Future of identity - growing demand

Transcript of Future of identity - growing demand

Page 1: Future of identity - growing demand

Future of Identity
Global Context - Growing Demand

1 Sep 16, Tallinn
Patrick Curry
[email protected]

Page 2: Future of identity - growing demand

Social Norms

• We have social norms of behaviour built over millennia
• Society runs on trust = Communities
• We act in groups
  – Individually
  – Organisationally
  – Nationally
  – Internationally
• Disruptive change
  – Villains
  – Heroes

Page 3: Future of identity - growing demand

Biggest problem – Tower of Babel

• We are all affected by the same things
• Laws of physics still the same
• Yet… A gazillion point solutions
• Darwinian outcome certain:
  – Centralise; or,
  – Interoperate
• Follow the herd
• VHS vs Betamax

Page 4: Future of identity - growing demand

eIDAS history

• European Digital Agenda Key Points 3 and 16
• EU WG to develop an EU Citizen eID specification
• DG HOME Expert Group on ID Fraud. Europol reports ID Fraud top enabler of crime. Council action requested.
• Ad hoc eID tech demonstrators leading to STORK
• STORK large scale pilot
• DG CONNECT project to develop eID interop policy
• eIDAS Regulation published. Compliance by Sep 2017.
• Comparisons with international standards and regulations.

Page 5: Future of identity - growing demand

Legislation

• eIDAS. eID Authentication & Digital Signature Regulation
  – Citizen eID recognised in all Member States for public purposes
• NISD. Network Information Security Directive
  – Data breach notification to regulators and EU
• GDPR. General Data Protection Regulation
  – Pseudonymity – Preventing a person becoming identifiable
• 4th Anti Money Laundering Directive
  – Customer due diligence checking requirements, reporting suspicious transactions, maintain records of payments, combat money laundering & terrorist financing activities
  – Registers for beneficiary traceability
• Payment Services Directive 2 (PSD2)
  – Expands use of digital payments and cross-border payment flexibility
  – Expanded scope. Includes new digital payment services
  – New security, insurance and due diligence requirements

Page 6: Future of identity - growing demand

4 Contexts of Identity

• Citizen
• Consumer
• Employee - Industry
• Employee - Gov

Plus:
• Device ID
• Organisation ID
• Software Authentication
• Data Authentication

Page 7: Future of identity - growing demand

ISO/IEC 29115 – Entity Authentication Assurance Framework

Page 8: Future of identity - growing demand

The Basic Electronic Credential Lifecycle*

[Diagram; stages as shown on the slide, grouped under the diagram's phase labels]

Enrolment: Sponsorship → Application → Initial Verification (proofing documents) → Full Verification → Registration → Approve? (N: Stop; Y: continue)
Provisioning: Order credential → Data preparation → Data transfer → Print credential → Data injection into chip → Validation & quality check → Secure transport → Customer notification → PIN issuance → Customer receipt
Issuance: Authenticate user → Authenticate credential → Activate credential (Interview)
Use (see Trust Framework)
Manage: Suspend, Revoke, Renew?, Destroy; Stop; Restart (point depends on policy)

* Ignores supporting information management

Page 9: Future of identity - growing demand

Governance

• Community of trust. Transparency
• Shared objectives
• Collaborative governance of risk stakeholders
• Liability model
• Six elements
  – Policy Management Authority & Technical Design Authority
  – Trust Operations
  – Assurance
  – Enforcement and trust repair
  – Company responsibilities
  – Community & stakeholder management

Page 10: Future of identity - growing demand

Levels of Assurance

We need to identify ourselves to others, and vice versa, in a wide range of situations and particularly for electronic activities, which may require different Levels of Assurance.

4 Levels of Assurance:

1. LoA 4. Extra measures. 3 factor authentication (with second biometric). Strong hardware token. Optional federated Physical Access Control. Used in highly secure situations.
2. LoA 3. High confidence in identity. Legally robust non-repudiation. 2 Factor Authentication. E.g. employee authentication, digital signature, ID based encryption, secure email.
3. LoA 2. Some confidence of identity. Expect some failures. Financial liability model. E.g. credit cards, Know Your Customer.
4. LoA 1. Self assertion. E.g. [email protected].

