A similar process, but with a somewhat more limited shared user experience, has been used in the Nordic countries with great success. For example, using my own bank ID and a one-time challenged password I can log in to my online bank, but I can also use my credentials when filing taxes or ordering a new service from a mobile operator, or to sign a contract. Over 15 years this bank-based online identification has proven that end users like to repeat the same identification method they use when banking online. Only one userID and card based one time
About one month ago mobile operators launched their verified SIM-card-based identification method, which in reality can also be used for banking. The only problem is whether banks are ready to give up their role as the trusted party of the identifier.
Big service providers like the tax authority or online shops are already letting a third party verify their customers with one single userID, instead of creating a new userID and password solution for customers yet again.
To me the only obvious road would be one userID/challenged password system, but where I could select who my trusted partner is who says that I am the person I claim to be. I don't like to carry several devices, cards or passwords in my pockets/head to identify myself when doing business online.
Thanks Antti. I hope others join the dialogue too, for the questions I posed to bankers are mission critical.
I have some awareness of the BankID system(s). You wrote: "using my own bank id and one time password I can log in to my online bank, but also use my credentials when filing taxes or ordering new service from mobile operator or sign a contract".
Do you know what contractual changes and/or new laws were needed to support this interoperability? As things stand in Australia and elsewhere, bank customers are expressly not allowed to use a bank-issued OTP for anything other than banking. To federate must require new arrangements. The scope and cost of these arrangements are not usually considered when federated identity projects commence.
"About one month ago mobile operators launched their verified SIM card based identification method, which in reality can be used also for banking. The only problem is if banks are ready to give up their role as the trusted party of identifier".
To be fair on the banks, their problem is more subtle than not giving up their role. The real problem is to do with risk management and possibly prudential regulations. The big risk in federation, I think, is that a non-bank ID used in banking might not provide exactly the same risk mitigation as traditional bank-issued IDs, since the bank loses control over the identification process. This means that either (a) banks need to have some say in how the non-bank IDs are issued, or (b) the banks need to change their internal rules to accept a new form of ID, or both. There also need to be no regulatory barriers to new identification protocols being followed to establish ID in banking. In Australia I think this would definitely require changes to prudential regulations.
For one thing, words like "Levels of Assurance" (as per NSTIC) don't appear in our banking rules at present.
"Big service providers like tax authority or online shops are already letting third party to verify their customers with one single userID, instead of creating customers again new userID and password solution"
What sort of shops are doing this? What arrangements do they have in place with the identity issuers (e.g. telcos) to cover liability in the event that someone with a fake ID rips off the shop?
As far as I know, the change came from the government side after the total failure of the state-wide e-ID card. The government spent over 40 M€ and got 25 000 end users to use their ID card reader system. Now the government is sitting on top of the system and acting as controller of the different identification systems. If a company wants to issue a new ID system, it has to clarify how it operates and get a mandate from the State issuing organization. There were changes that turned into law in 2009 and were rewritten again in 2010 when mobile authentication came
When mobile operators first started their common project nearly 10 years ago, one mobile ID system, their target was to offer a bank-ID system. But recently their target has changed quite a lot. Now it is other third party solutions, like ordering new service
There is a huge need for online identification use cases. For example, big mobile operators use the bank ID system when a new customer is ordering a new connection. The customer fills out an application, is identified with bank-ID or mobile-ID and then gets a new SIM card.
As for security, all the banks and operators act under the umbrella of the State Control agency and are liable for their services. If a merchant, for example, bends the rules of identification, then the bank can take their services away. In other cases third party identificators are responsible for checking that their system works the way it is supposed to work.
My own company is the first to act as an Online Identification aggregator, which has all the identification methods on one platform. We have customers like operators, call centres etc. With our system, for example, a company can upload all its documents to our system and invite its customer to sign a document. After the document is signed, the customer gets all the documents by email as attachments. We also have an online web form, where all web orders can be signed with several ID systems. This is about the same way as online payments are done when there is more than one option besides credit card.
24 Apr 2008