Consumer and Citizen Identities: Government Issued or Trust Frameworks? (European Identity...

Consumer and Citizen Identities: Government Issued or Trust Frameworks? Maarten Wegdam, Novay. European Identity Conference 2011, 12 May 2011, Munich

As presented at the European Identity Conference 2011, on 12 May 2011

Transcript of Consumer and Citizen Identities: Government Issued or Trust Frameworks? (European Identity...

Page 1: Consumer and Citizen Identities: Government Issued or Trust Frameworks? (European Identity Conference 2011)

Consumer and Citizen Identities: Government Issued or Trust Frameworks?

Maarten Wegdam, Novay

European Identity Conference 2011, 12 May 2011, Munich

Page 2

Novay?

• Independent Dutch ICT research institute
• Formerly Telematica Instituut
• “People driven, ICT empowered”
• ~55 researchers, multi-disciplinary
• Innovation projects
• Including financial sector, government and semi-government

Page 3

Old problem

[New Yorker cartoon by Peter Steiner]

Page 4

What to expect?

• Re-usable identities are the way to go

• Government vs trust framework: they co-exist

• Banks and government are key

• Convincing relying parties: needed and hard work

Page 5

Identity in the offline world

Page 6

And online?

• Id theft
• Avoidable costs
• Lost revenues (?)
• Frustrated users
• Privacy/control issues

Page 7

Solution: re-usable identities

(One or) a few trusted identities

Of course: secure & trusted

Of course: user controlled, privacy sensitive

Page 8

Trust in an identity

• Authentication means
• Identity binding
• Level of Assurance

Page 9

Challenges for trusted re-usable identities

• Lack of trust in Id Provider
• Privacy issues
• Market entry issues

Page 10

The big choice: government or market as identity provider

• Government – as in offline world

• Market – as phone, internet access, email, etc.

Page 11

The big choice: government or market as identity provider

• Government – as in offline world

• Market – as phone, internet access, email, etc.

• Some form of controlled market

Page 12

Decreasing (government) control:

1. Government issued
2. Government regulated
3. Trust framework
4. Free market (tech standard)

Note: models 1 to 3 require some form of monopoly or regulator

Page 13

To have more trust and a healthy ecosystem:

• A fair business model
• New identity providers can join
• Easy access for relying parties (scalability)
• Balancing interests between players
• Privacy assurances
• Governance / audits
• Support one or more levels of assurance

Identity trust framework = a set of rules that all players agree upon

Page 14

Success criteria C2B/C2G identity

• Frequent use of eID essential

• For private AND public services (C2B & C2G)

• Bank involvement seems key

• Government governance required

• Easy entrance for relying parties

• Ease of use for end-users

• High (100%?) user penetration needed

[based on use cases study in DK, BE, DE, NO, SE, EE, US in 2010]

Page 15

Government issued eID

• Easier market entry
  • 100% user coverage
  • gov as relying party
• Clearer business model
• Neutral branding
• Privacy of relying party

Identity trust framework

• Innovation ‘friendlier’
• User choice
• International is easier (?)
• Benefits of competition …
• Re-use existing identities

Trust: cultural?

User privacy: one big brother or several medium brothers?

Page 16

Use-case: trusted and re-usable consumer identity in NL

• Consortium
• Financial sector
• Vision on trust framework
• Feasibility

Page 17

Vision on trust framework

• Business model – users should not pay (directly)
• Business case – re-use existing identities
• Very easy for relying parties to connect
• Several levels of assurance – ‘mid’ trust and up
• Mobile – from the start
• Privacy – state-of-the-art and consent
• Government needed for trust (link to eRecognition)

Page 18

: my lessons learned

• High-level management in the financial industry does not understand nerdy terms like trust frameworks

• Government needs to be ‘predictable’ !!!
  • Relying parties: so they don’t wait for gov
  • Identity providers: trust & no competition

• Re-use existing & trusted: you need (all ?) banks as identity providers

• not core business, there are risks, and unclear business case ...

Page 19

My 2 cents for relying parties

• Re-use identities from others when you can
• Heterogeneity - no 1-identity-to-rule-them-all, accept heterogeneity as inevitable
• Stimulate trust frameworks - it is in your interest to reduce heterogeneity without introducing a monopoly
• Architect your identity system to accept different levels of assurance, from different parties

• If you have customers from only one nation, can wait a couple of years and live in a government-issued C2B eID country: things may be simpler.

Page 20

5 things to keep an eye on

1. Will social login (Facebook etc) become more trustworthy?

2. Will domain-specific trust frameworks expand, e.g. higher education?

3. Are four levels-of-assurance (trust levels) really needed? Will users understand?

4. What is the value of an authentication for a relying party? (BankID is pretty cheap …)

5. Are trust frameworks also about trusting the relying parties?

Page 21

Take aways

• Re-usable identities are the way to go
  • If both C2B and C2G: easier market entry, cheaper

• Government vs trust framework: they co-exist
  • Privacy, political, legacy, legislation are factors

• Banks and government are key
  • Market penetration as identity providers
  • Killer apps as relying parties
  • Trust

• Convincing relying parties: needed and hard work

More information: http://maarten.wegdam.name