Page 11: Future of identity - growing demand

Major strategic drivers - national, international, market

• Increasing regulations
• Consumer centricity & omnichannel
• Card/mobile payments
• Global supply chains
• Cross-sector interactions
• Banking and payments systems
• Border controls, migration & refugees
• Risk management
  – Opportunity
  – Cybercrime
  – Compliance
  – Complexity
  – Branding & reputation

Page 12: Future of identity - growing demand

[Diagram: identity federation maturity across the four contexts (Citizen, Consumer, Employee - Gov, Employee - Industry), ranging from "No federation" to "Good Federation". Labels recoverable from the slide, in the order extracted:]

• 9/11; HSPD 12; FIPS 201 - PIV; FIPS 201 – PIV - Interoperable
• ITU-T/ISO 24760/29115
• Supply chain collaboration; CertiPath/SAFE-BioPharma
• Kantara Initiative Identity Assurance Framework
• Sectors: Borders, Police, NATO, SESAR, Legal, Energy, Pharma, Aerospace
• "Hardly used = weak business case?"
• OIX, Google, Facebook, Credit cards, HACC?, NFC??
• US NSTIC ?
• No federation / No federation / Good Federation

Page 13: Future of identity - growing demand

British Business Federation Authority

Level 3+ Identity Federations (PKI) - a UK perspective

[Diagram; labels as shown on the slide]

• UK PKI Bridge (Emerging Bridge)
• Early Adopters. Cross Certified Orgs: MOD, NHS, NPIA/Police, DWP+
• LoA 2+ Brokers
• Potential Gov & Ind CSPs: EADS/Cassidian, Citi, Entrust, SAFE/BioPharma, Symantec, Trustis
• Potential UK CSPs: Citi, EADS, Entrust, Symantec, Verizon Business+
• CertiPath Aero/Def
• SAFE-BioPharma
• Other Potential National Bridges or CAs: USA, Australia, Canada, NZ, NL, BE, FR, DE, IT+, NO, SWE, ESP, Interpol, EU, NATO

Any nation could put itself at the centre…

Page 14: Future of identity - growing demand

Some EU National e-ID initiatives

| Nation   | Name            | Purpose           | Population             | LoA  | Biometrics | Features            | Remarks                   |
|----------|-----------------|-------------------|------------------------|------|------------|---------------------|---------------------------|
| Estonia  | ID              | E-gov, Societal   | 1.3 M +                | 4    | Face       | Auth, Sign, Encrypt |                           |
| Estonia  | E-residency     | E-gov & business  | 8 M target, 10 k today | 3    | Nil        | Auth, Sign, Encrypt |                           |
| Belgium  | .beID           | Societal          | 12 M                   | 3    | Face       | Auth, Sign, Encrypt |                           |
| Germany  | Personalausweis | E-gov             | 80 M +                 | 3/4  | Face       | Auth, Sign, Encrypt | Low adoption of eID       |
| France   | France Connect  | E-gov             | Starting               | 2/3? | ?          | ?                   |                           |
| UK       | Verify          | Limited E-gov     | 50 M                   | 2    | Nil        | Auth                | 333 k; 1.5 uses/year      |
| Austria  | Personalausweis | E-gov             | 10 M                   | 3/4  | Face       | Auth, Sign, Encrypt |                           |
| NL       | DigID           | E-gov             | 12 M                   | 3    | Face       | Auth, Sign          | Tax only                  |
| Malta    | E-ID            | E-gov             | 400 k                  | 3    | Face       | Auth                | Voting                    |
| Ireland  | ID card         | Travel            | 5 M                    | 3    | Face       | Auth                | Requires passport         |

Page 15: Future of identity - growing demand

Lessons

• Top Lesson. Be clear – is the e-ID to benefit the government or the nation? Legal, benefit and business models are very different.
• Cards for e-Gov have low adoption and usage rates and little value. People forget where they are and how to use them. Gov is unable to achieve major savings and has to maintain manual systems.
• Cards for societal use have reasonable adoption and use, but benefits are not significant.
• Cards that assist commercial processes (e.g. KYC, AML, company management, contract signing, power of attorney) are highly valued and used.
• Cards that can be used across borders are more valued. (High demand for the Estonia e-Residency card.) Other nations are thinking of following the Estonian model.
• Move to mobile will open more opportunities, reduce operating costs and be more secure. Opportunity for the ID to make money.

