FIDO and its place in the eID ecosystem



FIDO stands for Fast Identity Online. FIDO is a new authentication specification that makes it easier to integrate with and re-use non-password authentication means: what-you-have and what-you-are. The specification was published in a v1.0 version last December by the FIDO Alliance, which unites an impressive list of large companies (e.g., Microsoft, Google, Samsung) and smaller authentication companies (e.g., Authasas, Yubico, Nok Nok Labs) to “define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services”.

Last Friday (23 January 2015) PIMN organized a seminar on FIDO,  which was fully booked with a waiting list even. In this blogpost I’ll summarize what I learned and what I presented on “FIDO and its place in the identity ecosystem”.

Read the rest of this entry »

Re-usable identities instead of different passwords everywhere



Below is a blog post in Dutch on re-usable identities instead of different passwords for all websites. The trigger for the blogpost is that Hold Security released the Dutch (or actually, .nl) part of the logindata/emailadresses that they discovered to be hacked. The NCSC (National Dutch Cyber Security Centre) IMHO focusses to much on educating users to prevent this, contrary to fnding/promoting solutions such as re-usable identities, including the Dutch eID Stelsel NL (similar to NSTIC in the US).

Read the rest of this entry »

PayPal and Dutch banks as identity provider



Today I received an email from PayPal to inform me on updates they are making in their legal terms related to “Log in with PayPal”. That PayPal wants to be an identity provider is nothing new, but this update was a good reason to blog about opportunities for Dutch banks to introduce innovative services in the area of digital identity. See below the cross-post in Dutch from the InnoValor website on this subject.

PayPal en banken als inlogmethode

Paypal heeft vandaag aanpassingen aan de gebruikersovereenkomst bekend gemaakt. Opvallendste voor mij was de toevoeging van “PayPal als inlogmethode”, oftewel, PayPal als identity provider. PayPal is overigens al langere tijd zich aan het positioneren als identity provider. ”PayPal als inloginmethode” is erg vergelijkbaar met hoe Facebook Connect of andere social logins werken, je logt in bij een wesite van een derde partij door op een button te klikken die je browser redirect naar bijvoorbeeld Facebook waar je inlogt met de gebruikersnaam/wachtwoord die je gebruikt voor Facebook. Qua user experience en werking niet heel veel anders dan DigiD overigens. Geen nieuwe wachtwoorden voor elke site, minder gedoe met registreren etc. Voor de techies: PayPal gebruikt OpenID Connect hiervoor, DigiD gebruikt SAML.

Read the rest of this entry »

The challenges for a Dutch eID



My colleague Wolfgang Ebbers is a blogger for iBestuur. iBestuur is an independent platform for i-government (the i stands for information). In his latest blogpost he discusses a recent letter from the minister of Internal Affairs on the minister’s vision on digitale government 2017. Wolfgang zooms in on the role of an eID solution in this vision, and interviews me on what I consider are important challenges for the Dutch eID framework that the Dutch government is working on. I basically try to make five points.  I start with that (i) it is good that there is now an eID framework vision that is broadly supported by different parts of the Dutch government, and that it also extends to consumer-2-business. Then I make the point that the unclarity/uncertainty on how this vision will be implemented causes initiatives for eID solutions to wait. Then I discuss some major challenges:  (iii)  the business model (who is paying, private sector vs government vs consumer, market entry), (iv) the privacy aspects, including the trade-off between privacy, costs, security and convenience and (v) redundancy in the framework (e.g., authentication means) including that it is difficult to create the desired level-playing field between government and private sector.

The complete blogpost can be found here (in Dutch). For your convenience, I also copied the text below:

Read the rest of this entry »

Privacy and security in an eID solution?



In the Netherlands we have a digitale identity solution, called DigiD, for citizins that want to use e-government services. It is used quite a lot (compared to e.g. Belgium or Germany), but not very secure (only SMS as second factor, and verification via a well-known address contrary to e.g. face-2-face). The Dutch government is now working on a more secure eID solution, as part of an bigger identity trust framework that is called “eID stelsel” (roughly translates to eID scheme or eID framework). In the below blog post (in Dutch …) we discuss this, and zoom in on the IRMA research project in which we participate. IRMA smartcard aims to be both secure and privacy friendly (attributes, double blind certificates etc).

