TELECOM ITALIA GROUP
Mobile Digital Identity: Opportunities and use cases
Sophia Antipolis, 2015, 25th June
ETSI – Security WEEK – eIDAS Stream
Maura Turolla, Sara Della Luna
Telecom Italia Strategy & Innovation
Digital Identity Problem
Sources: GSMA 2014, Rapporto OCSE 2013, Contact lab European Digital behaviour study 2013, Ricerca Censis 2013
82,4% of users believe that personal data sharing on the web is dangerous
89% of users look for products and brands, but only 34% buy them
40% of users authorize personal data processing only with a trusted provider
92% of users leave a website when faced with a forgotten password or a new registration
Since 2005, more than 500 million identity thefts
148.000 PCs are at risk of being hacked every day
«password» is the most popular password
On average a user has 26 logins and only 5 passwords
Worldwide problem / Italians' online behaviour
TI would support Public & Private Industries in the Digital Transformation, assisting citizens in their Trusted Digital Life…
Consumer Services (e-Banking, e-Payment, Retail, Utilities, Transportation, …)
ID National and ITZ (e-Government, e-Voting, e-Health, e-school, …)
Corporate (Badge, Enterprise smart login, VPN access, Authentication, …)
One Trusted Digital Identity… … all my Digital Life
Certified Identity Profile
Strong authentication credentials (2-factors)
Electronic Signature
…with a solution easy to use, really secure, privacy compliant: Mobile Digital Identity…
[Figure: login flow between User, Service Provider and Identity Manager; the Service Provider page offers "Login with" Password or M-ID]
1. Login with Mobile Digital Identity
2. Identification and authentication managed by a Trusted Identity Manager
3. Confirmation with a unique PIN for all Online Services
Example of Online Trust Login: same experience to authorize any transaction, to share attributes or to sign remotely any document
…also for proximity use cases (examples)
Trusted check-in
Access to Office building
Loyalty Card activation fully integrated with payment experience
Ecosystem Key Success Factors
Ecosystem players:
“Trusted” Identity Managers
Service Providers (Public or Private)
User (Citizens or businesses)
Technology Solution Provider
Key Success Factors:
SHARED RULES: Regulation, Trusted Players, Standardization and interoperability
COMMUNITY: Digital ID provisioning to the largest addressable community
FEDERATED DIGITAL SERVICES: Allow the use of the same Digital ID hopefully to all Digital Services
Telecom Italia: Main accelerator / Active accelerator / Active contributor
Italian Regulation and SPID
SPID (Sistema Pubblico per l’Identità Digitale) is the new Italian public system for the management of the digital identity of citizens and businesses
Currently SPID is focused on the Italian market in order to speed up Digital Government transformation as a step 1, but it is ready to evolve towards cross-border scenarios
A «strong» verification of the user identity is always requested for the issuing.
3 Levels of Security
Level 1 is a one‐factor authentication (LoA2 of the ISO/IEC)
Level 2 is a two-factor authentication with or without digital certificates (LoA3 of the ISO/IEC)
Level 3 is a two-factor authentication with digital certificates, whose private keys are stored on devices that meet the requirements as set out in Annex 3 of Directive 1999/93/EC (LoA4 of the ISO/IEC)
MNOs Activities and Mobile Connect
The Mobile Connect asymmetric approach can be implemented in the new generation SIM cards that support:
- RSA 2048 / Elliptic Curves crypto accelerator
- Dedicated Security Domains to securely manage applets, cards, personal data, keys and certificates of different Service Providers/Third Parties
These SIMs can be used with all smartphones and old phones too
MNOs in GSMA are working on a common solution for Digital Identity: Mobile Connect
The GSMA Mobile Connect proposition includes many steps and a roadmap
Mobile Connect Asymmetric solution (Maximum LoA) is crucial for the deployment of Public Administration services
Telecom Italia activities for rules, standardization and interoperability
SPID
TI Trust Technologies Srl (100% Telecom Italia) is supporting SPID setup as a Certification Authority member of Assocertificatori
TI Trust Technologies is a candidate to become a Digital Identity Manager
STORK
Secure Digital Identity Management project (‘14)
Use case: the use of AgPA trusted certificates released by TI CA, securely stored on a Secure SIM card, to access EU Site
Architecture: TI with native IDP Stork, cross-border eID using the Italian Stork PEP powered by Politecnico di Torino TORSEC
GSMA
Telecom Italia is active on commercial, technical and regulation groups
Telecom Italia is driving the evolution of new interoperable solutions for Digital Commerce and Personal Data
Telecom Italia is the main contributor with Valimo for specification of Mobile Connect with LoA4 and PKI solution
Comments on eIDAS Regulation
TI emphasizes the importance of the eIDAS regulation which will provide legal and regulatory certainty across Member States and stakeholders for digital identification and trust services.
Below the main comments on the regulation, agreed with other MNOs in GSMA.
Reference to well-established global standards (in both European and international context). We welcome that, for example, the international standard ISO/IEC 29115 has been taken into account for the specifications and procedures set out in the Regulation.
Principle-based and not over-prescriptive interoperability framework. The interoperability framework for electronic identification schemes should not be over-prescriptive, but be principle-based and take into account the criteria and minimum standards already applied within the Regulation.
Technology neutral specifications. We welcome the technology neutral approach introduced in the Regulation, to be independent of the underlying technology and procedure used to deliver electronic signature for public services.
Appropriate supervision measures. We welcome the provisions set out in the Regulation regarding the trusted lists, that are important to guarantee a proportional and appropriate supervision of identity and trust services providers at national and cross-border level, achieving trust in the global ecosystem.
It’s important to promote and develop services taking into account the interconnection and interoperability between national eID schemes (e.g. Italian SPID) and eIDAS, according to the objectives of CONNECTING EUROPE FACILITY that support the development of a Digital Single Market.
Community Creation
Strong verification of user Identity and User T&C signature
Digital ID Database creation
Digital ID and credentials delivery
Certified Identity is the key differentiator on a Trusted Digital Life, mainly if compared with self-asserted Identity (e.g. OTT players)
Trust Database, hosted and managed in Europe, subject to European privacy regulation, ready to interwork with central Database
Delivery of Mobile Digital ID credentials up to LoA4 (SIM-based or App-based), compliant with Regulation and interoperable with all Ecosystems
Mobile Operators have a Secure Device for credentials (Secure SIM card), the issuing processes and a Customer Base which covers the whole Digital Population
Key Points and Next Steps
Extend National identity solutions towards a harmonized European approach in order to avoid the fragmentation (eIDAS role).
Ensure Cross‐Country Interoperability
Create liaison and task forces among standardization bodies and associations: ETSI, GSMA, eIDAS… to accelerate development of projects and best practices
Build homogeneous and trust ecosystems without forgetting the user experience behind it
The customer dream is to have a single password for all the services
Service Providers require the right level of security for their services
The personal mobile phone enabled with Mobile Connect PKI SIM cards can satisfy all these needs