Page 16: Future of identity - growing demand

Other National e-ID initiatives

| Nation    | Name          | Purpose                      | Population | LoA | Biometrics         | Features            | Remarks                              |
|-----------|---------------|------------------------------|------------|-----|--------------------|---------------------|--------------------------------------|
| Malaysia  | MyKad         | E-Gov, societal, bank, email | 30 M       | 4   | Face, finger       | Auth, sign, encrypt | 1st e-ID                             |
| NZ        | RealMe        | E-Gov, online services       | 5 M        | 3   | Face, (video)      | Auth                |                                      |
| Japan     | My Number     | E-Gov                        | 130 M      | 3/4 | Face, ?            | Auth, ?             | Disaster services                    |
| Korea     | (New project) | E-Gov                        | 40 M       | 3/4 | Face, ?            | Auth, sign, encrypt | Resident Registration Number fraud   |
| Singapore | E-IC          | e-Gov, societal, bank        | 5 M        | 3/4 | Face, ?            | Auth, sign, encrypt | Design stage                         |
| Nigeria   | e-ID          | E-gov, societal              | 180 M      | 4   | Face, finger       | Auth, sign, encrypt | Agricultural subsidy fraud           |
| Kenya     | (new project) | E-Gov                        | 44 M       | ?   | Face, finger       |                     |                                      |
| India     | Aadhaar       | Societal                     | 1 bn +     | 3/4 | Face, Iris, retina | Auth, Sign, Encrypt | Largest deployment                   |
| US        | NSTIC         | Industry-led societal        | ?          | 2/3 | ?                  | Auth                | Online only. Pilots                  |
| US        | 18F           | E-gov                        | 300 M      | 3/4 | Face, finger, ?    | Auth, Sign, Encrypt | Design stage                         |
| China     | Starts 2017   | E-Gov or societal            | 1.4 bn     | 4   | Multiple           | Auth, ??            | Counter fraud                        |

Page 17: Future of identity - growing demand

Lessons #2

• Top lesson. Go to LoA 3 or LoA 4.
• US. Started with Federal & business high assurance PKI. NL followed suit.
• NZ. Focusing on identity proofing and biometrics
• Industrial Asian countries are mainly LoA 4, which allows for high interaction between society and business.
  – S. Korean Government and industry PKIs are cross-certified (like NL and EE)
  – China expanding its PKI. Over 800 Certificate Authorities today
  – Malaysia PKI for business, links to government
  – Kenya is likely to expand its MPESA network to support a new e-ID.

Page 18: Future of identity - growing demand

National e-ID Choices

• Scope
  – Nation-born citizens
  – Naturalised citizens
  – EU nationals
  – EEA
  – Foreign nationals
  – Refugees
• Age - Children, old persons
• Functions
  – Authentication, signature, encryption
  – Proxy, Power of Attorney
  – Financial, wallet
• Use cases
  – E-gov, tax, pensions & benefits
  – Health and patient records
  – Payments
  – Transport
  – Travel & border control

Key points

• Trade Off
  – High LoA: High value, functionality, use cases, interoperability, future proofing, reduced risk. But high cost.
  – Low LoA: Limited use, value and future. Can’t interoperate. Not trusted. High risk but cheap. Liability issues.
• Leading nations are basing digital innovation on high assurance e-ID

Page 19: Future of identity - growing demand

HMG Office of Government Science report for UK Prime Minister

• Published 19 Jan 2016
• Two ministers leading in HMG
• Industry collaboration
• NL and EE participation starting
• Identity & Access Management essential

Page 20: Future of identity - growing demand

eResidency has huge potential!

• It’s a step ahead of everyone else
• What does it need to do to remain ahead?

Page 21: Future of identity - growing demand

10 Major Conclusions

1. Innovate – Clear goals. Learn through success & failure. Use case driven - follow the money. First mover advantage. Make eResidency an eID? More functions?
2. Accelerate – Focus, speed and scale. Smart phones and block chains
3. Differentiate – cross-border e-IDs support high assurance e-IDs in chains of trust, leveraging national e-IDs
4. Federate – with other high assurance IDs
5. Interoperate - data, policy, system interoperability. Re-use. Standards
6. Collaborate – 98%+ of transactions involve industry
7. Communicate – create a community and executive awareness
8. Coordinate – with others
9. Mitigate – Collaborative risks. Brand protection
10. Regulate – privacy and public safety