Looking back at 2011: what was new, and what could have been (IDentity.Next newsletter)

2011/12/21

I wrote an article for the IDentity.Next newsletter that came out today (21 December 2011). It is here, and for convenience, also copied below.

Looking back at 2011: what was new, and what could have been

18-12-2011

With 2011 almost over, the question IDentity.News had for me was to look back at 2011 and identify the new developments in the area of digital identity. Since I’m in the business of innovation, looking forward is more in my DNA than looking back. So, a little out of my comfort zone, below are three major new developments of 2011, and also three developments that did not happen in 2011.

1. Trust frameworks: in the US (e.g. NSTIC, OIX), in the Netherlands (e.g. eHerkenning) and elsewhere, trust frameworks are catching on as a way to ensure a fair and trusted ecosystem for providing identity-related services. Experience with large-scale deployment is still limited though; I guess we just have to do and learn. And the alternative to trust frameworks (i.e. government-issued identities) also remains popular (e.g. the new German ID card, the Dutch DigiD/eNIK).

2. Cloud and identity-as-a-service: it seems impossible for a self-respecting event in the area of identity not to spend significant time on the combination of cloud and identity, and something similar seems to apply to identity experts :). There is also progress here; especially commercial offerings of identity-as-a-service have been progressing. On making the cloud identity-enabled, things have developed more slowly than I would have expected a year ago. Although I guess everyone (?) agrees that companies want centralized authentication, authorization and provisioning (efficiency, control etc.), adoption of standards is still too limited, which is at least part of the reason this is going slowly.

3. DigiNotar (and other security fiascos in the identity area): while a disaster for DigiNotar and potentially a huge disaster for an unknown number of Iranians (its compromised CA issued rogue certificates, including one for *.google.com that was used to intercept Iranian users’ traffic), there is actually a bright side. It resulted in more attention at ‘higher levels in organizations’ for information security and identity. And I’m sure many security consultants had sufficient work in the second half of 2011. The downside of this attention is that I would rather have digital identity associated with ‘enabling online services’ than with security risks.

There are also three developments that did not happen, but could have. I stay close to home for these.

What first comes to mind is that there is still no clarity on the introduction of a Dutch electronic identity card (eNIK), although the responsible Minister of Internal Affairs promised parliament a proposal before the end of the year (still two weeks to go!).

What also did not happen in the Netherlands is the Dutch national electronic health record; instead the Dutch senate seems to prefer faxes, or maybe smoke signals. Not that the proposed law they stopped did not have its flaws from a privacy and authorization perspective. But the proposal could have been improved upon, and current practice is much worse in my opinion. Hopefully the Dutch national health record will continue in another form; there are signs it might.

The third development that did not happen is a breakthrough in a re-usable consumer identity solution on Dutch national or, even better, European or worldwide scale: we still have the same long list of username/passwords for every website that offers personalization.

Maarten Wegdam (principal consultant Novay – IDentity.Next member panel)


Do’s and don’ts for DigiD

2011/12/20


DigiD is the Dutch national digital identity solution for citizen-2-government interaction. Although not the most secure solution around, it is one of the more successful ones with respect to actual usage. DigiD is actually not only for e-government services, but also for online services in healthcare and pensions (since those sectors may use the Dutch social security number, the BSN). For such a ‘lucky’ company, which is going to use DigiD next to its own identity solution for consumers, we did a series of interviews to determine the do’s and don’ts of implementing DigiD. My colleague Wouter Bokhove was in the lead for this, and published a blog post summarizing some of the main findings. It is in Dutch, and can be found here, or for your convenience it is copied below. Amongst other things we advised on using the new SAMLv2 interface versus the ‘old’ A-Select interface, and on how to use the Levels of Assurance concept.

DigiD: good preparation is half the work!

Suppose you are an organisation in the pension or healthcare sector with a ‘Mijn’ portal (a personalised customer portal) where customers can handle their affairs online. Part of your users have an account for this portal based on a username and password (with all the drawbacks and limitations that come with it), but you are looking for a cheaper, more secure and/or more user-friendly alternative.

Is DigiD then the answer? When is it useful to implement DigiD? Why would I still offer my own username/password combination? What matters when implementing a DigiD connection? DigiD has several interfaces; which one should I choose? What will change with DigiD 4.0, which other developments are relevant, and what impact could these changes and developments have on the choices I make now? How do I arrive at a future-proof identity architecture that can deal with this?

For a large Dutch financial services provider, Novay formulated a number of recommendations that answer these questions. For this we not only looked at the current situation of this client and the publicly available information about DigiD, but also spoke extensively with practitioners from the healthcare sector, with system integrators and with Logius. In this blog post I briefly describe a few of the recommendations that are of interest to a wider audience:

  • There can be several reasons for wanting to use DigiD:
    • it becomes possible to offer services that require a higher assurance level (compared to your own username and password);
    • the use of DigiD lowers the threshold for customers to use the portal, so more customers will use this (typically cheaper) channel;
    • your own authentication means will be used less, so fewer new identities need to be issued and the helpdesk will be less loaded (e.g. for resetting forgotten passwords);
    • it may no longer be necessary to offer your own authentication means at all (this depends, among other things, on whether all of your customers can actually obtain a DigiD).
  • A choice has to be made between connecting via the ‘old’ A-Select interface or the ‘new’ SAML v2 interface. Using SAML v2 is recommended because it is more future-proof (SAML v2 is an OASIS standard). SAML v2 is supported from DigiD 4.0 onwards (SAML v2 is already available today for DigiD Eenmalig Inloggen, the DigiD single sign-on service). The release of DigiD 4.0 has however been postponed from 1 October 2011 until after 1 April 2012.
  • Although using DigiD, and the guidance Logius gives during implementation, is currently still free of charge, it is wise to take into account that this will change at some point. It is currently impossible to predict how expensive it will be, or whether the price will differ per assurance level.
  • Do a risk inventory of the current and planned services for the portal and determine which assurance levels these require. For future-proofing it is sensible to use the assurance levels as defined in the European STORK project (deliverable D2.3, written by Novay on behalf of the Ministry of the Interior, BZK).
  • Logius is very strict about its communication requirements, and it turns out that Logius frequently rejects (pre-)production environments that do not meet them. This means a connecting party has no freedom at all with respect to the prescribed texts and the use of the DigiD logo.
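The two recommendations above that matter most for the technical integration (connect via the SAML v2 interface, and let a risk inventory set the required assurance level per service) come together on the relying-party side at the moment a SAML Response arrives. The Python below is an added example written for this page; it is not code from Novay, Logius or the DigiD documentation. It assumes the XML signature has already been verified by the SAML library, and the AuthnContextClassRef values, their mapping to the STORK QAA levels, the entity IDs, the request ID and the service list are assumptions (the DigiD interface specification defines its own values).

```python
"""Relying-party check of a SAML 2.0 Response against the assurance level a service needs.

Added example, not Novay's or Logius's code. The AuthnContextClassRef values, their
mapping to STORK QAA levels, the entity IDs and the service list are assumptions;
the real DigiD SAML interface specification defines its own values.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Assumed mapping from authentication-context class to STORK QAA level (1 = lowest, 4 = highest).
CONTEXT_TO_QAA = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract": 3,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": 4,
}

# Outcome of the risk inventory: minimum QAA level per portal service (constructed).
SERVICE_MIN_QAA = {
    "view-pension-overview": 2,
    "change-bank-account": 3,
}

OUR_ENTITY_ID = "https://mijn.example.nl/saml/metadata"   # assumed SP entity ID

# Constructed sample Response; a real one is signed and carries more elements.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    InResponseTo="_req42" IssueInstant="2011-12-20T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2011-12-20T12:00:00Z">
    <saml:Issuer>https://idp.example.org/digid</saml:Issuer>
    <saml:Subject><saml:NameID>constructed-subject</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2011-12-20T11:59:00Z" NotOnOrAfter="2011-12-20T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://mijn.example.nl/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2011-12-20T12:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(ts):
    # SAML uses UTC xsd:dateTime; fractional seconds are not handled in this example.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assurance_level(response_xml, now, expected_request_id=None):
    """Return (qaa_level, None) if the Response is acceptable, else (None, reason).

    Assumes the signature over the Response/Assertion was already verified by the
    SAML library; only the content checks a relying party must still do are here.
    """
    now = _parse_time(now)
    root = ET.fromstring(response_xml)
    # Unsolicited or replayed responses: the Response must answer our own AuthnRequest.
    if expected_request_id is not None and root.get("InResponseTo") != expected_request_id:
        return None, "InResponseTo does not match the outstanding AuthnRequest"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, "no Assertion element"
    # The assertion must be addressed to us, not lifted from another service provider.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if OUR_ENTITY_ID not in audiences:
        return None, "audience restriction does not include our entity ID"
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None or conditions.get("NotOnOrAfter") is None:
        return None, "assertion has no validity window"
    not_before = conditions.get("NotBefore")
    if not_before is not None and now < _parse_time(not_before):
        return None, "assertion not yet valid"
    if now >= _parse_time(conditions.get("NotOnOrAfter")):
        return None, "assertion expired"
    ctx = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ctx is None or ctx.text not in CONTEXT_TO_QAA:
        return None, "unknown or missing AuthnContextClassRef"
    return CONTEXT_TO_QAA[ctx.text], None


def authorize(service, response_xml, now, expected_request_id=None):
    """Decide whether the login carried by response_xml is strong enough for service."""
    level, reason = assurance_level(response_xml, now, expected_request_id)
    if level is None:
        return False, reason
    required = SERVICE_MIN_QAA[service]
    if level < required:
        return False, f"QAA level {level} is below the {required} required for {service}"
    return True, f"QAA level {level} meets the {required} required for {service}"


if __name__ == "__main__":
    for service in SERVICE_MIN_QAA:
        print(service, authorize(service, SAMPLE_RESPONSE, "2011-12-20T12:01:00Z", "_req42"))
```

The point of the table is that the portal compares a level, not a context string, against what the risk inventory demanded; when DigiD adds or renames a login method only the table changes. The audience, validity window and InResponseTo checks remain the relying party's own job even with a library that verifies the signature, because the library does not know which service the user is trying to reach or which request is still outstanding.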

The above recommendations were drawn up in the period before ‘Lektober’. In light of the recent DigiD-related security problems at, among others, municipalities that came to light then, one more recommendation can be added:


Edentiti wins Novay Digital Identity Award!

2011/11/10

Yesterday was the second edition of the IDentity.Next (un)conference, and also the second time Novay put an innovation in the area of digital identity in the spotlight by awarding it the Novay Digital Identity Award. Congratulations to Edentiti, and its founder Kevin Cox!!!

Edentiti is an Australian start-up that does online identity verification. What I personally like most about Edentiti is that they have a very pragmatic approach to identity verification which exploits a range of existing online databases and previously established identities. They provide increasing levels of trustworthiness of the identity verification, where more trust means more hassle for the user (and probably more cost for the service provider), but for many online services a lower level of trustworthiness is already good enough. And in all cases, the service provider doesn’t have to do the identity verification itself, and the user is in control of how his identity is verified. A ‘trick’ they use is that users can verify their identity by proving that they have existing relationships with organizations. For more details, check out this webpage from the greenID verification service that they provide together with a partner.

The photo with this blog post is the award itself. The artist is Alexandra Veneman (from Ommen in NL, the same as for the 2010 award). The wave pattern symbolizes that identity is of all times and all areas. The I and the D of course stand for identity. She used the purple colour from the Novay logo.

I copied the official announcement of the award below.

Edentiti wins Novay Digital Identity Award!

The Hague, November 9, 2011 – At the Identity.Next’11 conference today, the Australian Edentiti has won the Novay Digital Identity Award for the best new concept or product in the field of digital identity. Edentiti provides online identity verification by checking information from various online data sources, and does so under the control of the end user.

Identity verification is the process of verifying whether someone is who he or she claims to be. It can be used to prevent identity theft, for age verification where the purchase of alcohol or gambling is concerned, and for several other reasons. What the jury found particularly appealing about Edentiti is the efficient and innovative manner in which they rely on existing online identities that a user has, and use these as a basis for identity proofing for new online services. In the system Edentiti offers, individuals can verify their identity by proving they have existing relationships with organizations. Proof is obtained by the individual using the Privacy Principle that says that individuals can ask any organization that might hold personal information on them “Do you have any information about me? Yes or No?”. The number and quality of the “Yes” relationships determine the trust in the verification. Edentiti is also provided through Deloitte Digital under the brand name greenID, addressing Anti-Money Laundering/Counter-Terrorism Financing (AML/CTF) legislation.

Hermen van der Lugt, director of research institute Novay and chairman of the jury: “It is easier for end-users and less expensive for online businesses than traditional face-to-face identity verification approaches. Additionally, Edentiti lets the individual control the whole process of identity verification, which is a big plus, considering the privacy sensitivity.”

Edentiti has an approach and business model that allows for incremental growth: in number of users, in number of customers and in the level of trustworthiness of the identity verification. The jury believes that their approach has the potential to be expanded to other countries through partnerships. Organizations which use the system include Australia Post, the Australian Superannuation Fund and the National Australia Bank. More on Edentiti’s approach can be found at www.edentiti.com.

Apart from Edentiti, three more organizations were nominated for the award. Qiy (www.qiy.com) is a Dutch personal data store initiative that provides a secure environment in which a user controls which companies can access his or her information. WAYF (www.wayf.dk), a Danish identity federation, connects over 90 service providers with over 130 identity providers in education, libraries, health care and government (including the NewLog-in national authentication system). WAYF pioneered and contributed to open source with, amongst others, a user consent module, real-time calculation of economic benefits of the federation and a federation administration interface. tiQR (www.tiqr.org) is an open-source and standards-based authentication solution from SURFnet. It uses a mobile phone to scan a QR code that is presented by a webpage, thereby implementing two-factor authentication that is very user friendly.

The award is part of the IDentity.Next’11 conference in The Hague, organized by the IDentity.Next foundation that focuses on developments in digital identity. With the award, IDentity.Next and research based ICT consultancy Novay want to recognize and support new developments and innovations that are shaping the future of digital identity. Co-organizer of the conference is EEMA, Europe’s leading independent, non-profit e-Identity & Security Association. The conference brings together experts, professionals and industrial parties to discuss the latest developments in the field of digital identity. More information about the award and the jury is available at www.identitynext.eu.


Nominees Novay Digital Identity Award announced

2011/10/26

The submissions were quite diverse, and from more different countries than last year. Since it was difficult to narrow it down to the intended maximum of three nominees, the jury decided to select four :) My congratulations to Edentiti, Qiy, WAYF and tiQR!! The jury is not done though; the winner still has to be selected from among the nominees.

Below is the ‘official’ press release, copied from the Novay website:

On November 9, one of four nominees will be granted the Novay Digital Identity Award at IDentity.Next’11. The nominees for the best new concept or product in the field of digital identity are: the Australian Edentiti, the Danish WAYF and the Dutch Qiy and tiQR.

Edentiti (http://www.edentiti.com) is an Australian identity proofing system that provides online identity verification by checking information from various online data sources, and does so under the control of the user. Qiy (http://www.qiy.com) is a Dutch personal data store initiative that provides a secure environment in which a user controls which companies can access his or her information. WAYF (http://www.wayf.dk), a Danish identity federation, connects over 90 service providers with over 130 identity providers in education. WAYF pioneered and contributed to open source with, amongst others, a user consent module, real-time calculation of economic benefits of the federation and a federation administration interface. tiQR (http://tiqr.org) is an open-source and standards-based authentication solution from SURFnet. It uses a mobile phone to scan a QR code that is presented by a webpage, thereby implementing two-factor authentication that is very user friendly.
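The tiQR description above (and the identical one in the announcement of the winner earlier on this page) says what the user sees but not what passes between the web page, the phone and the server. The Python below, added for this page and not tiqr’s own code, shows the shape of such a QR-code login: the server issues a one-time challenge, the browser displays it as a QR code, the phone app answers it with a secret established at enrolment, and the browser learns the outcome by polling. tiqr computes its responses with OCRA (RFC 6287); the HMAC-SHA256 stand-in, the tiqrauth:// payload layout, the service identifier, the time-to-live and the user names here are assumptions for illustration.

```python
"""QR-code challenge-response login in the style of tiqr.

Added example, not tiqr's own code. tiqr computes its responses with OCRA (RFC 6287);
the HMAC-SHA256 truncation, the 'tiqrauth://' payload layout and the service
identifier below are simplifications and assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time

SERVICE_ID = "mijn.example.nl"   # assumed: the service name the app shows to the user


def compute_response(secret, service_id, session_key, challenge):
    """Phone-side computation: bind the answer to the service, the browser session and the challenge."""
    msg = f"{service_id}|{session_key}|{challenge}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def parse_qr_payload(payload):
    """Split the string the web page encoded in the QR code (assumed layout)."""
    scheme, rest = payload.split("://", 1)
    if scheme != "tiqrauth":
        raise ValueError("not a login QR code")
    service_id, session_key, challenge = rest.split("/")
    return service_id, session_key, challenge


class AuthServer:
    """Web-application side: issues a challenge per login attempt and verifies the phone's answer."""

    def __init__(self, service_id=SERVICE_ID, ttl=120):
        self.service_id = service_id
        self.ttl = ttl
        self.enrolled = {}   # user -> shared secret (bytes) established once at enrolment
        self.sessions = {}   # session key -> {"challenge", "expires", "user"}

    def enroll(self, user, secret):
        self.enrolled[user] = secret

    def start_login(self, now=None):
        """Begin a login attempt; returns (QR payload for the web page, session key for polling)."""
        now = time.time() if now is None else now
        session_key = secrets.token_hex(16)
        challenge = secrets.token_hex(10)   # fresh per attempt, so a captured answer is useless later
        self.sessions[session_key] = {"challenge": challenge, "expires": now + self.ttl, "user": None}
        return f"tiqrauth://{self.service_id}/{session_key}/{challenge}", session_key

    def finish_login(self, session_key, user, response, now=None):
        """Called by the phone app, out of band from the browser. True if the login succeeded."""
        now = time.time() if now is None else now
        session = self.sessions.get(session_key)
        if session is None or session["user"] is not None or now > session["expires"]:
            return False   # unknown session, already answered, or expired
        secret = self.enrolled.get(user)
        if secret is None:
            return False
        expected = compute_response(secret, self.service_id, session_key, session["challenge"])
        if not hmac.compare_digest(expected, response):
            return False
        session["user"] = user   # single use: the same challenge cannot be answered twice
        return True

    def poll(self, session_key):
        """The browser polls this until a user name appears, then its web session is logged in."""
        session = self.sessions.get(session_key)
        return None if session is None else session["user"]


class PhoneApp:
    """The user's phone: holds the secret enrolled with the service."""

    def __init__(self, user, secret):
        self.user = user
        self.secret = secret

    def answer(self, payload, server, now=None):
        service_id, session_key, challenge = parse_qr_payload(payload)
        # A real app shows service_id to the user and asks for confirmation (and a PIN) first.
        response = compute_response(self.secret, service_id, session_key, challenge)
        return server.finish_login(session_key, self.user, response, now=now)


if __name__ == "__main__":
    server = AuthServer()
    server.enroll("alice", b"secret-established-at-enrolment")   # constructed
    payload, key = server.start_login()
    print("QR payload:", payload)
    PhoneApp("alice", b"secret-established-at-enrolment").answer(payload, server)
    print("browser poll ->", server.poll(key))
```

Three properties make this a second factor rather than a fancier password: the secret never leaves the phone, every challenge is bound to one browser session and can be answered at most once within its time-to-live, and it is the phone, not the browser, that completes the login with the server. What remains is a relayed QR code from a lookalike site, which is why the app should display the service identifier and ask the user to confirm before answering.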

Most people have one or more digital identities. As we use more online services, this number increases and the question of who knows what about whom becomes increasingly complex. And then there’s the digital keychain, which yields more annoyance than convenience. With this award, IDentity.Next and ICT research institute Novay recognize and support new developments that will shape the future of digital identities. The jury is chaired by Hermen van der Lugt, Director of Novay. The jury also includes Ziggur, last year’s winner. Ziggur provides a service that gives users control over what happens to their online identity after their death.

The award is part of the IDentity.Next conference in The Hague, organized by the Identity.Next foundation that focuses on developments in digital identity. Co-organizer is EEMA, Europe’s leading independent, non-profit e-Identity & Security Association. The conference brings together experts, professionals and industrial parties to discuss the latest developments in the field of digital identity. More information about the award and the program is available at www.identitynext.eu.


Digital identity in the Netherlands: DigiD for consumer-2-business?

2011/10/05

On Tuesday 4 October we organised a Novay networking event called Tuesday Update, with digital identities as the subject. The main subject of discussion was the need for re-usable identities, and especially who should be the identity provider: government or private parties. This is a hot subject in the Netherlands, also because of the recent security incidents (DigiNotar).

Hein Aanstoot, director at SIVI, argued very well that the insurance sector increasingly needs a consumer-2-business identity solution, and that if insurers were allowed to use the national citizen-2-government solution DigiD this would help them a lot. This is however not allowed in the Netherlands, and Kees Keuzenkamp from the ministry of Internal Affairs explained the policy developments in this area (NL and EU), including the planned Dutch eID smartcard (called eNIK, elektronische Nederlandse Identiteits Kaart). The bottom line (in my wording) is that the decision on eNIK will be taken at the end of this year (after which it goes to parliament) and that it is very unlikely that DigiD/eNIK can be used as a generic consumer-2-business identity solution. Hein Aanstoot also gave some insight into a new initiative with several large insurance companies to create a breakthrough in a re-usable identity for the insurance sector; I think it is good for these insurance companies that they do not make themselves (too) dependent on the government or others (banks).

I also presented, giving my perspective on consumer-2-business identities: why this is so difficult (privacy, trust etc.), the outcomes of our cidSafe project, my views on DigiD (and eHerkenning) and what the role of government should be (especially: solve it, or be very clear you’re not going to do so). I also presented three innovations we are working on that we believe will increasingly become important: user control over their data, mobile-centric identity and context-enhanced authentication/authorization. My presentation is on SlideShare (in Dutch!).


Submissions for Novay Digital Identity Award 2011?

2011/08/09

If you are working on an innovation in the area of Digital Identity: my employer (Novay) in collaboration with the IDentity.Next (un)conference will grant the Novay Digital Identity Award for the second year now. Last year’s winner was Ziggur, a company that innovates our digital death… I’m organizing this award (but not in the jury, influencing me will not help you get the award :) ).

The deadline is October 11. For more information, see http://www.identitynext.eu/award.php or below.

Submissions wanted for Novay Digital Identity Award 2011

On November 9, the Novay Digital Identity Award will be granted to the best new concept or product concerning digital identity. The award is part of the conference Identity.Next’11 in The Hague. With the award, Identity.Next and ICT research institute Novay want to recognize and support new developments that are shaping the future of digital identity. Submissions are welcome until October 11.

The conference on November 9, 2011 is organized by the IDentity.Next association, a non-profit organization on Digital Identity, in cooperation with EEMA, Europe’s leading independent, non-profit e-Identity & Security association. Identity.Next will bring a program with top experts, professionals and industry stakeholders to discuss the world around Digital Identity and best practice. The (un)conference will consist of debates, workshops and presentations in four tracks: ‘Social consumer’, ‘Mobile-me’, ‘Private Eye’ and ‘eCitizen’. The award-winning concept the organization is looking for should relate to one of these themes.

Innovative concepts, projects and products on digital identity can be submitted for the award until October 11, 2011. Submissions will be judged by a jury chaired by Hermen van der Lugt, CEO of Novay. Criteria include innovativeness (technological as well as business model); success & impact; how the privacy aspect is dealt with; and added value for users and for stakeholders.

For more information, including jury members, factsheet and submission form, see http://www.identitynext.eu/award.php.


Position paper on digital identity from Thuiswinkel.org (Dutch online retail association)

2011/06/23

Last week the Dutch online retail association Thuiswinkel.org published a press release and position paper (in Dutch) on online identity services. The press release contains five recommendations aimed at ‘parties in the online identity services area’. I think it is good that Thuiswinkel.org apparently considers this an important subject, and I agree with most of what they state in the recommendations. I do however have some comments on the specific recommendations. I translated each recommendation below, and give my comments on each of them.

  1. Re-use of existing consumer identities, such as login data, bank cards and phones
    My comment: yes! this is/was also a key element in our vision for a trustworthy consumer identity in the cidSafe project, especially the “existing” in this recommendation is important because of the business case and user convenience implications.
  2. Choice for online retailers between several providers that each provide universal access to identities, also internationally
    My comment: this seemed a bit naive, that there will be several providers that can provide universal access. But checking the explanation in the position paper itself made it clear that they refer to intermediate brokers between the online retailers and the identity providers. These may make life easier; see a previous post on 3 vs 3.5 vs 4 party models.
  3. The user determines which parts of his identity he reveals, the online retailers determine the desired trust level
    My comment: good! Where in many cases revealing “nothing” should be an option …
  4. Good communication about online identities for users
    My comment: absolutely, the question is more the ‘how’, and where the trade-offs are between keeping the solutions simple enough so we do not need to explain too much, and having an open and flexible solution.
  5. Government should start with a pilot with verified attributes that online retailers can use, including age
    My comment: no :( see below

The press release, and subsequent press articles such as this one, focus on the online age verification recommendation. This is a hot subject in the Netherlands, also because of legislation on what you cannot sell to minors, e.g. porn, violent video games or gambling to those aged 16 or younger. In the offline world this can be (but is not always …) checked by the cashier; in the online world there is currently no way to do so. I however disagree with the fifth recommendation for two reasons. The first is that it is about verified attributes in general rather than just age, and with minimal data disclosure in mind I do not see why this needs to be so general (with post-payment as a possible exception, but more creative things can be done there). Secondly, it assumes a government solution. Why exclude a private market solution? Actually, Novay (in the person of my colleague Bob Hulsebosch) did an impact & feasibility study on using iDEAL for online age verification for online retailers. Our client was a public-private working group from the Ministry of Security and Justice and NICAM. iDEAL is the Dutch online payment service for retailers and is used by 81% of Dutch web shoppers. Online retailers would in this case rely on the banks behind iDEAL for age verification. See also this recent article in Emerce with an interview with working group lead Willem van Teeseling from Buro 240a. Of course, a private market solution may also benefit from ‘encouragement’ from the government, but that’s not what the fifth recommendation states (contrary to section 6.5 of the actual position paper, which is more in line with my position on this).

Only somewhat related to the above, a few sentences in the position paper discuss combining identity with payment, which would streamline the user experience. We all know: fewer clicks, more convergence, thus this is IMHO a good point: payment providers have an edge as identity providers, especially when it comes to online retail. The point they also make, that the mobile channel needs a more user-friendly identity solution (with less user input), is also very true I think.


Government eID versus identity trust frameworks, at EIC

2011/05/13

I spent most of this week in Munich, at Kuppinger Cole’s European Identity Conference. This again had a full program with presentations and panels on digital identity, GRC and, of course, cloud. Some personal highlights were presentations and panels on:

  • externalization of authorization (XACML 3.0 won an identity award)
  • privacy (including personal clouds/datastores; Qiy won an identity award)
  • consumer identity/trust frameworks/OpenID (including an interesting presentation by Andrew Nash from PayPal)
  • and mostly the off-session discussions with leading people in the digital identity area

I also gave a presentation myself on consumer identity, and participated in a panel. I presented my ideas on government-issued consumer/citizen identities versus doing this through the market via an identity trust framework.


Most popular ‘social logins’

2010/12/15

Janrain produced some nice statistics on the usage of OpenID and similar technologies to log in on other sites with credentials from (typically) social networks. They use ‘social login’ as a term, which probably sounds better than OpenID or identity federation :). There is a statistic specifically for Europe, based on logs from 20 of their European customers. By the way, they don’t have US statistics in their blog post; maybe they just assume the international statistics are the same as the US ones, or maybe they simply don’t have that many non-US customers.

Below the part of the blog post on Europe. Among others, it claims that Hyves is growing as an identity provider.

Similar to last quarter, we want to note that Windows Live remains twice as popular a social login provider in Europe as in the US, and its share has increased from 8% to 11% despite the emergence of more localized social networks and email providers.  These providers, such as Hyves (Netherlands), Netlog (Belgium), Web.de and GMX (Germany) comprise over 10% of social logins from our sample of 20 European customers.  Their growth in social login popularity across the Atlantic comes at the expense of Google, Twitter and Yahoo!

European Social Sign-On Preferences

Most popular overall is Google (38%), and the top five combined have 92%, but I expect that for specific domains (e.g. business-2-business, where LinkedIn would be popular) or regions (e.g. the Netherlands with Hyves) this top five would have other names in it.


Ziggur wins Novay Digital Identity Award 2010 at Identity.Next

2010/12/12

Novay Digital Identity Award 2010

Identity.Next took place on 8 December. It was IMHO an interesting event, which succeeded in bringing together the more traditional IAM people with the more internet/social identity people. In the morning there were presentations in three tracks, and the afternoon was an unconference session led by Kaliya Hamlin (identitywoman), on subjects like business models for consumer identity (see also this interesting post), authorization in the cloud and privacy.

It was the first edition, and Robert Garskamp (founder of Identity.Next and the driving force behind it) announced that it would not be the last. Thanks Robert for your hard work!

During Identity.Next the Novay Digital Identity Award was presented. With this award Novay and Identity.Next want to support an innovation in the area of digital identity. Jury members were Yme Bosma (Hyves), Jaap Kuipers (PIMN & DigiNotar), Dennis van Ham (KPMG) and Hermen van der Lugt (Novay). The jury selected three nominees from the submissions: the Dutch Banking Association (with their new awareness campaign), the European STORK project (a pilot on federating the national eID solutions) and Ziggur (a new service to control your digital identities/profile after you’re dead). Hermen van der Lugt announced the winner: Ziggur!! Congratulations to them. See for example the press release (in Dutch …) for more information.

