What about mobile ID

In the last few years there have been few mobile identity services launched by mobile operators. The pioneers are the Scandinavian operators and the Turkish operator Turkcell, but similar services exist in Estonia, Latvia and Switzerland.

What do I mean by mobile ID?

Well, it is basically an “identity card” on your phone, which you can “present” to an online service through typing in a PIN code on the phone. The application on the SIM then verifies the user’s identity for the online service. A simple implementation of the service can be seen here.

In order to obtain this digital ID card, you need to have a compatible SIM-card with the necessary application. Then, you would need to register. This is usually done face-to-face, where the actual identity is verified before the SIM-card is loaded with the mobile ID and a pin code is provided. From this point on the mobile ID can be used with any compatible service. Currently, those are usually government and financial services.

The benefits of the service are huge – First, this is a way to identify users once for multiple services, which saves time, hassle and costs  for customers and service providers: the lengthy face-to-face process is only done once. Second, it’s a way to do many more sensitive transactions online: from opening a bank account to applying for welfare benefits, from signing major contracts to voting. And third, it increases security significantly – the use of the phone enables 2-factor authentication and the SIM-based PKI encryption is very strong. This is a level of security that is only achievable with Physical hardware token, which hurt customer experience considerably and not always practical to use.

So why is the success of those services so mild? Turkcell, the first operator to launch this kind of service in 2007, had about 80,000 users at the end of 2010, out of   more than 33 million customers. Adoption in Scandinavia and the Baltic is also in the tens of thousands. There are several explenations, but they all come down to onw: They are not user-centric.

When engaging in online services, people care mostly about convenience. Online security is also important, but not enough – we all know this since we use the same easy-to-remember password for many accounts. All the services launched aren’t focused on improving user experience online, but on providing an extra layer of security, which does not appeal to customers.Its especially true if in order to get it you to go into the operator’s store to register, and in some cases even pay for the service.

The solution is, as always, to focus on the customer. Operators need to think how can they improve the online identification experience, and only later to add their security features to the mix. This might mean that starting from simple authentication mechanisms, such as apps, and only later advance to complex SIM-based processes. The best way to to this is to engage with the rest of the digital identity community that tries to solves these problems globally (see earlier post), and add the MNO assets, the mobile device and the SIM to it, and not to treat it as a stand-alone service. When customers enjoy a better online experience, the security features that accompany it will come more naturally. As in many other areas, mobile operators need to start with the digital customer, and partner with those who know how to solve her problems, only the combination of that with mobile assets will produce a winning solution.

So why talk about identity now?

User-centric identity is not a new concept. I met people that have been in this space for over 10 years, and certainly in the last 5 years there has been a lot of activity in this space, especially around developing new standards for identity. But all this time digital identity remained in the domain of a small community of specialists and evangelists.

But in the last year a few major developments took place, and in my view it represent a shift to the mainstream. First, the internet community started consolidating around a small number of standards that will enable interoperability – companies such as Google, Microsoft, Yahoo, Paypal and Verizon put their weight behind the core standards of the future identity ecosystem, and at the end of 2011 came up with “Open ID connect“, the standard that will hopefully make it all much easier.

And this activity is not limited to standards. Most of us already use the most successful identity provider so far – facebook. With “facebook connect”, you can now login to thousands of websites. Google, in the meantime, consolidated their users’ identity across all their (and others’) services, in a way that enables new uses of our personal data. Paypal, at the end of last year, launched the first identity service aimed at E-commerce services, “PayPal Access“.

Second, governments understood that the issue of trust in online identities is crucial, for both public service as well as the market in general. Therefore, the US government  published the “National Strategy for Trusted Identities in Cyberspace“, and the UK put into motion its own “ID Assurance” program. Their objective is to create a market of identity providers that will cater for both government digital services as well as the private sector. In concurrence with this, the World Economic Forum started a working group titled “Rethinking Personal Data” that put identity at the heart of a huge new market for personal data, controlled by the consumer.

What about telecom operators? although many regard them as natural players in the identity game, they are quite behind at the moment, with a few exceptions. In the US, Verizon and AT&T are involved in the industry and launched initial services – Verizon for the healthcare sector (UID service) and AT&T for consumers, focusing on personal cloud services. In Europe, several operators launched in 2011 mobile identity services, mostly focused on mobilizing the national identity card and offering a verified, secure authentication via the mobile device. Such services were launched in Finland by all operators (see example from Elisa) and by Swisscom in Switzerland, joining to earlier services launched by operators in Turkey and the Baltics.

