[Dave Birch] The award-winning BankID initiative in Norway is a very useful case study. It shows what can be done to implement digital identity services when there is a working partnership between people who have an application that needs digital identity services (i.e. banks) and people who have the technology platform to deliver them (i.e. mobile operators). Is this a special case? One might argue that Norway is a small market, a homogeneous society, a place where the co-operation between banks and the operators is unusually close. Norwegians would co-operate in this way, others wouldn't.
In Norway, the main mobile operator Telenor and the Post Office launched a mobile authentication service, SafeSign, a few years ago. While technically excellent, it never really gained any traction. The biggest problem was that there was no cost-effective registration mechanism. So long as people had to sign bits of paper, it was just too expensive and too complicated (according to Telenor, only 21% of customers who were interested in the scheme ever made it through the registration process). Meanwhile, the Norwegian banks (who, of course, already have their customers registered) had started their own consortium to sort out identification and authentication, BankID. In 2005, Telenor and the Post Office gave up and sold SafeSign to BankID.
There had been other co-operation between banks and operators, meanwhile, on the payments side. Telenor and one of the banks (DnB) started a PKI-based service called SmartPay back in 2001. Again, the registration process proved a real barrier (and none of the other service providers were interested in using something that came from one operator and one bank). So again, the service failed.
Having had such early, and bad, experiences with both of these models (i.e. no co-operation with banks, or bilateral co-operation with a single bank), Telenor decided to have another go. Telenor (the second operator is about to join) have agreed with BankID to implement their identity and authentication service on mobile phones using (essentially) the SafeSign technology. They will use over-the-air (OTA) provisioning and the SIM Toolkit (STK) to load the BankID application into the phone, where it will use the PKI key pairs that have sat unused in the SIMs since 2001. Customers will pay a monthly fee to be part of the service (eventually; it will be free from Telenor until they have a critical mass of around 300,000 customers on board) and service providers will pay a per-transaction fee to the mobile operator. I said a long time ago that "SimID" might be more profitable than Simpay! The Norwegian implementation follows my favourite SimID model: the service providers use virtual IDs (public key certificates), the mobile operator provides the digital identity (the key pair) and the bank binds the digital identity to the real person.
The Norwegian operators plan to pilot in 2007 and launch in 2008. One of the main uses of the scheme will be the mobile phone as a simple and cost-effective second factor (2FA) for Internet banking. Some of the other services will be mobile top-up (always a way of kicking off with volume), payment instruction and general-purpose authentication (the operators are hoping that the service will be adopted for corporate single sign-on which, since every single person in Norway has a mobile, is not a bad idea). Telenor has said that it expects to see the service used over NFC interfaces for physical security as well. I can see how well this will work, because as consumers get used to punching in their mobile identity PIN when they want to do a transaction, they will soon come to expect it: they may not even trust a service provider that doesn't use the service.
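The split of roles in the two paragraphs above (the operator supplies the key pair in the SIM, the bank binds it to a person it has already registered, the service provider only ever sees a certificate and a signed challenge) is easy to state and easy to get subtly wrong, so here is a toy of it in Go. This is an added example, not code from the post or from BankID or Telenor: it stands in for the SIM with a software key, uses ECDSA P-256 and X.509 from the Go standard library, and makes up the bank root name, the customer name "Ola Nordmann", the PIN and the certificate lifetimes.

```go
// Added example, not from the post: a toy model of the SimID roles, with the
// operator's key pair in the SIM, the bank certifying it for a registered
// customer, and a service provider checking a PIN-gated signed challenge.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sim is the operator's contribution: a key pair that never leaves the SIM, exposed only via a PIN-gated signing call.
type sim struct {
	priv *ecdsa.PrivateKey
	pin  string
}

// sign releases a signature over the challenge only when the PIN is correct.
func (s *sim) sign(pin string, challenge []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(s.pin)) != 1 {
		return nil, fmt.Errorf("wrong PIN")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// issue signs tmpl under parent (tmpl itself for a self-signed root) and parses the DER back.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newBankRoot makes the bank's trust anchor, the one thing a service provider pins.
func newBankRoot(key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Bank ID Root"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return issue(tmpl, tmpl, &key.PublicKey, key)
}

// bind is the bank's contribution: it already knows the customer, so it can
// certify the SIM's public key as that person with no paper registration.
func bind(root *x509.Certificate, rootKey *ecdsa.PrivateKey, customer string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: customer},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return issue(tmpl, root, pub, rootKey)
}

// verify is the service provider's side: the certificate must chain to the
// bank root it trusts and the signature must cover this login's challenge.
func verify(root, cert *x509.Certificate, challenge, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("unexpected key type in certificate")
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", fmt.Errorf("signature does not match challenge")
	}
	return cert.Subject.CommonName, nil // the identity the bank vouched for
}

func main() {
	bankKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root, _ := newBankRoot(bankKey)
	simKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // personalised by the operator
	card := &sim{priv: simKey, pin: "1234"}
	cert, _ := bind(root, bankKey, "Ola Nordmann", &simKey.PublicKey) // placeholder customer name
	challenge := make([]byte, 32) // fresh per login, so an old signature cannot be replayed
	rand.Read(challenge)
	sig, _ := card.sign("1234", challenge)
	fmt.Println(verify(root, cert, challenge, sig))
}
```

Three things fail closed here, and they are the three things a service provider relying on such a scheme needs to be sure of: a wrong PIN never produces a signature at all, a signature over yesterday's challenge does not verify against today's, and a certificate issued by anyone other than the bank fails chain validation even if it names the same customer over the same SIM key. The provider ends up with exactly the name the bank asserted and nothing else; it never handles the operator's key material or the customer's PIN, which is what makes the three-party split cheaper than each provider doing its own registration.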
This must be a model that other countries will follow with interest. Apart from anything else, if something like BankID succeeds, then the Norwegian government may find it cheaper and more convenient to use it than to roll out its own authentication services, simply because of the penetration of mobiles (which is much higher than web penetration).
My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.