Members of the research and education community within the United Kingdom regularly make use of various types of online services, including web-based e-resources, wireless network access, and cloud-based applications. Many of these services require authentication of a user's identity, and many additionally require the release of attributes relating to that identity for authorisation purposes. Access and Identity management technologies and services aim to fulfil this need for robust authentication and authorisation technologies. Jisc either runs or is heavily involved with many major services offered to the UK R&E community in this space such as eduroam, the UK federation, Moonshot, and the Janet Certificate Service. This group exists for those interested in AIM and trust and identity services to discuss the latest developments, keep track of goings-on, and participate in discussions about what the community needs in this area and what Jisc should be offering. (Note that for eduroam, Moonshot, and the Janet Certificate Service specific discussions, these technologies have their own groups on this site). To learn more about Jisc's AIM services, you can see the slides and video of an overview given at Networkshop42.


OIX September – smart cards, trust registries, your data for pizza and 1st world problems

9 September 2013 at 7:42am

Yesterday I had an interesting afternoon at LSE for the September OIX meeting. This is the latest of a series of monthly meetings to get updates on the Government Digital Service (GDS) Identity Assurance Programme (IDAP) and other identity related projects from OIX members.

The event had 4 main speakers, but before they started there was an update from David Rennie from GDS who was very pleased to announce that they’ve finished contract negotiations with 5 IdPs for the first phase beta release starting this Autumn. The five are: DigIdentity; Experian; Mydex; Post Office; and Verizon.

More details can be found at http://digital.cabinetoffice.gov.uk/2013/09/03/identity-assurance-first-delivery-contracts-signed/

David also announced that the GDS Alpha process (small proofs of concept/pilots) is now becoming mature, and going forwards more projects will be doing show and tell at OIX meetings and whitepapers will be published on the GDS site. GDS is also working with AssureUK, the British Retail Consortium and GSMA to take IDAP forward in a way that can be leveraged in the private sector.

First up was Nicky Kaye from Bracknell Forest Borough Council talking about Bracknell’s e+ smart card. About 10 years ago the Government provided millions of pounds to pilot smart cards in local authorities. Working with a commercial provider (Smart Citizen) and other LAs, Bracknell developed SmartConnect - a highly configurable, web based data capture system that can be licensed to any public body. Currently licensed to about 10 LAs, the terms of the license mean that any developments for one body can be rolled out to all the others as well.

Around 80,000 Bracknell citizens use e+ for a whole range of services including as a library card, discount card, leisure card, bus pass, PASS age verification, recycling reward scheme (bins have tags on and if households are recycling well they get points that can be used for free DVD rentals at the library etc.), housing list photo id, NHS transplant registration as organ donor, and recently Molo rewards - http://uk.molorewards.com/bracknell/ - originally Molo just used NFC on phones, but the company worked with Bracknell to get it on e+. Registration for e+ can happen online or at any council service e.g. the library, which helps cross sell council services to citizens.

At one time e+ had an e-Purse system, but as the range of services has expanded this closed loop system was found to be not suitable. After many discussions with card companies who wanted to be able to reuse the data on the cards (something the Council wasn’t happy with) a trial will be starting in December of a pre-pay Visa debit card on e+ for 90 people within social care. The reason for this is to make sure the processes work for a difficult use case first.

Surprisingly cashless catering (e.g. in schools) is not a current service. e+ had that functionality for 3 years in some secondary schools, but the schools didn't like having to manage someone else's card e.g. they couldn't confiscate or replace it.

Approximate running costs are: cards cost £2.50 each; £30,000 a year for back end systems; readers cost about £30 each.

Given the range of services and the amount of data available on the card, Nicky was asked if anyone had questioned the lack of privacy. The answer is they’ve not had anyone seriously complain about lack of privacy as citizen data is already stored by the council in a number of places. There are obviously associations across the council, but as standard there is no way someone in Environment and Planning can see what books you've taken out, for example.

