A Finextra member 26 January, 2011, 09:28 0 likes

Similar process but a bit limited shared user experience has been used in Nordic countries with great success. For example using my own bank id and one time  challenged password I can log in to my online bank, but also use my credentials when filing taxes or ordering new service from mobile operator or sign a contract. Over 15 years this bank based online identification has proven that end users like to repeat same identification method as they use when banking online. Only one userID and card based one time challenged password.

About one month ago mobile operators launched their verified SIM card based identification method, which in reality can be used also for banking. The only problem is if banks are ready to give up their role as the trusted party of identifier.

Big service providers like tax authority or online shops are already letting third party to verify their customers with one single userID, instead of creating customers again new userID and password solution.

To me only obvious road would be one userID/ challenged password system, but I could select who is my trusted partner who says that I am the person I claim to be. I don't like to carry several devices, cards or passwords on my pockets/ head to identify online when doing business online.

Stephen Wilson - Lockstep Consulting - Sydney 31 January, 2011, 22:33 0 likes

Thanks Antti. I hope others join the dialogue too, for the questions I posed to bankers are mission critical.

I have some awareness of the BankID system(s).  You wrote: "using my own bank id and one time password I can log in to my online bank, but also use my credentials when filing taxes or ordering new service from mobile operator or sign a contract".  Do you know what contractual changes and/or new laws were needed to support this interoperability.  As things stand in Australia and elsewhere, bank customers are expressly not allowed to use a bank-issued OTP for anything other than banking.  To federate must require new arrangements.  The scope and cost of these arrangements are not usually considered when federated identity projects commence.

"About one month ago mobile operators launched their verified SIM card based identification method, which in reality can be used also for banking. The only problem is if banks are ready to give up their role as the trusted party of identifier".

To be fair on the banks, their problem is more subtle than not giving up their role.  The real problem is to do with risk management and possibly prudential regulations. The big risk in federation I think is that a non-bank ID used in banking might not provide exactly the same risk mitigation as traditional bank issued IDs, sicne the bank loses control over the identification process.  This means that either (a) banks need to have some say in how the non-bank IDs are issued, or (b) the banks need to change their internal rules to acept a new form of ID, or both.  There also needs to be no regulatory barriers to new identification protocols being followed to establish ID in banking.  In Australia I think this would definitely require changes to prudential regulations. For one thing, words like "Levels of Assurance" (as per NSTIC) don't appear in our banking rules at present.

"Big service providers like tax authority or online shops are already letting third party to verify their customers with one single userID, instead of creating customers again new userID and password solution"

What sort of shops are doing this?  What arrangements do they have in place with the identity issuers (e.g. telcos) to cover liability in the event that someone with a fake ID rips off the shop?

Cheers, Stephen.

A Finextra member 01 February, 2011, 08:08 0 likes

Stephen,

As far as I know, the change came from goverment side after total failure of state wide e-id- card. Goverment spent over 40 M€ and got 25 000 end users to use their ID/ card reader system. Now goverment is sitting top of system and acting as controller of different identification systems. If company wants to issue new ID-system, they have to clarify how they operate and get mandate from State issuing organization. There were changes turned to be law 2009 and rewritten again 2010 when mobile authentication came in force.

When mobile operators first started their common project nearly 10 years ago,  one mobile ID-system, their target was to offer bank-ID system. But recently their target has changed quite a lot. Now it is other third party solutions, like ordering new service from store.

There are huge need of online identification use cases. For example big mobile operators use bank ID system when new customer is ordering new connection. Customer fills out application, is identified with bank-ID or mobile-ID and then he gets new SIM card. What comes to security, all the banks and operators act under umbrella of State Control agency and are liable of their services. If merchant for example bends rules of identification, then bank can take their services away. Other cases third party identificators are in responsible of checking that their system works the way it suppose to work.

My own company is first to act as Online Identification aggeregator, who has all the identification methods on one platform. We have customers like operators, call centers etc. With our system for example company can upload all the documents to our system and invite their customer to sign a document. After document is signed, customer gets all the documents to his email as attachment. We have also online web form, where all web orders can be signed with several ID systems. This is about same way as online payments are done when there is more option as credit card.