Een betrouwbaardere en privacyvriendelijkere DigiD

In een kamerbrief over de toekomstbestendigheid van Nederlandse identiteits-infrastructuur, schrijft minister Plasterk dat DigiD, in de huidige vorm, op korte termijn niet meer voldoende beveiliging biedt voor nieuwe gevoelige e-overheids diensten. Voor deze diensten is een veiligere eID oplossing nodig. Te denken valt dan, bijvoorbeeld, aan toekomstige diensten als toegang van patiënten tot hun elektronische patientendossier.

Read the rest of this entry »

Guide to classifying e-services to Levels of Assurance: a good first step


A Dutch government body responsible for establishing open standards for elektronic exchange (Forum Standaardisatie) published a guide for government service providers to help them classify e-services to Levels of Assurance. They use the EU STORK Quality Authentication Assurance levels for this, which classify authentication solutions in four levels. Since Novay was responsible for defining these levels in the EU STORK project, and we’ve helped several clients in applying STORK levels, we read this guide with great interest. In the below text we discuss the Levels of Assurance concept, and give our opinion on the guide.

Read the rest of this entry »

Looking back at 2011: what was new, and what could have been (IDentity.Next newsletter)


I wrote an article for the IDentity.Next newsletter that came out today (21 December 2011). It is here, and for convenience, also copied below.

Looking back at 2011: what was new, and what could have been


With 2011 almost over, the question IDentity.News had for me was to look back to 2011 what were new developments in the area of digital identity. Since I’m in the business of innovation, looking forward is more in my DNA than looking back. And so a little out of my comfort zone, below three major new developments of 2011, and, also, three developments that did not happen in 2011.

1. Trust frameworks– in the US (e.g. NSTIC, OIX), in NL (e.g. eHerkenning) and elsewhere trust frameworks as a way to ensure a fair and trusted ecosystem to provide identity-related services are catching on. Experience with large scale deployment is still limited though. I guess we just have to do and learn. And the alternative for trust frameworks (i.e. government issued identities) also stays popular (e.g., the new German ID card, the Dutch DigiD/eNIK).

2. Cloud and identity-as-a-service– it seems impossible for a self-respecting event in the area of identity not to spend significant time on the combination of cloud and identity. And something similar seems to apply to identity experts J. There is also progress here; especially commercial offerings of identity-as-a-service have been progressing. On making the cloud identity-enabled, things have developed slower than I would have expected a year ago. Although I guess everyone (?) agrees that companies want to have centralized authentication, authorization and provisioning (efficiency, control etc), adoption of standards is still too limited, which is at least part of the reason this is going slow.

3. DigiNotar (and other security fiasco’s in the identity area) – while a disaster for DigiNotar and potentially a huge disaster for an unknown number of Iranians, there is actually a bright side. It resulted in more attention at ‘higher levels in organizations’ for information security and identity. And I’m sure many security consultants had sufficient work in second half of 2011. The downside of this attention is that I rather have digital identity associated with ‘enabling online services’ than with security risks.

There are also three developments that did not happen, but could have. I stay close to home for these.

What first comes to mind is that there is still no clarity on introduction of a Dutch electronic identity card (eNIK), although the responsible Minister of Internal Affairs promised parliament a proposal before the end of the year (still two weeks to go!).

What also did not happen in the Netherlands is the Dutch national electronic health record, instead the Dutch senate seems to prefer faxes, or maybe smoke signals. Not that the proposed law they stopped did not have its flaws from a privacy and authorization perspective. But the proposal could have been improved upon, and current practise is much worse in my opinion. Hopefully the Dutch national health record will continue in another form, there are signs it might.

The third development that did not happen is a breakthrough in a re-usable consumer identity solution on Dutch national or, even better, European or worldwide scale: we still have the same long list of username/passwords for every website that offers personalization.

Maarten Wegdam (principal consultant Novay – IDentity.Next member panel)