Filed Under: Identification and Authentication, People

Control centre

Leave a Comment

[Dave Birch] Andre Duran, the CEO of Ping Identity, and a chap who knows a thing or two about digital identity, said earlier in the year that there are four “megatrends” that are changing the landscape for interaction. These are…

…cloud, social, mobile and big data. The world looks very different today than it did even five years ago. And so our thinking and our solutions must change with it.

[From 4 Megatrends That Will Transform Online Identity – Forbes]

I don’t think anyone would disagree. Digital identity is core to the connection between these trends, which I’m sure is one of the reasons why the accountants Deloitte flagged up digital identity as one of their “technologies to watch” or something similar for 2012. So they’re on my page, as I believe the young people say. But it’s one thing to say “digital identity” and another to turn it into an element of organisational strategy, and one of the main reason why is that the term is diffuse. To me, digital identity means something quite specific. But that’s not, I think, generally true.

Former Twitter CEO Evan Williams noted in a blog post this weekend that online identity is one of the thorniest issues any web-based service has to deal with — in part because the word “identity” means a number of different things.

[From Online Identity Isn’t a Transaction — It’s a Feeling: Tech News and Analysis «]

True. And I suppose I might reasonably be accused of sticking to more technology-centric or “tool-centric” definition, but I prefer to do that because it is more specific.

This is a very tool-centric, or marketing-centric approach, and leaves out — or dismisses — all the messy and interesting philosophical aspects of identity. Consider issues like publicy: How much of these various aspects of identity do you want to be revealed? Or context-based identity: you are a different you with the bowling league, at work, or on Suicide Girls.

[From Evan Williams | evhead: Five Easy Pieces of Online Identity | Stowe Boyd]

Digital identity means different things to different people, naturally, but I think one of the common threads that I am beginning to see is control. Could it be that “control” is the key concept that will bring digital identity alive for businesses and consumers alike?

Personal, which Forrester Research has identified as a leader in the emerging personal identity management space, is focused on empowering consumers to take control over their own data. Doug Wheeler, co-founder and COO of Personal, described the company as a “private network where users store all of life’s important details in bite size pieces called data ‘gems.’

[From CMOs: Are You Ready For the Next Technology Revolution? – Forbes]

I make no comment about whether their technology or business is any good, but refer to this snippet in order to make a different point: that technologists like me will get nowhere without the marketing guys. It’s “data gems” that sell, not “digitally-signed NDEFs containing references to personally-identifiable information”. One of my constant complaints about the world of digital identity, data privacy and the apparently paradoxical online world that delivers simultaneously more security and more privacy is that it remains disconnected from the marketing and commercial side of organisations such as, for example, mobile operators.

Fighting technology with technology seems most promising—by replacing ID cards with phones.

[From Fake ID cards: Identity crisis | The Economist]

I think the first serious “identity in phone” project that Consult Hyperion worked on was for the Japanese company NTT Data, and that was a decade or so ago. Yet the concept doesn’t seem to making much progress in the mainstream. I’d quite like to use a standard phone-based identity to access most services and it drives me to distraction to have to deal with hundreds of different usernames, password, PINs, secret words and personal questions to get what I want to get online. I have all of them stored in an app on my phone anyway (I happen to use “SplashID”, which is pretty good, but I’m always forgetting to add things into it) and I’d really like to avoid problems like this morning, when I had to do something in Firefox and it asked me for a “Master Security Password” that I had absolutely no memory of).

Why the slow going? Maybe it’s something to do with the packaging. If we could package the digital identity message properly, with a common understanding of the term and a shared narrative that animates it, so that we can connect with the commercial guys, then I think we could reasonably expect growth. You’d think the accountant-style persons in operators and elsewhere would be all over it, because the scale of the problem is huge and the opportunity to do something about it — because of the frameworks that are coming into place, the technologies available to us and the experience already built up — is immediate.

Cases of online fraud have increased threefold compared to 2010, partly due to consumers having a large number of web accounts, according to new research.

[From Online fraud: too many accounts, too few passwords | News | TechRadar]

But. There’s still not a lot happening. I have a memory of a Vodafone woking on something around a decade ago, and Turkcell have some services live, but there’s a disconnection somewhere. Mobile operators seem, to me, to be the natural providers of a digital identity infrastructure and one of the natural providers of identity and attribute services that could take advantage of it. How? Earlier this year, Assaf Bielski wrote a succinct prescription when commenting on the slow uptake of service (e.g., the Estonian mobile ID, which has only 30,000 users).

The best way to to this is to engage with the rest of the digital identity community that tries to solves these problems globally (see earlier post), and add the MNO assets, the mobile device and the SIM to it, and not to treat it as a stand-alone service.

[From What about mobile ID | It’s all about ID]

Exactly. Who cares about “Joyn“. I want standard, open and interoperable digital identity with the keys in tamper-resistant hardware. Why don’t the mobile operators start with OpenID on their own sites (so I don’t have to mess about remembering different passwords for O2, Orange, 3 and Virgin) and then enable 2FA OAuth2 using SIM-based keys. Eating your own dog food, I believe our transatlantic cousins call it. If millions of mobile customers began using it for operator services, then it would presumably become attractive for other service providers to use it and thus become a market for value-added services.

These are personal opinions and should not be misunderstood as representing the opinions of 
Consult Hyperion or any of its clients or suppliers

One thought on “Control centre”

  1. bcsl@blueyonder.co.uk' David Moss says:

    Dave Birch: “… it drives me to distraction to have to deal with hundreds of different usernames, password, PINs, secret words and personal questions to get what I want to get online …”

    It must have occurred to you that all that diversity makes you safer, it is a security feature, it avoids a single point of weakness, the alternative could be a threat to you, there is a balance to be struck between convenience and security. Is it possible to have both? Convenience and security.

    The Government Digital Service need Identity Assurance to make all public services digital by default. GDS believe we should all have a PDS, a personal data store, which would exist somewhere in the cloud and which, with other infrastructure, could provide the credentials needed to authorise our access to those services.

    Mydex is one company which seeks to provide PDSs. Mydex is associated with Ctrl-Shift, a consultancy which advises some government departments. Ctrl-Shift produced a report, Identity Assurance, which says, Birchlike:

    Instead of each separate organisation providing the customer with their own, unique identity for the purposes of dealing with only that organisation (an approach leading to individuals having to manage scores of different identity attributes such as usernames, passwords etc.), individuals could have one, single identity that they can use with many different organisations.”

    Can you think of any reason why 60 million of us should entrust our identity to Mydex and to the cloud? That’s the Cabinet Office and the Department for Business Innovation and Skills want us to do. Do you think it would be wise for 60 million of us to accede?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.