Words to ponder as we think about the best way to secure our digital persona.
Identifier – A text string we use to uniquely identify ourselves to a relying party: a person, government, employer, club or entity we wish to have, or need to maintain, a relationship with. This group of entities will hereafter be referred to as a relying party.
Identity – We each are unique and have attributes.
Verification – A process the entity we seek to establish a relationship with uses to determine the truth of the attributes we share. One could argue this is or should be a mutual process. Many call this identity verification or identity proofing.
Registration – When we take these three words, identifier, verification and identification, and think about the first time we present ourselves to a relying party in the global digital environment. We typically present ourselves through a user interface to the entity we are interested in establishing a relationship with. We register, and the relying party creates a record of our existence. They seek to recognize and record our identity.
This process typically requires us to invent, or the relying party to present us with, a unique identifier and to agree to identify ourselves with this unique string, often called a user name, email address, bank account number, social security number, employee id, passport number, driver's license number or payment (card) account number ‘PAN’. The ultimate goal of registration is for the relying party to assure themselves that we are unique and that the attributes we share are linked to our person. They verify our identity.
Today the challenge is to find an efficient, convenient and non-intrusive method of verification.
Authentication – We exist, we can be recognized, and we are able to present ourselves over and over again to the relying party using our identifier. The challenge is how we prove or assure our identity to the relying party each time. We need to authenticate ourselves.
Identification – Many confuse the dialogue above with this word. The difference is how we present ourselves or better said how the relying party expects us to present ourselves.
With the wide use of biometrics and many of the identifiers we spoke of earlier, our identifier may not simply be some random string. A biometric is personal and linked to our body or actions. This biometric can be converted into an identifier and therefore, once accepted as genuine, integrates the act of authentication into the recognition of our identity.
Certain identifiers create a level of assurance, because the relying party trusts the attributes it asserts based on who issued that identifier. They are willing to trust in our identity and associated attributes because of the verification done by the issuing party. It may be a passport, an employee id, a bank card or a driver's license. The instrument has characteristics, privileges and attributes linked to the issuing party, not simply attributes associated with the individual.
As we move from a physical world to a digital world, as people seek to use our identity to present themselves as someone they are not, and as we seek to separate the various relationships we establish, we must find ways of assuring our privacy while securing our relationships. All this demands that we find more secure methods of authentication that are convenient.
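As an added example, not the author's code, here is a small Python model of the vocabulary in this section: an identifier that must be unique at registration, a relying party that records it, and an authentication step in which the object we carry answers a fresh challenge with a credential that is bound to one relying party, so the relationship with the bank stays separate from the relationship with the shop. It uses an HMAC challenge-response as a stand-in for the public-key signature a FIDO authenticator would produce; the class names, relying-party names and the identifier "alice" are all assumptions.

```python
import hashlib
import hmac
import secrets


class Gadget:
    """The object we carry. Holds one secret per relying party (in practice this
    would live inside a secure element, not in ordinary memory)."""

    def __init__(self):
        self._credentials = {}  # rp_id -> secret key

    def register(self, rp_id: str) -> bytes:
        # A fresh credential is minted for this relationship only. In this
        # symmetric stand-in the key is shared with the relying party once, at
        # registration; a FIDO authenticator would hand over a public key instead.
        key = secrets.token_bytes(32)
        self._credentials[rp_id] = key
        return key

    def authenticate(self, rp_id: str, challenge: bytes) -> bytes:
        # Prove possession of the credential for *this* relying party by
        # answering its challenge. Binding rp_id into the MAC input keeps a
        # response for one party from being meaningful to another.
        key = self._credentials[rp_id]
        return hmac.new(key, rp_id.encode() + challenge, hashlib.sha256).digest()


class RelyingParty:
    """Registers identifiers, issues single-use challenges, verifies responses."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self._records = {}   # identifier -> credential recorded at registration
        self._pending = {}   # identifier -> outstanding challenge

    def register(self, identifier: str, gadget: Gadget) -> bool:
        if identifier in self._records:
            return False  # the identifier must be unique within this relying party
        self._records[identifier] = gadget.register(self.rp_id)
        return True

    def challenge(self, identifier: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[identifier] = nonce
        return nonce

    def verify(self, identifier: str, response: bytes) -> bool:
        nonce = self._pending.pop(identifier, None)  # single use: a replay finds no challenge
        key = self._records.get(identifier)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, self.rp_id.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Walk through registration and authentication against two relying parties
    (constructed scenario) and return what each step decided."""
    bank, shop, gadget = RelyingParty("bank.example"), RelyingParty("shop.example"), Gadget()
    results = {}

    results["registered"] = bank.register("alice", gadget)
    results["duplicate_rejected"] = not bank.register("alice", gadget)
    shop.register("alice", gadget)

    # Authentication: the bank challenges, the gadget answers with the bank credential.
    challenge = bank.challenge("alice")
    response = gadget.authenticate("bank.example", challenge)
    results["authenticated"] = bank.verify("alice", response)

    # Replaying the same response fails because the challenge was consumed.
    results["replay_rejected"] = not bank.verify("alice", response)

    # Separation of relationships: the bank credential does not satisfy the shop.
    cross = gadget.authenticate("bank.example", shop.challenge("alice"))
    results["cross_rp_rejected"] = not shop.verify("alice", cross)

    # The shop's own credential does.
    results["shop_authenticated"] = shop.verify(
        "alice", gadget.authenticate("shop.example", shop.challenge("alice")))

    # An identifier the relying party never registered cannot authenticate at all.
    results["unknown_rejected"] = not bank.verify("bob", response)
    return results


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step}: {ok}")
```

The design choice worth noticing is that the relying party never learns anything reusable from an authentication: each response answers one fresh challenge for one relying party. The remaining weakness of this symmetric stand-in is that the relying party's own record holds the same secret the gadget does, which is exactly what a public-key design such as FIDO removes.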
In 1991 I had to learn the difference between million dollar transactions and hundred dollar transactions. As I came to explain, when telling my life story, I had to shift my thinking from 100 transactions at a million to 1,000,000 for a hundred. This transition took me from capital markets to payment cards.
Today I wonder about the future of the ID-1 based payment card, a piece of plastic 3 3/8 by 2 1/8 inches with rounded corners.
In another blog I spoke of how this ID-1 object became a token responsible for acting as the first factor, something you have. Printed, encoded and embossed characteristics were the security features. Today, with EMV as the global standard for payment CARD security, cryptography and the “secure element” replace those physical security features with digitally mastered circuitry embedded inside something capable of protecting the secrets cryptography requires. We digitized the payment card. What we now must do is shift our vocabulary to tokens and credentials.
We need to embrace a new way of speaking; we need to think about our “Payment Credentials”.
Today we tap our phone to pay, we use our phone to browse the internet, we shop and book tickets with apps, and we listen to music and watch movies, all from this device we apparently use thousands of times a day. For those of us who remember computers that filled floors, we are now capable of buying more powerful computers similar in size to those same cards. Think about the Raspberry Pi, a computer almost as small as a card, not quite! Yet!
The embedded secure element integrated inside our payment cards is being integrated into phones, bracelets, rings and things. The question: will they replace the card we are now comfortable with? Yes – maybe? Will we embrace these objects as the new carriers of our payment credentials? Many hope so.
In order to think about the probability of cards disappearing, one must begin by thinking about the number of cards now in circulation. In round numbers we can think about 1.2 billion debit and credit cards, 300 million prepaid cards and 300 million retail branded cards. In round numbers, 1.8 billion payment cards. We next must think about our population and how many people now carry cards – 115 million households and 242 million Americans over the age of 16, according to a recent census. We now have a numerator and a set of denominators.
The question then becomes: how many payment cards does an American want to carry, and how many payment credentials will an American end up having?
I would argue a debit card and a credit card is all we need to carry in our leather wallet, purse or pockets. Those other payment credentials can easily be accessed from wallets in the cloud or in our digital objects.
Merchants can integrate payment capabilities and focus on factoring their consumer receivables, behind relationships designed to service, thrill and sell. In an app- and API-enabled economy, cards become a burden as the experience becomes the essential component of our lives.
With David Birch, we asked the question: Identity, Authentication, Identification, Authorization and ultimately Verification, where are we?
Simple. We have the technology. We have the standards, and more are coming. Authentication is done: use FIDO.
Identification with Biometrics is illuminatingly possible. Even the one I know how to spoof, Voice, with other factors layered in, does the job very well.
The challenge is that privacy and confidentiality must be inherent while regulatory practices must be incorporated.
Today, Wednesday October 18, 2017, I had the opportunity to provide the closing keynote to the EPCOR Annual Payments conference. Today I was reminded of the reality that payments is not only about cards; it is the engine that fuels the revenue of a financial institution. ACH, wires, cards, checks, transfers and even cash are the revenue-earning services our community banks call payments.
My speech was about the future and focused on the evolution of our phone in this new digital age we all must learn to embrace.
Created in December of 2011 as I reflected on the emergence of the Cyber Risk.
My identity is mine electronic or otherwise
I will be prudent in its use
I understand if I enter into an agreement that you can prove it was me
Then I am responsible
I will carry with me an object that can be kept safe from intrusion and can easily be remotely destroyed
You, those entities human and other that I enter into a relationship with
Can offer me anything I am willing to opt-in to
Using a defined set of cryptographic relationships
I agree that a digital contract can be signed and agreed and has the full force of the law behind it
You will recognize that I am your human equal and will,
Save for acts of God and Nature,
Endeavor to provide quality and service
October 03, 2011
Cyberspace trust: Proving you’re not a dog
A very real discomfort underlies the classic joke: “On the Internet, nobody knows you’re a dog.” How can you prove your own identity and confirm the identity of others during virtual interactions? Every time you reach out to a friend on Gchat, post on a classmate’s Facebook wall, or send money to a colleague via PayPal, you are relying on a key assumption: that the person you’re reaching out to behind that Gmail address, Facebook profile, or PayPal screen name is who they say they are. Without this baseline confidence, online interactions and commerce would be paralyzed.
- The next step is to merge the identity sought by everyone and easily relegated to the banks to manage. Facebook and GMail offer an option if their KYC can be improved. With a face-to-face meeting it is possible to truly prove identity, requiring a branch network.
- Transaction processing is legacy in the developed world while the emerging economies offer an opportunity to build new. Existing standards and processes need to be respected as they transform to absorb the new information attachments and Internet offers we now need to cope with.
- The Wallet forms the basic unit to create a trusted network employing smart cards, trusted computing, persistent computing and intelligence to enable the consumer experience.
- Privacy and integrity of that trust is essential to the system
- The individual is key
- Respect rights and obligations
INCREASING EMV CARD AND TERMINAL DEPLOYMENTS CONFIRM EMV AS GLOBAL PAYMENT STANDARD
06 October 2010: As of 1 September 2010, over one billion EMV®* cards and 15.4 million EMV terminals were active globally. These are the latest EMV deployment figures reported by EMVCo, the EMV standards body collectively owned by American Express, JCB, MasterCard and Visa.
Interesting that, as soon as you identify that I should be able to provide my identity to anyone anywhere, you state that a national government can offer such a scheme. That is counterintuitive and fraught with the issue of achieving global standards of identification, given the bureaucracy of most national governments.
Yes, ICAO was able to agree on a template and specification for the e-passport. Fortunately they had a template and various agreements and treaties to justify the work. But when we start out with the basic premise that my identity is how I wish to project myself, we immediately move into a world of nuance with built-in mechanisms to embrace and resist change. That being said, Homo sapiens have a penchant for employing tools that we morph as society and our world evolve.
Picking the right band of stakeholders to assure universality requires that at some point people abandon the idea that there is profit in defining how we will digitally represent a person's identity. Instead, because the consumer/citizen wishes to project, or is required to provide, their identity, we leave it to those seeking to receive the information to find the profit in knowing something about me.
Having been raised in America, I am drawn to the words in our Declaration of Independence that give us the right to life, liberty and the pursuit of happiness. Behind these words I believe I also have the right to my privacy, and I do not want to learn that morphing my identity into a digital form puts my identity at risk. The citizen/consumer must be able to decide when and what information someone is able to scan.
All of this tempers my thinking about who should be engaged in defining the global standard for digital identity.
The two-way street
I could not say it better myself. Like my business card, a police person's badge or a company id card, we present these to each other to create trust between various parties and provide a degree of certainty that:
· I am who I say I am
· This is how you can locate and communicate with me
· Here is proof that I have the following rights and capabilities
Very well said: the exchange of information about my identity must be as easy as handing you my business card. Everything after that is about the context of the transaction and will parallel the discussion and negotiations between the parties.
My only addition to the supposition that the phone is the right gadget is the reality that we are talking about something the citizen must be able to carry almost anywhere. So it must be the one object we always carry. Some would argue this is the mobile phone; I would suggest that we not forget the more primitive device, the purse or wallet. Maybe as we think of identity we must also think of ergonomics and think about merging the phone into the wallet, not the wallet into the phone. Leather is eco-friendly, warm and comfortable to the touch. Metal or plastic tends to be brittle and cold.
The next thought in respect to the gadget is that it becomes the device I trust and will protect at almost any cost. Should I worry about how trustworthy your device is? All I want from you is the information you wish to share and any certificates others provide you that allow me to authenticate your rights and capabilities. My trusted gadget is what I use to share information and certificates, and what helps me absorb and, as appropriate, verify the information and certificates others offer to me.
Yes, my information is mine, and what I offer to others is my choice.
I am not convinced of the need for a central register. Yes, there is a need for third parties to attest to the citizen's identity in a way that others can trust, and therein lies the complexity of introducing a digital solution. In fact, what the citizen needs is a device they trust. A device we trust carries the information and certificates issued by third parties whom the counterparty trusts, and is capable of exchanging the appropriate digital data electronically. In order to achieve this goal we must develop and support a cascade of standards, regulations, contracts and relationships that enable global interoperability, thus assuring a meaningful means of exchanging our digital identity.
Before we go about defining the techniques that should be employed, I think we must first establish base principles. Key must be the idea that there is no centralized register. Instead, those parties we as consumers are willing to trust, and who wish to position themselves as trusted third parties, can build registries recording those individuals they are willing to authenticate. The citizen may wish to contract with an entity to provide support for the trusted gadget and the various relationships it supports.
The author's position on protecting privacy and meeting the needs of law enforcement is laudable yet scary. I'd rather have the protection offered by a distributed environment that is still capable of responding to directed queries from law enforcement, and not blanket access to everything I or others have collected about me.
Make my gadget the gatekeeper; allow service providers and those parties wanting the security of digital identity the ability, through standards, to build affordable infrastructure to read, with my permission, data stored in my gadget. Avoid the complexity of establishing a global register. What we need to define is the architecture for a gadget that is capable of carrying and supporting a myriad of digital relationships with their linked need to assure proper identification. We then need to agree on a common set of information that all sectors share. Maybe the vCard is the base.
For more information I offer the following background and a concept for consideration.