[Dave Birch] I’m as exasperated as everyone else about the hopeless nature of identification and authentication for financial services. When I log on to my bank at home, I have a dongle. I can log on from my smartphone using a password (that I’ve forgotten) or I can call the telephone banking centre using a different password (that I’ve also forgotten, so when I last called I had to go through a set of security questions again). If I log into my bank’s credit card subsidiary, I don’t use the dongle but an entirely different password. The dongle used for my work bank account with bank A is entirely different to (and incompatible with) the dongle for my home account from bank B.
This is bonkers: a nearly optimal waste of everyone’s time and money. It’s impossible to understand how we go into this mess, but it should be a lot easier to get out of it. A key reason for this is that consumers now have their own devices — smartphones and tablets — that are capable of supporting strong identification and authentication. There’s no need of the banks to provide smart cards, dongles or anything else. The brilliant Eve Maler (“@xmlgrrl”) notes this shift.
The category that quickly became my favorite was “bring-your-own-token.” BYOT is Forrester’s term for the various methods (sometimes called “tokenless”) that leverage the devices, applications, and communications channels users already have.
BYOT doesn’t quite work for me. Maybe “COD” (customer-owned-device) or “MYTH” (MY THingy) would be catchier. Nonetheless, Eve is spot on. We all know what that thingy would be, by the way.
Fighting technology with technology seems most promising—by replacing ID cards with phones.
Without diverting into architecture, it seems transparently obvious that the consumer’s own phone should be their key. In effect, this would enable consumers to deal with a single token and authentication service. That should mean that they are able to take advantage of a framework such as the National Strategy for Trusted Identity in Cyberspace (NSTIC) in a convenient and manageable way. They would be able
to be known anywhere online and reduce passwords down to one password. Those benefits are easy. The core question remains as to how identity is proven by the Identity Provider (IDP). The document says the right things here, but the devil remains in the details of how this will be achieved. How would I, Colin Henderson, be personally identified and associated with my online ID such that a bank would trust it?
I don’t think this is what will happen in practice, because there is a difference between asserting that an identity is unique and authentication, and asserting that that identity is you or me. I think it will work differently, and in a better way, but since I refuse to provide free consultancy to the government on this, I won’t say how… oh, all right then. Here’s one way it could work…
I log in to some service, let’s say the tax authority, using the complicated question/answer, username/password, e-mail/mobile phone or whatever else it is they use at the moment.
Once I’ve logged in, having established my identity to the satisfaction, not to mention legal minimum standard, for the service provide, I tell them that I’d like to log in future using Barclays’ OpenID service (I’ve made this up, there is no such thing). I put in my debit card number and a message pops up on my phone asking for my personal number. I enter the number. The tax site says OK.
From then on, I can log in to the tax authority using my Barclays’ OpenID service. Barclays isn’t, in this example, telling the tax people that I am Dave Birch or what my NI number is or anything else. All it is doing is tell the tax people that this is the same identity that they, not Barclays, have associated with the tax identity. This isn’t only about banking or financial services. It is, for example, how I had anticipated things would work under the Cabinet Office’s proposed Identity Assurance (IDA) scheme. I go to, say, DWP and authenticate myself to them using whatever antiquated process they see fit, but presumably involving national insurance numbers, mothers’ maiden names and that sort of thing. Once they know who I am, I present my token (imperfectly, in the short term, my mobile phone number). From then, I can log in to DWP using my mobile phone number.
It would be very nice to move towards a minimum standard for token access to private and public services, a sort of standard remote control for cloud identity, though, and preferably one based on open standards. If we bring together MYTH and OAUTH/UMA/OpenID Connect, then, is the problem solved? Can the Cabinet Office or the Payments Council or whoever then mandate the change? Not quite. There are requirements for identity management in the financial services space that are not the same as in other spaces.
For some of the eighty and ninety years olds who spoke to the researchers mobility problems and a lack of experience with modern bank accounts meant they received help from others in making financial transactions. Most commonly, would ask trusted third-parties such as family members or caregivers to withdraw money on their behalf. What is required is some mechanism for delegating small well defined financial tasks to another individual in a way that limits the risk of abuse of the necessary relationship of trust by either party.
This is a very good example of the kind of service that needs to be delivered in the financial services space. If I have a senile parent, for example, they wouldn’t delegate their passport to me. But they might need to delegate control over their virtual identity for financial services to me. So I should be able to link the MYTH for my bank account to my father’s bank account for certain limited purposes.
It should be a priority in the financial sector to develop the requirements for the identity and attribute services that they need and a priority for (amongst others) mobile operators to begin developing services that meet those requirements. This is the sort of thing that I will be talking about at the Identity.next conference “Making (y)our business with digital identity” in The Hague on 20th-21st November 2012 so I look forward to seeing you there and discussing what the financial sector’s real requirements for digital identity might be.
These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers