Mobile phone – the remote control of our (digital) identity?

29-03-2011

For most people the mobile (smart) phone is the most personal device they have. You carry it with you almost always, you rarely let others use it and you notice it is gone very quickly. Combine this with the smart phone becoming a mature and popular channel to online services, and you realize the importance of your mobile phone for your digital identity. The term user centric identity was (or still is) quite popular the last few years, going further I’m a strong believer in mobile centric identity: the mobile phone as the central component to control your digital identity.

 I distinguish three ways in which this is happening:

1.     The mobile phone as authentication device– this is already happening and is progressing, especially one-time-passwords over SMS are pretty common. But also apps for Android or iPhone with one-time-password generators, or Mobile PKI which exploits the SIM card for more security.

2.     Authentication for the mobile channel– this is still a struggle, even more than identity on the ‘fixed’ internet. Typing passwords is a huge hassle on mobile phones, and providing these to random and barely trusted mobile apps is not a good idea (for example a third party mobile banking app). Common stronger authentication means like smartcards-with-readers or one-time-password tokens  are not really an option since no one wants to carry additional devices with them. Also identity federation standards like SAML WebSSO and OpenID are not really suitable for mobile phones. We’ve been using oAuth for mobile Apps, which may not be the final solution but is a step into the right direction if ‘medium’ security is good enough.

3.     Control your privacy on your mobile phone – I, and many with me, believe that sharing personal data can make our lives easier, but that the user should be in control of this. A single point of control for this is the way to go, for example determine in a central place who should get access to my new home address, and my location updates. This starts at basic consent functionality when using external identities (e.g., OpenID), but goes all the way to Personal Data Ecosystem, Vendor Relationship Management and User Managed Access ambitions. The mobile could be the trusted device to control this. This is far from reality nowadays.

A major risk for the success and speed in which mobile centric identity will come to be is if we are successful in keeping the mobile phone secure enough for this. This has not been a major issue yet, but for sure requires attention (for example, ENISA report or KuppingerCole Top Trends 2011). Solutions that are part of the operating system and/or exploit trusted hardware like the SIM card may prove most successful.

Related to identity is always payment, and although slower than expected the signs are good that NFC technology (for mobile payments) will get a significant penetration to mobile phones the coming years. Also, at least in the Netherlands, banks and mobile operators have joint forces to make mobile payment possible. Your mobile phone may very well replace both the coins and the bank/smartcards that are now in your wallet. It will be interesting to see how, how fast and who will profit from this!

Maarten Wegdam (principal researcher at Novay – member of IDentity.Next expert panel)

Together with my colleagues Ruud Janssen and Dirk-Jan van Dijk we have been working for SURFnet to help them if, and if so how, they should add a user consent feature to their SURFfederatie identity federation service. See also this previous post on user-centric SAML that describes what we did last year. We continued this year, doing additional user studies, deciding on architectural issues, developing a prototype and doing a pilot. This pilot started two weeks ago J, see also a SURFnet news item (Dutch) on this. The pilot is with three of the bigger Dutch universities, and students/employees that go to the selected service providers will be asked to participate in the pilot. They go through the consent pages, and we bother them with two online surveys to get their feedback. It’s too early to predict the outcome, but the pilot itself seems be going well.

At ISSE 2010 I gave a presentation on the current status of this work, the presentation is on slideshare. In December we’ll finalize a report with the outcome of the pilot, after which it’s up to SURFnet to decide if they’ll add this feature to the SURFfederatie.

Let me first introduce user-centric identity (people who know this can skip to the second paragraph). Not so long ago OpenID en InfoCard where introduced as user centric identity standards, contrary to ‘old fashioned’ identity provider centric standard like SAML. Without going into details, user centricity boils down to providing user controlled privacy, i.e., providing informed consent. And I of course do not mean some legal disclaimer that you have to agree to as a user to be able to use some service. The idea to provide actual information on what information would be shared between an identity provider and a relying party, and asking the user for consent before sharing this. InfoCard inherently provides this, and does this with a piece of software on the client. OpenID provides this though a webpage.

