Members of the research and education community within the United Kingdom regularly make use of various types of online services, including web-based e-resources, wireless network access, and cloud-based applications. Many of these services require authentication of a user's identity, and many additionally require the release of attributes relating to that identity for authorisation purposes. Access and identity management (AIM) technologies and services aim to fulfil this need for robust authentication and authorisation. Jisc either runs or is heavily involved with many major services offered to the UK R&E community in this space, such as eduroam, the UK federation, Moonshot, and the Janet Certificate Service. This group exists for those interested in AIM and trust and identity services to discuss the latest developments, keep track of goings-on, and participate in discussions about what the community needs in this area and what Jisc should be offering. (Note that for discussions specific to eduroam, Moonshot, and the Janet Certificate Service, these technologies have their own groups on this site.) To learn more about Jisc's AIM services, you can see the slides and video of an overview given at Networkshop42.


OIX Mobile and Identity - from AQAA to Zapp (via Moshi Monsters)

6 November 2013 at 4:00pm

On the first Tuesday of each month, a mixture of commercial, government and other public sector people with an interest in identity management can normally be found attending Open Identity Exchange / Identity Assurance Programme (OIX/IDAP) meetings. Convened by the Cabinet Office, the meetings mainly provide an update on the IDAP Alpha projects, but yesterday's was also a joint meeting with EEMA (the European Association for e-identity and security) and had a focus on Mobile and Identity.

Presentations should be available from http://oix-idap.mvine.com/, but highlights included the following:

Dr Rachel O'Connell talked about Attribute Quality Assured Authentication (AQAA) and how it can help with online age verification (slides at wp.me/p34Nmr-dH):

* Age verification is burdensome, has little or no elevation of assurance, has no standards and is open to repudiation.

* Attribute quality assurance is a business enabler, allows granular assurance, is privacy preserving and works with trust frameworks.

* Under the STORK programme, Austria and Iceland have piloted 'Safer Chat' that enables 14-18 year olds to use their e-ID card to enter chat rooms.

* A range of data sources could provide attributes for a similar UK pilot: IDaaS platforms (e.g. Avoco); UK federation IdPs; banks etc.

* NIST has awarded a grant to PRIVO to develop a minors’ trust framework to help online service providers comply with the requirements of the Children's Online Privacy Protection Act (COPPA) - http://www.nist.gov/itl/nstic-091713.cfm.

* AQAA is reaching a tipping point, but still 2 years off...

* Facebook can figure out which family members are related so could allow under 13s online with their parents' permission.

* A couple of years ago the UK Council for Child Internet Safety convened meetings of payments providers and others. One solution they came up with was a sub-account idea for parents to give to their kids - Virtual Piggy has set up a business for this - http://www.virtualpiggy.com/.

* 20-40% of website registration emails go to spam, e.g. Moshi Monsters’ registration process requires a child to enter their parent’s email address. AQAA can remove this barrier.

* Trust elevation? Moshi Monsters needs to be compliant with COPPA, so it is looking at this from a regulatory and a business point of view.

* Businesses want someone to create this infrastructure for them.

* Commercial models need reusable tokens.

* The average age of first getting a mobile phone is now 7 years old (quote from the audience).

Andy Rudd, Mobile Identity, GSMA presented on 'Unlocking the potential of identity':

* The GSMA is a trade body representing the interests of mobile operators worldwide (http://www.gsma.com/). They also hosted yesterday's meeting.

* The GSMA is involved in AssureUK - an OIX alpha project to develop a UK commercial trust framework linking attribute providers, such as banks and telcos, with identity providers and relying parties.

* Mobile Identity is one of 6 GSMA strategic programmes (http://www.gsma.com/mobileidentity/) with the aim of ensuring security and interoperability.

* Earlier this year they worked with GfK to conduct research to "provide an integrated view of the UK market with respect to digital / mobile identity". See http://www.gsma.com/mobileidentity/mobile-identity-research-uk-research-summary

* 59% of UK consumers find Mobile Identity services appealing.

* AssureUK has a 70+ page trust framework document at http://www.gsma.com/mobileidentity/assureuk, but you need to be a Work Group member to access it.

* The resources section also has mobile identity examples from Japan, Turkey and Sri Lanka.

Developments in Mobile Payments - Les Blair, Account Director - Public Sector, Vocalink:

* Zapp (zapp.co.uk) is a new brand for mobile payments (to differentiate from Vocalink's core Faster Payments business).

* Zapp is built on a request-to-pay token. So a plumber, say, can send a request-to-pay SMS to a client's mobile, which can then be used to pay directly from their bank account.

* The cost will be below the rate for a direct debit and payment is real time, so it is good for small businesses.

* Zapp will 'radically reduce 1st and 3rd party fraud' as the client/customer doesn't have to hand over bank details or card numbers.

* The big claim is that Zapp will replace debit cards, cash and cheques and possibly credit cards.

Identity from a Mobile Operator's Perspective - Andy Tobin, CTO O2 Money:

* The 4 UK mobile operators are cooperating to pilot a secure mobile authentication capability that will work on 99% of handsets.

* They are piloting a data matching and provisioning service.

* The operators are working to create standards for interoperability in the same way they cooperated on SMS.

* Use cases include an SMS sent from a government website as part of a transaction, e.g. HMRC wants you to log in, enter PIN. Apparently this is strong enough to be legally binding.

* Attribute matching: HMRC could (if you allow) check the details they have match what O2 has.

* It can also be used for attribute provisioning, e.g. location data.

Ali Rezvan from Verizon described the Internet Living Verification (ILV) Alpha project, which used Facebook to support proof of identity.

* The idea is that your number of Friends, frequency of updates, age of Friends, duration of listings etc. can be used to show that you are a living individual. This is undertaken by http://trulioo.com.

* It also explored whether using a social media login could offer a new route for citizens in the uptake of digital transactions.

* Feedback from testers was mixed. Some people wanted to use social media and others didn't. There was also a mistaken view that using Facebook credentials to log in to a government service meant that the government could see your Facebook activity and that your Facebook Friends could see that you've accessed a government service.

* Ali also demonstrated a Verizon 2FA solution that used QR codes, which was very similar to https://tiqr.org/

Finally, Ian Litton of Warwickshire County Council presented the outcomes of the Warwickshire Alpha project. This was the same presentation he gave at #IGIdentity, which I've already described; however, he did announce that the White Paper on the project is now available at http://oix.mvine.com/networks/155/portfolio.html.