In the background for all this activity are the long-term trends that are dictating better identity – more online commerce, more digital services, switch to smartphones and tablets and more and more usage of personal data to provide better experience and better targeting. All those trends, along with mounting fraud and security risks (Sony…)  are pushing the old service-centric, multiple usernames and passwords system to its end of life – our digital future needs a better solution, and it is  starting to take form.

The death and resurrection of the mobile wallet

There is a lot of commotion lately around the mobile wallet, such as the one Orange UK launched last year and ISIS is about to launch in the US. Many refer to the mobile wallet as the ability to pay with your phone, but this view has two serious flaws. First, why just have payment mechanisms in this new wallet? I would like to have there everything else I have in my wallet: from my driver’s license, through my gym membership and ending with my organ donor card. Second, I don’t want it just to be mobile. What I really want is a digital wallet that I can use whenever I want and wherever I want: on my phone, on my PC or at the store. For this to happen, my wallet needs to be accessed from anywhere. And when you think about it, this is actually my personal data wallet – All my personal information securely stored in one place and at my disposal at all times.

So is that the death of the mobile wallet? on the contrary. We need an easy but also a secure way to access our data wallet, and here the mobile comes into play!

The mobile is already our most important digital device, and the most personal – the one that we carry all the time and has our most important information.That’s why it is the most obvious choice for our digital ID remote control. What does that mean? It means that through the mobile phone we can have a secure access to our digital wallet. Access – because it is the device we always have with us and the first one we notice missing. Secure – that is due to the 2-factor authentication that our phone can provide.

2-factor authentication means that to authenticate ourselves we use not only a secret we know (like a password) but also something we have, such as a smart card or a phone. In order to break into our account, someone has to have both, which is much harder than stealing just a password, which we all know is easy. And the phone does it better than any other device – because it is something we already have. Any other secure token will have to be an additional device to carry around. In addition, inside the phone we already have a SIM card, and that is a element that is already designed to provide us with a high-level of security.

Think about the following scenario: You want to get a parking permit for your neighbourhood. In order to do that you have to prove that you are a resident of that municipality, show that you have a car on your name, and pay £50. Nowadays we would need to either send utility bills + car registration form, and then type in your card details, or worse, go in person to the office with all the necessary paperwork. With the digital wallet, it all becomes more simple. You log into the website with your digital ID, you apply for a permit. Then, your digital data wallet ask for your permission to “show” your digital residence card and digital vehicle registration certificate, both stored in the wallet, to the parking service. You then choose the card you want to pay with, and then approve the info sharing and the payment with punching in a PIN code on your phone. The whole process took two clicks and four digits, and it also much more secure, since no passwords and no credit card details are typed online.

That is the future of our digital transactions – and people are working on it as we speak. Next time I’ll try to review what is actually being done to make this a reality.

So what is this blog about?

Of all aspects of our digital lives, our digital identity is maybe the least talked about. Hi, most of us don’t even what exactly that means (and for you guys I have a number of great resources on the links page). But it is definitely one of the most important problems that are left to be solved in cyberspace.

Some of you might question my statement above – if this is such a big problem then why are most people unaware of it? Well, the answer is that like many other innovations, we think of the current situation as given, a fact of life. So we accept many limitations to our digital life:

– That we need to manage dozens of different passwords, and type in the same personal details over and over again in order to register for online services

– That we can’t open a bank account or a library card online

– That we can’t prove our address or age online, and need to send out utility bills or wait for an activation code to arrive by post

– That we can’t know the real identity of the person who’s selling us a TV on eBay

– and Finally, that our personal data is harvested and used without our consent and not always to our benefit

All those problems can be solved. Actually, many companies, from small start-ups to the likes of IBM and Google, are working on solving them right now. Some say there is an overarching solution, while others focus on a specific area. The more visionary ones don’t just try to solve current problems, but also take us to new places. But for all of them, the key is creating a user-centric digital identity – one identity that we control and use for any digital service.

But any way you look at it, there is a long way to go before this happens. It involves technology, trust, standards and  money. The discussion only started and there are no right answers yet. One of the most important of issues is one of the least developed, and this is the business case for digital identity. As one of those who are entrusted with making that case, I hope I can contribute to the discussion and help progress it.

And – This is my first foray into the blogging sphere, so I’m very open to comments, suggestions and anything that can make this blog more interesting and helpful.

Assaf.