Below is a contribution I wrote for the IDentity.Next newsletter (I’m on the expert panel) on mobile-centric identity, see also http://www.identitynext.nl/news.php?id=22.
Mobile phone – the remote control of our (digital) identity?
For most people the mobile (smart) phone is the most personal device they have. You carry it with you almost always, you rarely let others use it, and you notice very quickly when it is gone. Combine this with the smartphone becoming a mature and popular channel to online services, and you realize how important your mobile phone is for your digital identity. The term user-centric identity was (or still is) quite popular in the last few years; going a step further, I’m a strong believer in mobile-centric identity: the mobile phone as the central component for controlling your digital identity.
I distinguish three ways in which this is happening:
1. The mobile phone as authentication device – this is already happening and progressing; one-time passwords over SMS in particular are pretty common. There are also apps for Android or iPhone with one-time-password generators, and Mobile PKI, which relies on the SIM card as tamper-resistant hardware to hold the key material for extra security.
2. Authentication for the mobile channel – this is still a struggle, even more so than identity on the ‘fixed’ internet. Typing passwords is a huge hassle on a mobile phone, and handing them to random, barely trusted mobile apps (for example a third-party mobile banking app) is not a good idea, since such an app sees and can store the password. Common stronger authentication means like smartcards with readers or one-time-password tokens are not really an option, since no one wants to carry additional devices. Identity federation standards like SAML Web SSO and OpenID are also not really suitable for mobile phones. We have been using OAuth for mobile apps; it may not be the final solution, but it is a step in the right direction if ‘medium’ security is good enough.
3. Control your privacy on your mobile phone – I, and many with me, believe that sharing personal data can make our lives easier, but that the user should be in control of it. A single point of control is the way to go: for example, decide in one central place who gets access to my new home address and to my location updates. This starts with basic consent functionality when using external identities (e.g. OpenID), but extends all the way to the ambitions of the Personal Data Ecosystem, Vendor Relationship Management and User-Managed Access. The mobile phone could be the trusted device for controlling this. Today this is far from reality.
A major risk to whether, and how fast, mobile-centric identity will come about is whether we succeed in keeping the mobile phone secure enough for it. This has not been a major issue yet, but it certainly requires attention (see for example the ENISA report or the KuppingerCole Top Trends 2011). Solutions that are part of the operating system and/or make use of trusted hardware like the SIM card may prove most successful.
Related to identity is always payment, and although slower than expected, the signs are good that NFC technology (for mobile payments) will reach a significant share of mobile phones in the coming years. Also, at least in the Netherlands, banks and mobile operators have joined forces to make mobile payment possible. Your mobile phone may very well replace both the coins and the bank/smartcards that are now in your wallet. It will be interesting to see how, how fast, and who will profit from this!
Maarten Wegdam (principal researcher at Novay – member of IDentity.Next expert panel)