TELECOM ITALIA GROUP

Mobile Digital Identity: Opportunities and use cases

Sophia Antipolis, 2015, 25th June

ETSI – Security WEEK – eIDAS Stream

Maura Turolla, Sara Della Luna, Telecom Italia Strategy & Innovation

Digital Identity Problem

Sources: GSMA 2014, Rapporto OCSE 2013, Contact lab European Digital behaviour study 2013, Ricerca Censis 2013 

82,4% of users believe that personal data sharing on the web is dangerous

89% of users look for products and brands, but only 34% buy them

40% of users authorize personal data processing only with a trusted provider

92% of users leave the website in case of a forgotten password or new registration

Since 2005 more than 500 million identity thefts

148.000 PCs risk being hacked every day

«password» is the most popular password

On average a user has 26 logins and only 5 passwords

Panel titles: Worldwide problem; Italians’ online behaviour

TI would support Public & Private Industries in the Digital Transformation, assisting citizens in their Trusted Digital Life…

Consumer Services (e-Banking, e-Payment, Retail, Utilities, Transportation, …)

ID National and ITZ (e-Government, e-Voting, e-Health, e-school, …)

Corporate (Badge, Enterprise smart login, VPN access, Authentication, …)

One Trusted Digital Identity… … all my Digital Life

Certified Identity Profile

Strong authentication credentials (2‐factors)

Electronic Signature

…with a solution easy to use, really secure, privacy compliant: Mobile Digital Identity…

[Diagram: User, Service Provider (login with Password or M-ID), Identity Manager]

1. Login with Mobile Digital Identity

2. Identification and authentication managed by a Trusted Identity Manager

3. Confirmation with a unique PIN for all Online Services

Example of Online Trust Login: same experience to authorize any transaction, to share attributes or to sign remotely any document

…also for proximity use cases (examples)

Trusted check‐in

Access to Office building

Loyalty Card activation fully integrated with payment experience

Ecosystem Key Success Factors

Ecosystem

“Trusted” Identity Managers

Service Providers: Public or Private

User: Citizens or businesses

Technology Solution Provider

[Diagram: User, Service Provider (login with Password or M-ID)]

Key Success Factors

SHARED RULES: Regulation, Trusted Players, Standardization and interoperability

COMMUNITY: Digital ID provisioning to the largest addressable community

FEDERATED DIGITAL SERVICES: Allow the use of the same Digital ID hopefully to all Digital Services

Telecom Italia roles: Main accelerator, Active accelerator, Active contributor

Italian Regulation and SPID

SPID (Sistema Pubblico per l’Identità Digitale) is the new Italian public system for the management of the digital identity of citizens and businesses

Currently SPID is focused on the Italian market in order to speed up Digital Government transformation as step 1, but it’s ready to evolve towards cross‐border scenarios

A «strong» verification of the user identity is always requested for the issuing.

3 Levels of Security

Level 1 is a one‐factor authentication (LoA2 of the ISO/IEC)

Level 2 is a two‐factor authentication with or without digital certificates (LoA3 of the ISO/IEC)

Level 3 is a two‐factor authentication with digital certificates, whose private keys are stored on devices that meet the requirements as set out in Annex 3 of Directive 1999/93/EC (LoA4 of the ISO/IEC)

MNOs Activities and Mobile Connect

The Mobile Connect asymmetric approach can be implemented in the new generation SIM cards that support:

RSA 2048 / Elliptic Curves crypto accelerator

Dedicated Security Domains to securely manage applets, cards, personal data, keys and certificates of different Service Providers/Third Parties

These SIMs can be used with all smartphones and old phones too

MNOs in GSMA are working on a common solution for Digital Identity: Mobile Connect

The GSMA Mobile Connect proposition includes many steps and a roadmap

Mobile Connect Asymmetric solution (Maximum LoA) is crucial for the deployment of Public Administration services

Telecom Italia activities for rules, standardization and interoperability

SPID

TI Trust Technologies Srl (100% Telecom Italia) is supporting SPID setup as a Certification Authority member of Assocertificatori

TI Trust Technologies is a candidate to become a Digital Identity Manager

STORK

Secure Digital Identity Management project (‘14)

Use case: the use of AgPA trusted certificates released by TI CA securely stored on Secure SIM card to access EU Site

Architecture: TI with native IDP Stork, cross‐border eID using the Italian Stork PEP powered by Politecnico di Torino TORSEC

GSMA

Telecom Italia is active on commercial, technical and regulation groups

Telecom Italia is driving the evolution of new interoperable solution for Digital Commerce and Personal Data

Telecom Italia is the main contributor with Valimo for specification of Mobile Connect with LoA4 and PKI solution

Comments on eIDAS Regulation

TI emphasizes the importance of the eIDAS regulation which will provide legal and regulatory certainty across Member States and stakeholders for digital identification and trust services.

Below the main comments on the regulation, agreed with other MNOs in GSMA.

Reference to well‐established global standards (in both European and international context). We welcome that, for example, the international standard ISO/IEC 29115 has been taken into account for the specifications and procedures set out in the Regulation.

Principle‐based and not over‐prescriptive interoperability framework. The interoperability framework for electronic identification schemes should not be over‐prescriptive, but be principle‐based and take into account the criteria and minimum standards already applied within the Regulation.

Technology neutral specifications. We welcome the technology neutral approach introduced in the Regulation, to be independent of the underlying technology and procedure used to deliver electronic signature for public services.

Appropriate supervision measures. We welcome the provisions set out in the Regulation regarding the trusted lists, that are important to guarantee a proportional and appropriate supervision of identity and trust services providers at national and cross‐border level, achieving trust in the global ecosystem.

It’s important to promote and develop services taking into account the interconnection and interoperability between national eID schemes (e.g. Italian SPID) and eIDAS, according to the objectives of CONNECTING EUROPE FACILITY that support the development of a Digital Single Market.

Community Creation

Strong verification of user Identity and User T&C signature

Digital ID Database creation

Digital ID and credentials delivery

Certified Identity is the key differentiator on a Trusted Digital Life, mainly if compared with self‐asserted Identity (e.g. OTT players)

Trust Database, hosted and managed in Europe, subject to European privacy regulation, ready to interwork with central Database

Delivery of Mobile Digital ID credentials up to LoA4 (SIM‐based or App‐based), compliance with Regulation and interoperable with all Ecosystems

Mobile Operators have a Secure Device for credentials (Secure SIM card), the issuing processes and a Customer Base which covers the whole Digital Population

Key Points and Next Steps

Extend National identity solutions towards a harmonized European approach in order to avoid the fragmentation (eIDAS role).

Ensure Cross‐Country Interoperability

Create liaison and task forces among standardization bodies and associations: ETSI, GSMA, eIDAS… to accelerate development of projects and best practices

Build homogeneous and trust ecosystems without forgetting the user experience behind it

The customer dream is to have a single password for all the services

Service Providers require the right level of security for their services

The personal mobile phone enabled with Mobile Connect PKI SIM cards can satisfy all these needs

Thank you