cidsafe project, 23 september 2010, for eema event
DESCRIPTION
cidSafe, creating a solution for a safe consumer identity in the Netherlands. As presented on 23rd September for the EEMA RIGTRANSCRIPT
cidSafecreating a solution for a safe
consumer identity in the Netherlands
Maarten Wegdam, Novay
EEMA Benelux RIG “e-Identity as a business”
23rd September 2010 @ Everett
Novay?
• Dutch ICT research institute
• Formerly Telematica Instituut
• Innovation projects
• Networked innovation
• Independent, not-for-profit
• ~55 researchers, multi-disciplinary
• Customers include financial sector,
government and semi-government
2
Example identity related projects
• STORK project – lead for WP2 that defined the Levels
of Assurance
• SURFfederation – 700k+ identity federation for higher
education in the Netherlands
• Identity-as-a-Service for B2B – for RDW
• ePassport for online authentication – for NLNet
• eRecognition review – for B2G identity, EZ/ICTU
• Mobile PKI –technology scouting / assessment for
SURFnet/Kennisnet
3
The consumer identity problem
An old problem
4
The user Service provider
• High trust is too expensive
• People forget passwords
• Lack of (validated) attributes
• Low conversion
An old (?) solutionexternalize the identity with an identity provider
(authentication + attributes)
Why not (really) here yet?
5
Three big reasons
market
entry
issues
lack of
trust in
IdP
privacy
issues
Market entry issue
6
100% coverage of consumers
Chicken-egg
• Identity-providers vs relying parties
• Not any more for basic trust (?)
Unclear value chain
Trust and privacy issues
Do you trust all identity providers?
• Security risk
• Business continuity risk
• Privacy risk
Through technical means, when possible …
By making the identity provider ‘behave’
• Through laws
• Through competition
• By agreeing on a set of rules7
Our approach: Reduce the need to trust
the identity provider
8
Making the IdP behave and the
role of government
Decreasing regulation:
Note: models 1 to 3 require some form of
monopoly or regulator
Government issued
Government regulated
Trust framework
Free market (tech standard)
A trust framework
A set of rules that all players agree upon
To have more trust and a healthy ecosystem
• New identity providers can join
• Easy assess for RPs (scalability)
• Balancing interests between IdPs, RPs and users
• Privacy assurances
• Governance / audits
9
Trustworthiness of an identity
10
Authentication
mean
Identity binding
Level of Assurance
Consumer & citizen identity in NL
• There is a citizen identity solution: DigiD
• Issued by snail mail to home address
• Two-factor: username/password + SMS OTP
• BUT: cannot be used in the private sector
• Except healthcare & pension
11
cidSafe initiativea safe consumer identity
• High-trust consumer identity
• Collaborative project by stakeholders
• Goal: breakthrough for high-trust consumer
identity in the Netherlands
• Short-term goal: if and how this is feasible,
with a focus on financial sector
12
Partners
• Achmea, Aegon, Adfiz, Nationale Nederlanden, OHRA,SNS Reaal
Sounding board
Who
13
cidSafe trust framework:
starting points for our solution
1. General usage
2. High trust
3. Easy to use
4. Cost efficiënt for service providers
5. Privacy consious
14
Some cidSafe challenges
15
Evangelizing with relying parties
Openness vs trust
Business Model
Role of government
Take aways on cidSafe
• cidSafe is market initiative for high-trust
consumer identity in NL
• Trust framework approach
• Breakthrough by jointly working on trust
framework
16
More information:
http://cidsafe.novay.nl
http://maarten.wegdam.name