called SIM augmented authentication token, or VASCO&#8217;s new DigiPass Nano product to be more specific. We did this for SURFnet, for which we previously also did an assessment of Mobile PKI. We liked Mobile PKI, but it has a big disadvantage: you depend on your mobile network operator to be able [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://maartenwegdam.files.wordpress.com/2011/10/dp-nano.jpg"><img class="aligncenter size-full wp-image-285" title="dp-nano" src="http://maartenwegdam.files.wordpress.com/2011/10/dp-nano.jpg?w=450&#038;h=244" alt="" width="450" height="244" /></a></p>
<p>We recently did an assessment of a so-called <em>SIM augmented authentication token</em>, or VASCO&#8217;s new DigiPass Nano product to be more specific. We did this for SURFnet, for which we previously also did <a href="http://maarten.wegdam.name/2010/01/08/mobile-pki-and-mobile-centric-identity/">an assessment of Mobile PKI</a>. We liked Mobile PKI, but it has a big disadvantage: you depend on your mobile network operator to be able to use it (and in the Netherlands they are not deploying this any time soon). This disadvantage is the main motivation to look at SIM augmented tokens. These are, as the term suggests, added to the SIM card instead of being &#8216;inside&#8217; it.</p>
<p>So what is a <em>SIM augmented</em> authentication token? Physically it is a sticker with an embedded chip that you stick on your SIM card and that sits between the SIM card and the mobile phone. The chip stores a secret used for authentication, which is more secure than storing the secret in a &#8216;normal&#8217; mobile app. This secret is used by an authentication application that also runs from this chip. This application, from the perspective of the mobile phone, appears to be a normal <em><a href="http://en.wikipedia.org/wiki/SIM_Application_Toolkit" target="_blank">SIM application</a></em>, and can work on basically any phone (smart or dumb). The only SIM augmented authentication token that I&#8217;m aware of is the above mentioned DigiPass Nano from VASCO (let me know if you know of others?). The DigiPass Nano implements event-based one-time-password functionality, i.e., it generates a new code every time the user asks for it.</p>
<p>We did an assessment of the usability, security and business model aspects. Below I copied the conclusions, but the bottom line is that we believe from a security perspective this is a good alternative to other one-time-password solutions, and it is more secure than solutions implemented as a mobile app. The main benefit is that it works on basically any phone (also non-smartphones), and you can deploy it without needing help (and investments) from your mobile operator. The main disadvantage is the user experience. We did some limited testing with putting the sticker on, which was ok, but the user experience of getting a one-time-password can be troublesome. It requires the user to find SIM applications on their mobile phone, which are often hidden somewhere deep in the menus. My estimate is that this usability limitation will need to be addressed for this technology to get acceptance beyond specific enterprise use-cases. Or to put it differently, I&#8217;d do very careful usability optimizations/testing before deploying this to millions of consumers.</p>
<p>This assessment was joint work with my colleague Martijn Oostdijk; see his <a href="http://martijno.blogspot.com/2011/07/digipass-nano.html">blog</a> for more details, especially on the security aspect. The full <a href="http://www.surfnet.nl/Documents/rapport_201105_evaluation_vasco_DP_Nano_1_0_0.pdf" target="_blank">report</a> of our assessment is available via the SURFnet website. If you&#8217;re looking for a wider perspective on the combination of mobile and digital identity, see this previous blog post on our <a href="http://maarten.wegdam.name/2011/04/05/mobile-centric-identity-in-the-identity-next-newsletter/">mobile-centric identity vision</a>.</p>
<blockquote><p><strong>6 Conclusions</strong></p>
<p>The Digipass Nano uses a form factor that is relatively unique in the authentication token market. It is a SIM augmented token, a thin patch/sticker including an embedded chip that sits between the SIM and the user’s mobile phone. The key advantages of this form factor are:</p>
<ul>
