2012 – the year in which user-centric ID began kicking!

The year ending today was a major milestone for digital identity. In May, I outlined a few major developments that brought digital identity to the tech mainstream. However, in retrospect there has been another important trend that will help this market take shape in 2013. That trend is related to a fundamental prerequisite for the digital identity ecosystem, and one of the most important problems it is trying to solve: the convenience of creating and using your identity online.

In this space massive steps have been taken by the internet giants this year, namely Facebook, Google and Amazon. Facebook Connect is now being deployed on 10,000 websites every day, which brings it to more than 10 million sites in total. Industry experts estimate that the average Facebook user is logging into 5-15 other services with their Facebook ID. Sites like Spotify even mandate logging in with Facebook, thereby enabling social functions automatically while outsourcing credentials management completely. Google has made a similar step in its own domain: Google users can now log in with the same ID to more than 20 Google services, on any device, and enjoy the advantages of sharing data between those services. Amazon is taking the combined approach: you can now check out with your Amazon ID at other retail websites that offer the service, but you can also log into multiple Amazon services with one ID, including Lovefilm for example.

These steps are fundamental in changing customer behaviour and evolving the need for user-centric identity. Users are beginning to realise the benefits of a federated, user-centric identity, and will want more. It is great not having to remember my YouTube or TripAdvisor passwords, so why should I keep on remembering those of my gas provider, camera retailer and tax website? It will also become a necessity for all those online services that are competing with the giants: they will have to provide a similar user experience in order to continue to attract users and shoppers. Although Google and Facebook are important in advancing the ecosystem, they are not necessarily the ones to solve the problem when it comes to retail, financial services and government. But the need is increasingly out there.

The opportunity for future identity providers is to take this a step further and create a truly user-centric identity, independent of any company’s own services. I believe we are about to see a few of those next year, which will be another crucial year for digital identity: we will start seeing other organizations, such as telcos and financial service providers (did anyone say PayPal?), coming into this space and, together with the internet players, turning it into a mass market service. An important step towards this was made with the launch of the mIdentity program at the GSMA, which signals that mobile operators are beginning to understand the importance of this market to their future. 2013 will therefore be a seeding year for identity services, with initial launches in several countries in Europe (more details on those in following posts). With a good start next year, 2014-2015 will hopefully be the mass adoption years.

Happy new year!

The future face of trust

One of the major issues the digital identity community is trying to solve is trust: how can you trust someone with an important online transaction when you don’t see her face or any identifying document?

The immediate solution is to import the trust we have in the physical world into the digital one. When you are presented with a government-issued photo ID you are usually comfortable with a person’s identity. And indeed, since early internet times we have been asked to come in for a face-to-face authentication session before being allowed to access our online bank account, and asked to fax and scan different proofs of our identity.

Envisioning the future digital identity ecosystem, most people still see that as the way to achieve trust in a person’s identity, just more efficiently: your IDP (identity provider) will verify your identity once, along with attributes such as age and address. After that, for any online transaction your counterpart (either a service or an individual) could rely on the IDP’s verification instead of conducting their own. Such a system is already in place in the Nordics: BankID is an inter-bank scheme through which any online service can use the banks’ ID verification online, with the help of a code table or a smart card, and lately a mobile phone. In the UK, the Post Office plans to offer verification services to future IDPs through its branch network.

There are also start-ups that are trying to find smarter ways that will not require people to go into a branch to get identified. Miicard from the UK is using your existing bank credentials to verify your identity. When signing up for a Miicard identity, you can connect your bank account and the service will verify that your personal details are correct. This is a way to “piggy-back” on reliable banking verification methods even when the banks themselves are not providing identity services.

But the digital space allows for new forms of trust that are not possible in the physical world. Trust in a person’s identity is important, but it doesn’t mean that the person is trustworthy. But think about this: what if you could also see at the same time that he has 5 recommendations on LinkedIn, 20 enthusiastic reviews as a host at Airbnb and 50 positive reviews as an eBay seller? Or maybe aggregate all of them into one “reputation index” you would see as part of their identity? That could be quite reassuring. There are people who have already recognised this future and are working to make it a reality. One of them is Rachel Botsman, and you can watch her fascinating TED talk on the subject here.

This is exactly what excites me about this field: digital identity will enable us to do much more than replicate the physical world. A trustworthy ecosystem will lead to new ways of integrating personal data to increase efficiency and create new services. However, in order to make it a reality we need to take it step by step. A secure, easy-to-use digital version of our ID card is the first step and the “reputation index” is the second if we are to drive mass adoption of a new way of transacting online.

Just give it up – websites shouldn’t be managing passwords!

The last month might have been a stepping stone towards the end of internet identity as we know it today. In just a few weeks we saw passwords hacked from LinkedIn, Yahoo, tech news website Techradar, dating site eHarmony, as well as other popular sites such as AndroidForums and Last.fm. Millions of passwords were compromised, and the real problem is that the same passwords are used for our email, Facebook and Amazon.

A lot has been written on what can be done to solve this, and three approaches were prominent. The first is the old “blame the users” approach. Users use passwords that are easy to break, and even worse, they use the same easy-to-break password on multiple websites. The moment people stop doing that, the problem will not be as bad. After all, hackers don’t break into Last.fm because they want to listen to music. This is all true, but things will have to get much worse for people to change their habits and impose on themselves a complex array of different, hard-to-break passwords. It’s true that there are services such as 1Password and LastPass that can help you with that (I use one myself), but they don’t work on all devices.

The second approach is to demand better security from websites. It is true that many online services that store passwords don’t do it securely enough, and open the door for hackers. There are probably improvements to be made, but it is unlikely that every internet forum will reach the necessary security level.

The third, more forward-looking approach is seeking to replace passwords with better authentication means. As you could see this week in the Washington Post, these methods are starting to mature. From tokens to biometrics to facial recognition, there are better ways to authenticate in a way hackers find difficult to break. Putting aside possible faults (e.g. a simple photo can gain you access with some facial recognition apps), these ideas are good, but they are only part of the necessary evolution of internet identity.

What is really happening is that identity is becoming too complex to be managed independently by each website. The proliferation of user accounts, mobile devices and security threats makes the current state unsustainable, for both users and services. Digital identity must therefore go the way of digital payments. No online service will consider handling payments on its own, without a payment service provider: it’s just too complicated and insecure. The same applies to identity: a few years from now no online service will think of handling identities without using identity providers. These providers will ensure both security and ease of sign-up/sign-in for the service, as well as convenient, secure identity management for the user. They will also be able to develop and integrate the right authentication methods, be it mobile PINs, biometrics or any other.

This is not a futuristic vision: in the US and the UK there is work in progress to bring this new identity ecosystem to life. Organizations such as the OIX and the Kantara Initiative are working to create the rules according to which identity providers will operate. It’s a new and exciting space that aims to make our digital transactions easier and more secure.

What about mobile ID?

In the last few years there have been a few mobile identity services launched by mobile operators. The pioneers are the Scandinavian operators and the Turkish operator Turkcell, but similar services exist in Estonia, Latvia and Switzerland.

What do I mean by mobile ID?

Well, it is basically an “identity card” on your phone, which you can “present” to an online service by typing in a PIN code on the phone. The application on the SIM then verifies the user’s identity for the online service. A simple implementation of the service can be seen here.

In order to obtain this digital ID card, you need to have a compatible SIM card with the necessary application. Then, you would need to register. This is usually done face-to-face, where the actual identity is verified before the SIM card is loaded with the mobile ID and a PIN code is provided. From this point on the mobile ID can be used with any compatible service. Currently, those are usually government and financial services.

The benefits of the service are huge. First, this is a way to identify users once for multiple services, which saves time, hassle and costs for customers and service providers: the lengthy face-to-face process is only done once. Second, it’s a way to do many more sensitive transactions online: from opening a bank account to applying for welfare benefits, from signing major contracts to voting. And third, it increases security significantly: the use of the phone enables 2-factor authentication and the SIM-based PKI encryption is very strong. This is a level of security that is otherwise only achievable with a physical hardware token, which hurts customer experience considerably and is not always practical to use.

So why is the success of those services so mild? Turkcell, the first operator to launch this kind of service in 2007, had about 80,000 users at the end of 2010, out of more than 33 million customers. Adoption in Scandinavia and the Baltics is also in the tens of thousands. There are several explanations, but they all come down to one: they are not user-centric.

When engaging in online services, people care mostly about convenience. Online security is also important, but not enough: we all know this since we use the same easy-to-remember password for many accounts. All the services launched aren’t focused on improving the user experience online, but on providing an extra layer of security, which does not appeal to customers. It’s especially true if, in order to get it, you have to go into the operator’s store to register, and in some cases even pay for the service.

The solution is, as always, to focus on the customer. Operators need to think how they can improve the online identification experience, and only later add their security features to the mix. This might mean starting from simple authentication mechanisms, such as apps, and only later advancing to complex SIM-based processes. The best way to do this is to engage with the rest of the digital identity community that tries to solve these problems globally (see earlier post), and add the MNO assets, the mobile device and the SIM, to it, rather than treat it as a stand-alone service. When customers enjoy a better online experience, the security features that accompany it will come more naturally. As in many other areas, mobile operators need to start with the digital customer and partner with those who know how to solve her problems; only the combination of that with mobile assets will produce a winning solution.

So why talk about identity now?

User-centric identity is not a new concept. I have met people who have been in this space for over 10 years, and certainly in the last 5 years there has been a lot of activity in this space, especially around developing new standards for identity. But all this time digital identity remained in the domain of a small community of specialists and evangelists.

But in the last year a few major developments took place, and in my view they represent a shift to the mainstream. First, the internet community started consolidating around a small number of standards that will enable interoperability: companies such as Google, Microsoft, Yahoo, PayPal and Verizon put their weight behind the core standards of the future identity ecosystem, and at the end of 2011 came up with “OpenID Connect“, the standard that will hopefully make it all much easier.

And this activity is not limited to standards. Most of us already use the most successful identity provider so far: Facebook. With “Facebook Connect”, you can now log in to thousands of websites. Google, in the meantime, consolidated their users’ identity across all their (and others’) services, in a way that enables new uses of our personal data. PayPal, at the end of last year, launched the first identity service aimed at e-commerce services, “PayPal Access“.

Second, governments understood that the issue of trust in online identities is crucial, for both public services and the market in general. Therefore, the US government published the “National Strategy for Trusted Identities in Cyberspace“, and the UK put into motion its own “ID Assurance” program. Their objective is to create a market of identity providers that will cater for both government digital services and the private sector. Concurrently, the World Economic Forum started a working group titled “Rethinking Personal Data” that put identity at the heart of a huge new market for personal data, controlled by the consumer.

What about telecom operators? Although many regard them as natural players in the identity game, they are quite behind at the moment, with a few exceptions. In the US, Verizon and AT&T are involved in the industry and launched initial services: Verizon for the healthcare sector (UID service) and AT&T for consumers, focusing on personal cloud services. In Europe, several operators launched mobile identity services in 2011, mostly focused on mobilizing the national identity card and offering verified, secure authentication via the mobile device. Such services were launched in Finland by all operators (see example from Elisa) and by Swisscom in Switzerland, joining earlier services launched by operators in Turkey and the Baltics.

In the background of all this activity are the long-term trends that are dictating better identity: more online commerce, more digital services, the switch to smartphones and tablets, and more and more usage of personal data to provide a better experience and better targeting. All those trends, along with mounting fraud and security risks (Sony…), are pushing the old service-centric system of multiple usernames and passwords to its end of life. Our digital future needs a better solution, and it is starting to take form.

The death and resurrection of the mobile wallet

There is a lot of commotion lately around the mobile wallet, such as the one Orange UK launched last year and ISIS is about to launch in the US. Many refer to the mobile wallet as the ability to pay with your phone, but this view has two serious flaws. First, why just have payment mechanisms in this new wallet? I would like to have there everything else I have in my wallet: from my driver’s license, through my gym membership, to my organ donor card. Second, I don’t want it just to be mobile. What I really want is a digital wallet that I can use whenever I want and wherever I want: on my phone, on my PC or at the store. For this to happen, my wallet needs to be accessible from anywhere. And when you think about it, this is actually my personal data wallet: all my personal information securely stored in one place and at my disposal at all times.

So is that the death of the mobile wallet? On the contrary. We need an easy but also a secure way to access our data wallet, and here the mobile comes into play!

The mobile is already our most important digital device, and the most personal: the one that we carry all the time and that has our most important information. That’s why it is the most obvious choice for our digital ID remote control. What does that mean? It means that through the mobile phone we can have secure access to our digital wallet. Access, because it is the device we always have with us and the first one we notice missing. Secure, due to the 2-factor authentication that our phone can provide.

2-factor authentication means that to authenticate ourselves we use not only a secret we know (like a password) but also something we have, such as a smart card or a phone. In order to break into our account, someone has to have both, which is much harder than stealing just a password, which we all know is easy. And the phone does it better than any other device, because it is something we already have. Any other secure token will have to be an additional device to carry around. In addition, inside the phone we already have a SIM card, and that is an element that is already designed to provide us with a high level of security.
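As an added illustration (not code from this blog or from any operator’s product) of the two-factor point above and of the SIM-based mobile ID flow described in the earlier post: the Go program below models a SIM applet that signs a service’s random challenge only after the correct PIN is entered, while the relying party verifies against the public key registered at enrolment. The applet, service, PIN lockout and replay check are hypothetical models, and Ed25519 stands in for whatever signature scheme a real SIM applet would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
)

// simApplet is a hypothetical model of the SIM applet: it holds the private key
// (something you have) and signs only after the correct PIN (something you know).
type simApplet struct {
	priv    ed25519.PrivateKey
	pin     string
	retries int // three wrong PINs lock the applet, as real SIM applets do
}

func (s *simApplet) sign(pin string, challenge []byte) ([]byte, bool) {
	if s.retries <= 0 {
		return nil, false // locked
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(s.pin)) != 1 {
		s.retries--
		return nil, false // wrong PIN
	}
	s.retries = 3
	return ed25519.Sign(s.priv, challenge), true
}

// onlineService models the relying party: it keeps the public key registered at
// enrolment and accepts each random challenge once, so a captured signature
// cannot be replayed.
type onlineService struct {
	pub     ed25519.PublicKey
	pending map[string]bool
}

func (svc *onlineService) newChallenge() []byte {
	c := make([]byte, 32)
	_, _ = rand.Read(c) // crypto/rand only fails if the OS RNG is broken
	svc.pending[string(c)] = true
	return c
}

func (svc *onlineService) verify(challenge, sig []byte) bool {
	if !svc.pending[string(challenge)] {
		return false // unknown or already consumed challenge
	}
	delete(svc.pending, string(challenge))
	return ed25519.Verify(svc.pub, challenge, sig)
}

// enrol stands in for the one-off face-to-face registration: the private key is
// loaded on the SIM and the public key registered with the service.
func enrol(pin string) (*simApplet, *onlineService) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &simApplet{priv: priv, pin: pin, retries: 3},
		&onlineService{pub: pub, pending: map[string]bool{}}
}

// login runs one authentication round trip: challenge, PIN, sign, verify.
func login(sim *simApplet, svc *onlineService, pin string) bool {
	ch := svc.newChallenge()
	sig, ok := sim.sign(pin, ch)
	return ok && svc.verify(ch, sig)
}
```

A stolen phone alone fails at the PIN, a phished PIN alone fails at the signature, and a recorded signature fails the one-time challenge check.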

Think about the following scenario: you want to get a parking permit for your neighbourhood. In order to do that you have to prove that you are a resident of that municipality, show that you have a car in your name, and pay £50. Nowadays you would need either to send utility bills and the car registration form and then type in your card details, or worse, go in person to the office with all the necessary paperwork. With the digital wallet, it all becomes simpler. You log into the website with your digital ID and apply for a permit. Then, your digital data wallet asks for your permission to “show” your digital residence card and digital vehicle registration certificate, both stored in the wallet, to the parking service. You then choose the card you want to pay with, and approve the information sharing and the payment by punching in a PIN code on your phone. The whole process took two clicks and four digits, and it is also much more secure, since no passwords and no credit card details are typed online.

That is the future of our digital transactions, and people are working on it as we speak. Next time I’ll try to review what is actually being done to make this a reality.

So what is this blog about?

Of all aspects of our digital lives, our digital identity is maybe the least talked about. Most of us don’t even know what exactly that means (and for you guys I have a number of great resources on the links page). But it is definitely one of the most important problems that are left to be solved in cyberspace.

Some of you might question my statement above: if this is such a big problem then why are most people unaware of it? Well, the answer is that, as with many other innovations, we think of the current situation as given, a fact of life. So we accept many limitations to our digital life:

– That we need to manage dozens of different passwords, and type in the same personal details over and over again in order to register for online services

– That we can’t open a bank account or a library card online

– That we can’t prove our address or age online, and need to send out utility bills or wait for an activation code to arrive by post

– That we can’t know the real identity of the person who’s selling us a TV on eBay

– And finally, that our personal data is harvested and used without our consent and not always to our benefit

All those problems can be solved. Actually, many companies, from small start-ups to the likes of IBM and Google, are working on solving them right now. Some say there is an overarching solution, while others focus on a specific area. The more visionary ones don’t just try to solve current problems, but also take us to new places. But for all of them, the key is creating a user-centric digital identity: one identity that we control and use for any digital service.

But any way you look at it, there is a long way to go before this happens. It involves technology, trust, standards and money. The discussion has only started and there are no right answers yet. One of the most important issues is one of the least developed, and that is the business case for digital identity. As one of those who are entrusted with making that case, I hope I can contribute to the discussion and help progress it.

And this is my first foray into the blogging sphere, so I’m very open to comments, suggestions and anything that can make this blog more interesting and helpful.

Assaf.