OIXnet - A registry for Online Trust

President of OIX Don Thibeau then described OIXnet – an online registry of trusted identity data, enabling interfederation, increasing the volume and velocity of trusted transactions to accelerate market growth.

OIXnet is an attempt to build trust as "where there is trust there is market growth"; "exchanges grow markets"; "registries build trust".

Today there is no registry of trust frameworks - so OIX is going to build one.

Don’s slides and more information can be found at http://openidentityexchange.org/sites/default/files/OIXnet%20Overview%20v5.pdf and http://openidentityexchange.org/oixnet, but the aim is for OIXnet to be an authoritative online registry of scheme rules and trust frameworks that will allow communities of interest (COI) to find frameworks relevant to them and also find other COIs of interest to them.

It is unclear how OIXnet will benefit a consumer. Don seemed to think that having a single place to see and compare terms and conditions will be a benefit, however most of the room thought a consumer wouldn’t care about that. However the transparency of a simple, single registry may be helpful.

Steve Rothwell - Eagle Eye solutions

Next up was Steve Rothwell, CEO of Eagle Eye Solutions (http://www.eagleeyesolutions.co.uk/). This was a surprising talk about the benefit of an individual’s identity to commercial companies. I say surprising as the majority of OIX members are in the market of providing data back to consumers or helping them manage their own data (personal data ecosystems etc.). Eagle Eye handles vouchers, coupons etc. on behalf of about 40 high street shops including Tesco’s Clubcard points exchange. Thanks to Eagle Eye, Tesco now no longer offers paper vouchers for their points exchange and Tesco now knows where else you shop and eat etc.

Eagle Eye also provides a PayPal solution for high street shops. According to Steve, shops like accepting PayPal as in doing so they get an email address for a customer, which they don't for a card or cash transaction.

Steve doesn’t see a commercial model for companies releasing data back to consumers. There also needs to be a business case for trust frameworks or they won't get adopted and used by commercial services. However there is a very lucrative business case in enabling redemption of services through connected retailers via a single identity – customers like bartering their identity for free pizza.

The final speaker was Paul Makin - Head of Consult Hyperion's Mobile Money Practice (www.chyp.com)

This was an entertaining talk about the problems in trying to do Know Your Customer identity checks on nomadic tribespeople. To comply with international law you have to know exactly who is sending money to whom. In some areas this is more straightforward as some governments issue identity cards. However there are many fakes and not everyone has one. There also don’t tend to be many people with passports.

Where ID cards aren’t available, you have to rely on a letter from a Pastor (but how do you check the Pastor’s identity or check the letter hasn’t been used multiple times by different people?), or rely on village elders vouching for someone’s identity (where local feuds don’t get in the way).

Assuming someone has managed to prove who they are with the correct documentation, you then need to tie that to an electronic token. Biometrics is often suggested, however there are many issues – particularly with fingerprints: poor hydration, elderly people, manual workers all lead to poor fingerprint images. One solution is to turn down the sensitivity from 20 points to 5 points on readers. But this is “one step up from useless”. Despite this, there were still about 10% of people for whom this didn’t work, in which case they had to appoint a proxy with a good finger – leading to more issues.

Iris scans were considered, but there are some cultural sensitivities around using cameras. You also need good light and a good camera. However, the increased specification of cameras in mobile phones means iris recognition may be reconsidered.

Voice was also tried, but most mobiles have very poor quality microphones. One example given was that voice authentication would only work when used in the local launderette – somehow the thrum of the tumble dryers cancelled out other noise to allow the authentication to work.

Contact cards don't work in dusty environments due to abrasion of contacts so the best solution is contactless – cards, stickers or keyfobs.

The final issue is to do with mobile coverage and where there is coverage, there is often not enough capacity.

The conclusion was that 1st world standards can't always be used in emerging markets. There needs to be a compromise and willingness to adapt to local circumstances.