<li>secure storage of credentials under a &#8220;security domain&#8221; that is distinct from the other stake holders (e.g. mobile operators, handset vendors),</li>
<li>while at the same time the ability to use the user-interface of the user’s existing GSM handset,</li>
<li>and, potentially, the use of the mobile phone’s GSM or 3G network.</li>
</ul>
<p>As most users will always carry their mobile phone with them, this means that the token will be present during transactions in many different contexts.</p>
<p>The technology underlying SIM augmentation is based on standards that have existed for a long time, are present in billions of GSM handsets around the world, and have proven to be relatively secure given the threat landscape thus far. The DP Nano does not use all features offered by this technology (it only uses the user interface features, not, e.g., the network features present in GSM 11.14). However, a number of variations of the DP Nano exist (see [10], apparently targeting different markets) which do utilise the networking capabilities of the GSM SIM, and which appear to more strongly bind the token to either handset (&#8220;IMEI lock&#8221;) or SIM (&#8220;IMSI lock&#8221;).</p>
<p>On paper, from a technological and security perspective, SIM augmented tokens compare well to other mobile and possession based tokens such as SMS OTP, OTP tokens, mobile soft tokens, and smart cards. As to the security, threats from malware on the handset are minimal as long as the SIM toolkit API interface is properly implemented on the handset.</p>
<p>The user experience may cause some problems for certain groups of users, depending on the issuance and installation process (e.g. whether users are required to install the token themselves). The DP Nano requires the user to navigate through unfamiliar text based menus in order to start up the application when asked by the SP to provide an OTP. This is the most prominent drawback when compared to e.g. the Mobile PKI experience (as described in [8]) where the authentication application on the handset is triggered over the air.</p>
<p>From a business model perspective SIM augmented tokens are interesting as they separate the role of SIM based authentication provider from the role of MNO. Obviously, being the first of its kind and relying on a server side licensing model and proprietary implementation, whether a choice for the DP Nano provides a positive business case when compared to MNO provided SIM based authentication remains to be seen.</p>
<p>Interesting features to add could be:</p>
<ul>
<li>Lock the token to IMSI or IMEI (possible, according to [10])</li>
<li>Use the network to initiate authentication transactions (drawback: implies sending service SMS messages to the token, which may mean cooperation of a MNO or at least per-transaction costs)</li>
<li>Use the network as an OOB channel during an authentication session (e.g. to display transaction details, similar drawback as above)</li>
<li>Use the network to &#8220;blacklist&#8221; a token when a token is reported stolen</li>
<li>Combine SIM augmented solution with a handset resident application to provide a better user experience (may be dependent on operating system and handset to provide installed apps with an API for communication with SIM)</li>
</ul>
<p>The latter option is particularly attractive as a way to enhance the security of SURFnet’s tiqr solution (see [11]) and other mobile app solutions.</p>
<p>Since a one-size-fits-all solution to authentication does not exist, in the end SIM augmented solutions will likely find a market alongside authentication tokens with different form factors.</p></blockquote>
<br />Filed under: <a href='http://maarten.wegdam.name/category/uncategorized/'>Uncategorized</a> Tagged: <a href='http://maarten.wegdam.name/tag/authentication/'>authentication</a>, <a href='http://maarten.wegdam.name/tag/mobile-centric-identity/'>mobile-centric identity</a>, <a href='http://maarten.wegdam.name/tag/security/'>security</a>]]></content:encoded>
			<wfw:commentRss>http://maarten.wegdam.name/2011/10/20/sim-augmented-authentication-as-alternative-for-sim-based/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/14ddd460c4b636c6fda72af4f17206a4?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">maarten</media:title>
		</media:content>

		<media:content url="http://maartenwegdam.files.wordpress.com/2011/10/dp-nano.jpg" medium="image">
			<media:title type="html">dp-nano</media:title>
