Stephen Wilson in Lockstep

Are banks ready for the new identity ecosystem?

26 Jan, 2011 00:32

The National Strategy for Trusted Identities in Cyberspace (NSTIC) released by the Whitehouse last month, is a proposal for a new “ecosystem” of diverse Internet IDs. It is the latest incarnation of Federated Identity, where identification established with one service provider can be re-used with other services.

In the words of Whitehouse cyber security chief Howard Schmidt: “Imagine that a student could get a digital credential from her cell phone provider and another one from her university and use either of them to log in to her bank, her e-mail, her social networking site, and so on, all without having to remember dozens of passwords”.

NSTIC adopts the now orthodox federated identity idea of “trust levels” or “Levels of Assurance” (LOA). The US National Institute of Standards and Technology has settled on a four point LOA standard. The idea is that different transactions carry different risks and need to be matched to the right LOA: Low, Medium, High and Very High (or words to that effect). And if different business domains can settle on a common language for describing risk and trust, then their identities should be able to interoperate. It’s intuitively attractive, but in practice difficult to apply, especially in banking, where there are strict regulated protocols for identifying customers.

As bankers contemplate federated identity and the opportunities brought about by the voluntary NSTIC, I have some questions:

How do banks feel about taking on the new role of “Identity Provider” in the identity ecosystem? Is it a commercial opportunity? Or maybe a strategic social media opportunity to facilitate their customers' participation in cyber communities?
How do banks feel about accepting identification of new customers performed by other banks? By Paypal? By government agencies? By universities and phone companies? By Facebook?
What are the regulatory implications of moving to the new language of “Levels of Assurance” when identifying customers? How will KYC rules and regulations need to be adapted?
How will banks manage the risks arising when their customers use bank-issued “identities” to transact in other settings (retail, telecoms, e-government, e-health) over which the bank has no control?
If a bank is to sanction the use of the “identities” it issues (e.g. OTPs, smartcards, apps) in other settings, what changes will be needed to its customer agreements?

Comments

Added: 26 January, 2011 - 09:28 | Antti Larvala - CAL360 Degrees - Brussels

Similar process but a bit limited shared user experience has been used in Nordic countries with great success. For example using my own bank id and one time challenged password I can log in to my online bank, but also use my credentials when filing taxes or ordering new service from mobile operator or sign a contract. Over 15 years this bank based online identification has proven that end users like to repeat same identification method as they use when banking online. Only one userID and card based one time challenged password.

About one month ago mobile operators launched their verified SIM card based identification method, which in reality can be used also for banking. The only problem is if banks are ready to give up their role as the trusted party of identifier.

Big service providers like tax authority or online shops are already letting third party to verify their customers with one single userID, instead of creating customers again new userID and password solution.

To me only obvious road would be one userID/ challenged password system, but I could select who is my trusted partner who says that I am the person I claim to be. I don't like to carry several devices, cards or passwords on my pockets/ head to identify online when doing business online.

0 thumb ups! (Log in to thumb up)

Added: 31 January, 2011 - 22:33 | Stephen Wilson - Lockstep Group - Sydney

Thanks Antti. I hope others join the dialogue too, for the questions I posed to bankers are mission critical.

I have some awareness of the BankID system(s). You wrote: "using my own bank id and one time password I can log in to my online bank, but also use my credentials when filing taxes or ordering new service from mobile operator or sign a contract". Do you know what contractual changes and/or new laws were needed to support this interoperability. As things stand in Australia and elsewhere, bank customers are expressly not allowed to use a bank-issued OTP for anything other than banking. To federate must require new arrangements. The scope and cost of these arrangements are not usually considered when federated identity projects commence.

"About one month ago mobile operators launched their verified SIM card based identification method, which in reality can be used also for banking. The only problem is if banks are ready to give up their role as the trusted party of identifier".

To be fair on the banks, their problem is more subtle than not giving up their role. The real problem is to do with risk management and possibly prudential regulations. The big risk in federation I think is that a non-bank ID used in banking might not provide exactly the same risk mitigation as traditional bank issued IDs, sicne the bank loses control over the identification process. This means that either (a) banks need to have some say in how the non-bank IDs are issued, or (b) the banks need to change their internal rules to acept a new form of ID, or both. There also needs to be no regulatory barriers to new identification protocols being followed to establish ID in banking. In Australia I think this would definitely require changes to prudential regulations. For one thing, words like "Levels of Assurance" (as per NSTIC) don't appear in our banking rules at present.

"Big service providers like tax authority or online shops are already letting third party to verify their customers with one single userID, instead of creating customers again new userID and password solution"

What sort of shops are doing this? What arrangements do they have in place with the identity issuers (e.g. telcos) to cover liability in the event that someone with a fake ID rips off the shop?

Cheers, Stephen.

0 thumb ups! (Log in to thumb up)

Added: 01 February, 2011 - 08:08 | Antti Larvala - CAL360 Degrees - Brussels

Stephen,

As far as I know, the change came from goverment side after total failure of state wide e-id- card. Goverment spent over 40 M€ and got 25 000 end users to use their ID/ card reader system. Now goverment is sitting top of system and acting as controller of different identification systems. If company wants to issue new ID-system, they have to clarify how they operate and get mandate from State issuing organization. There were changes turned to be law 2009 and rewritten again 2010 when mobile authentication came in force.

When mobile operators first started their common project nearly 10 years ago, one mobile ID-system, their target was to offer bank-ID system. But recently their target has changed quite a lot. Now it is other third party solutions, like ordering new service from store.

There are huge need of online identification use cases. For example big mobile operators use bank ID system when new customer is ordering new connection. Customer fills out application, is identified with bank-ID or mobile-ID and then he gets new SIM card. What comes to security, all the banks and operators act under umbrella of State Control agency and are liable of their services. If merchant for example bends rules of identification, then bank can take their services away. Other cases third party identificators are in responsible of checking that their system works the way it suppose to work.

My own company is first to act as Online Identification aggeregator, who has all the identification methods on one platform. We have customers like operators, call centers etc. With our system for example company can upload all the documents to our system and invite their customer to sign a document. After document is signed, customer gets all the documents to his email as attachment. We have also online web form, where all web orders can be signed with several ID systems. This is about same way as online payments are done when there is more option as credit card.