You are here
- Home
- Access and Identity Management (AIM)
- Groups
- OIX Mobile and Identity - from AQAA to Zapp (via Moshi Monsters)
Group administrators:
OIX Mobile and Identity - from AQAA to Zapp (via Moshi Monsters)
The first Tuesday of each month can normally find a mixture of commercial, government and other public sector people with an interest in identity management attending Open Identity Exchange / Identity Assurance Programme (OIX/IDAP) meetings. Convened by the Cabinet Office the main focus is to provide an update on the IDAP Alpha projects, but yesterday's was also a joint meeting with EEMA (the European Association for e-identity and security) and had a focus on Mobile and Identity.
Presentations should be available from http://oix-idap.mvine.com/, but highlights included the following:
Dr Rachel O'Connell talked about Attribute Quality Assured Authentication (AQAA) and how it can help with online age verification (slides at wp.me/p34Nmr-dH):
* Age verification is burdensome, has little or no elevation of assurance, has no standards and is open to repudiation.
* Attribute quality assurance is a business enabler, allows granular assurance, is privacy preserving and works with trust frameworks.
* Under the STORK programme, Austria and Iceland have piloted 'Safer Chat' that enables 14-18 year olds to use their e-ID card to enter chat rooms.
* A range of data sources could provide attributes for a similar UK pilot: IDaaS platforms (e.g. Avoco); UK federation IdPs; banks etc.
* NIST has awarded a grant to PRIVO to develop a minors’ trust framework to help online service providers comply with the requirements of the Children's Online Privacy Protection Act (COPPA) - http://www.nist.gov/itl/nstic-091713.cfm.
* AQAA is reaching a tipping point, but still 2 years off...
* Facebook can figure out which family members are related so could allow under 13s on line with their parents' permission.
* A couple of years ago the UK Council for Child Internet Safety convened meetings of payments providers and others. One solution they came up with was a sub-account idea for parents to give to their kids - Virtual piggy has set up a business for this - http://www.virtualpiggy.com/.
* 20-40% of website registration emails go to spam e.g. Moshi Monsters’ registration process requires a child to enter their parent’s email address. AQAA can remove this barrier.
* Trust elevation? Moshi Monsters need to be compliant with COPPA so is looking at this from a regulatory and a business point of view.
* Businesses want someone to create this infrastructure for them.
* Commercial models need reusable tokens.
* The average age of first getting a mobile phone is now 7 years old (quote from the audience).
Andy Rudd, Mobile Identity, GSMA presented on 'Unlocking the potential of identity':
* The GSMA is trade body representing the interests of mobile operators worldwide http://www.gsma.com/. They also hosted yesterday's meeting.
* The GSMA is involved in AssureUK - an OIX alpha project to develop a UK commercial trust framework linking attribute providers, such as banks and telcos, with identity providers and relying parties.
* Mobile Identity is one of 6 GSMA strategic programmes (http://www.gsma.com/mobileidentity/) with the aim of ensuring security and interoperability.
* Earlier this year they worked with GfK to conduct research to "provide an integrated view of the UK market with respect to digital / mobile identity". See http://www.gsma.com/mobileidentity/mobile-identity-research-uk-research-summary
* 59% of UK consumers find Mobile Identity services appealing.
* AssureUK has a 70+ page trust framework document at http://www.gsma.com/mobileidentity/assureuk, but you need to be a Work Group member to access it.
* The resources section also has mobile identity examples from Japan, Turkey and Sri Lanka.
Developments in Mobile Payments - Les Blair, Account Director - Public Sector, Vocalink:
* Zapp (zapp.co.uk) is a new brand for mobile payments (to differentiate from Vocalink's core Faster Payments business).
* Zapp is built on a request to pay token. So a plumber, say, can send a request to pay SMS to a client's mobile, which can then be used to pay directly from their bank account.
* The cost will be below the rate for a direct debit and is real time so good for small businesses.
* Zapp will 'radically reduce 1st and 3rd party fraud' as the client/customer doesn't have to hand over bank details or card numbers.
* Big claim is that Zapp will replace debit cards, cash and cheques and possibly credit cards.
Identity from a Mobile Operator's Perspective - Andy Tobin, CTO O2 Money
* The 4 UK mobile operators are cooperating to pilot a secure mobile authentication capability that will work on 99% of handsets.
* They are piloting a data matching and provisioning service.
* The operators are working to create standards for interoperability in the same way they cooperated on SMS.
* Use cases include an SMS sent from a government website as part of a transaction e.g. HMRC wants you to login, enter PIN. Apparently this is strong enough to be legally binding.
* Attribute matching: HMRC could (if you allow) check the details they have match what O2 has.
* Can also use for attribute provisioning e.g. location data.
Ali Rezvan from Verizon described the Internet Living Verification (ILV) Alpha project, which used Facebook to support proof of identity.
* The idea is that your number of Friends, frequency of updates, age of Friends, duration of listings etc. can be used to show that you are a living individual. This is undertaken by http://trulioo.com.
* It also explored whether using a social media login could offer a new route for citizens in the uptake of digital transactions.
* Feedback from testers was mixed. Some people wanted to use social media and others didn't. There was also a mistaken view that using Facebook credentials to login to a government service meant that the government could see your Facebook activity and that your Facebook Friends could see that you've accessed a government service.
* Ali also demonstrated a Verizon 2FA solution that used QR codes, which was very similar to https://tiqr.org/
Finally, Ian Litton of Warwickshire County Council presented the outcomes of the Warwickshire Alpha project. This was the same presentation he gave at #IGIdentity, which I've already described, however he did announce that the White Paper on the project is now available at http://oix.mvine.com/networks/155/portfolio.html.