		</media:content>
	</item>
		<item>
		<title>Digital identity in the Netherlands: DigiD for consumer-2-business?</title>
		<link>http://maarten.wegdam.name/2011/10/05/digital-identity-in-the-netherlands-digid-for-consumer-2-business/</link>
		<comments>http://maarten.wegdam.name/2011/10/05/digital-identity-in-the-netherlands-digid-for-consumer-2-business/#comments</comments>
		<pubDate>Wed, 05 Oct 2011 18:01:47 +0000</pubDate>
		<dc:creator>Maarten Wegdam</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[business model]]></category>
		<category><![CDATA[identity]]></category>
		<category><![CDATA[mobile-centric identity]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[trust framework]]></category>

		<guid isPermaLink="false">http://maarten.wegdam.name/?p=279</guid>
		<description><![CDATA[On Tuesday 4 October we organised a Novay networking event called Tuesday Update, with digital identities as the subject. The main subject of discussion was the need for re-usable identities, and especially who should be the identity provider: government or private parties. This is a hot subject in the Netherlands, also because of the recent [...]]]></description>
			<content:encoded><![CDATA[<p>On Tuesday 4 October we organised a Novay networking event called Tuesday Update, with digital identities as the subject. The main subject of discussion was the need for re-usable identities, and especially who should be the identity provider: government or private parties. This is a hot subject in the Netherlands, also because of the recent security incidents (<a href="http://maarten.wegdam.name/2011/09/06/hacks-will-happen-but-the-damage-can-be-less-diginotar/">DigiNotar</a>). Hein Aanstoot, director at <a href="http://www.sivi.org/">SIVI</a>, argued very well that the insurance sector increasingly needs a consumer-2-business identity solution, and if they were allowed to use the national citizen-2-government solution DigiD then this would help insurance companies a lot. This is however not allowed in the Netherlands, and Kees Keuzenkamp from the ministry of Internal Affairs explained the policy developments in this area (NL and EU), including the planned Dutch eID smartcard (called eNIK, <em>elektronische Nederlandse Identiteits Kaart</em>). Bottom line (in my wording) is that the decision on eNIK will be taken at the end of this year (after which it goes to parliament) and that it is very unlikely that DigiD/eNIK can be used as a generic consumer-2-business identity solution. Hein Aanstoot also gave some insight into a new initiative with several large insurance companies to create a breakthrough in a re-usable identity for the insurance sector. I think it is good for these insurance companies that they do not make themselves (too) dependent on the government or others (banks). I also presented, and gave my perspectives on consumer-2-business identities, why this is so difficult (privacy, trust etc), the outcomes of our cidSafe project, my views on DigiD (and eHerkenning) and what the role of government should be (especially: solve it or be very clear you&#8217;re not going to do so). I also presented three innovations we are working on that we believe will increasingly become important: user control over their data, mobile-centric identity and context-enhanced authentication/authorization. My presentation is on <a href="http://www.slideshare.net/wegdam/digitale-identiteiten-vertrouwen-identity-providers-en-de-toekomst-novay-tuesday-update-4-oktober-2011">slideshare</a> (Dutch!).</p>
<br />Filed under: <a href='http://maarten.wegdam.name/category/uncategorized/'>Uncategorized</a> Tagged: <a href='http://maarten.wegdam.name/tag/business-model/'>business model</a>, <a href='http://maarten.wegdam.name/tag/identity/'>identity</a>, <a href='http://maarten.wegdam.name/tag/mobile-centric-identity/'>mobile-centric identity</a>, <a href='http://maarten.wegdam.name/tag/privacy/'>privacy</a>, <a href='http://maarten.wegdam.name/tag/trust-framework/'>trust framework</a>]]></content:encoded>
			<wfw:commentRss>http://maarten.wegdam.name/2011/10/05/digital-identity-in-the-netherlands-digid-for-consumer-2-business/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/14ddd460c4b636c6fda72af4f17206a4?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">maarten</media:title>
		</media:content>
	</item>
	</channel>
</rss>
