cidSafe project, 23 September 2010, for EEMA event

cidSafecreating a solution for a safe

consumer identity in the Netherlands

Maarten Wegdam, Novay

EEMA Benelux RIG “e-Identity as a business”

23rd September 2010 @ Everett

Novay?

• Dutch ICT research institute

• Formerly Telematica Instituut

• Innovation projects

• Networked innovation

• Independent, not-for-profit

• ~55 researchers, multi-disciplinary

• Customers include financial sector,

government and semi-government

2

Example identity related projects

• STORK project – lead for WP2 that defined the Levels

of Assurance

• SURFfederation – 700k+ identity federation for higher

education in the Netherlands

• Identity-as-a-Service for B2B – for RDW

• ePassport for online authentication – for NLNet

• eRecognition review – for B2G identity, EZ/ICTU

• Mobile PKI –technology scouting / assessment for

SURFnet/Kennisnet

3

The consumer identity problem

An old problem

4

The user Service provider

• High trust is too expensive

• People forget passwords

• Lack of (validated) attributes

• Low conversion

An old (?) solutionexternalize the identity with an identity provider

(authentication + attributes)

Why not (really) here yet?

5

Three big reasons

market

entry

issues

lack of

trust in

IdP

privacy

issues

Market entry issue

6

100% coverage of consumers

Chicken-egg

• Identity-providers vs relying parties

• Not any more for basic trust (?)

Unclear value chain

Trust and privacy issues

Do you trust all identity providers?

• Security risk

• Business continuity risk

• Privacy risk

Through technical means, when possible …

By making the identity provider ‘behave’

• Through laws

• Through competition

• By agreeing on a set of rules7

Our approach: Reduce the need to trust

the identity provider

8

Making the IdP behave and the

role of government

Decreasing regulation:

Note: models 1 to 3 require some form of

monopoly or regulator

Government issued

Government regulated

Trust framework

Free market (tech standard)

A trust framework

A set of rules that all players agree upon

To have more trust and a healthy ecosystem

• New identity providers can join

• Easy assess for RPs (scalability)

• Balancing interests between IdPs, RPs and users

• Privacy assurances

• Governance / audits

9

Trustworthiness of an identity

10

Authentication

mean

Identity binding

Level of Assurance

Consumer & citizen identity in NL

• There is a citizen identity solution: DigiD

• Issued by snail mail to home address

• Two-factor: username/password + SMS OTP

• BUT: cannot be used in the private sector

• Except healthcare & pension

11

cidSafe initiativea safe consumer identity

• High-trust consumer identity

• Collaborative project by stakeholders

• Goal: breakthrough for high-trust consumer

identity in the Netherlands

• Short-term goal: if and how this is feasible,

with a focus on financial sector

12

Partners

• Achmea, Aegon, Adfiz, Nationale Nederlanden, OHRA,SNS Reaal

Sounding board

Who

13

cidSafe trust framework:

starting points for our solution

1. General usage

2. High trust

3. Easy to use

4. Cost efficiënt for service providers

5. Privacy consious

14

Some cidSafe challenges

15

Evangelizing with relying parties

Openness vs trust

Business Model

Role of government

Take aways on cidSafe

• cidSafe is market initiative for high-trust

consumer identity in NL

• Trust framework approach

• Breakthrough by jointly working on trust

framework

16

More information:

http://cidsafe.novay.nl

http://maarten.wegdam.name