We did a project for SURFnet, the Dutch NREN, to study if and if so how we could make their SURFfederatie (identity federation for higher education and research) provide user controlled privacy. The SURFfederation support different protocols, but is mainly SAML WebSSO based. We analyzed different options, focusing on providing user controlled privacy through InfoCards and doing this through SAML. The latter option is less used, but there are precedents, like uApprove (for Shibboleth) and the Consent module for SimpleSAMLphp. Ignoring lots of details, SAML WebSSO works roughly the same as OpenID (by redirecting the browser from relying party to the identity provider, and back), and user controlled privacy can be implemented in a similar fashion for SAML WebSSO as for OpenID.

The choice between InfoCards and what I’ll call user-centric SAML is not a trivial one, both have advantages and disadvantages. And besides, it was not clear if the users (students and employees of universities etc) even want to be bothered with user controlled privacy. We figured that the best way forward researcher user centricity was to simple ask users what they want. We considered doing this through some large-scale survey, but decided that a small-scale but in-depth user study would provide more useful results. My colleague Ruud Janssen, an experienced user researcher, did this user study. Using mockups he asked users if they wanted control, and if so, if they prefer user-centric SAML or InfoCards. Although the number were too small to be statistically significant, there was a surprisingly clear consensus on what the users preferred: user controlled privacy through user-centric SAML. This thus also is what we recommended to SURFnet.

Although I expected that they would like the card-like user interface that InfoCard offers, the user we interviewed did not. We think this is mostly because they were unfamiliar with it, and therefore did not really trust it.

The research outcomes were written down in two reports: the first report discusses the state-of-the-art, design guidelines for user-centric SAML and architectural analysis on using InfoCard vs user-centric SAML. The second report contains the outcomes of the user study. My apologies to non-Dutch speakers: both reports are in Dutch, as requested by our client.

We are continuing the research on user controlled privacy this year, focusing on the user interaction (prototyping, further user studies) and the architectural consequences of user-centric SAML for the SURFfederatie.

My employer organizes networking events called Tuesday Update by Novay. The theme this time was identity, and more specifically consumer identity (consumer2business). We had an audience that was a very good mix of business people (financial industry, some media, some operators), government, ‘identity industry’ and people who more generally are involved with innovation. It was an interesting and lively event!

We invited Frank Leyman from FEDICT to give a talk on the Belgian eID, and it’s usage for consumer identity. FEDICT is the Belgian government organization responsible for the eID card. The Belgian government eID can, contrary to the Netherlands, be used by private businesses, and they appear to be ahead of the Netherlands in this area (e.g., an actual eID card …). This made it a very interesting case, and Frank explained the different functionalities very well. See here for his slides.

We also invited Yme Bosma from Hyves to present the Hyves view on identity. Hyves is the by-far-largest Dutch social network, and Hyves is, as its US/international counterparts, becoming an Identity Provider for low-trust identity. Think OpenID, oAuth etc. Hyves is, with some limitations, also a relying party. What’s especially interesting to me is that Yme is quite straightforward on their business case (my wording): we provide more value to our users, and it’s easy to do, so we do it. See http://docs.google.com/a/yme.nl/present/view?id=dg22g52h_10c29qhvdj for his slides.

I also gave a presentation, discussing among other business models, market entry en privacy aspects. And I advocated user centric identity, and our personal buzzword: mobile centric identity. I also briefly discussed our high-trust consumer identity for the Netherlands project proposal, and the OpenID.nl+ initiative (by ECP-EPN) which I’m becoming more involved in (as project manager for the proof-of-concept). See http://www.slideshare.net/wegdam/consumer-identity-tuesday-update-on-1-december-2009 for my slides (the first few slides have some Dutch, but don’t worry, you can easily skip those).

The first presentation was at the Dutch Identity 2009 event, which was co-located with ISSE 2009 this year. This took place in Schevingen (The Hague), on 6-7 October 2009.  I presented my views on trend in identity federation, and user centric identity. Among others, I argued that SAML is just as user centric than OpenID, or at least, can and should be…

Highlights on Identity/ISSE 2009 for me were the presentations by Don Schmidt (Microsoft), who talked about claim-based identity, and a presentation on the Norwegian BankID, which discussed the status of the Norwegian collaboration between banks to provide identity services to public and private sector.

The second presentation was at the National eID & ePassport conference, which is taking place as I type this (22-23 October 2009), in Lisbon. It was organized by among others Multicert, who invited me to talk about and discuss mobile centric identity. It was an audience not very familiar with user centric identity, so I first introduced this. I then argued that this implies mobile centric identity, and that using the mobile phone is only the first step towards mobile centric identity.