What is the future of eID? - Difi · Please note that this presentation is for information purposes...
jsetsaas jonolnes signicat
www.signicat.com
The Trusted Digital Identity Company
What is the future of eID?
Jon Ølnes
ID-porten Workshop, Oslo, 10.09.2019
V 1.1
Please note that this presentation is for information purposes only, and that
Signicat has no obligation to pursue any course of business outlined in this
presentation or to develop or release any functionality mentioned in this
presentation.
The future strategy and possible future developments by Signicat are subject to
change and may be changed by Signicat at any time for any reason without
notice.
This document is provided without a warranty of any kind, either express or
implied, including but not limited to, the implied warranties of merchantability,
fitness for a particular purpose, or non-infringement. Signicat assumes no
responsibility for errors or omissions in this document.
Disclaimer
Signicat at a glance
- Established: 2007
- Customers: > 600
- Revenue: 240 MNOK (prognosis 2019)
- Employees: ca. 150
- SLA: up to 99.9%
- Y2Y growth: 40%
- Presence: 2006 - Norway, 2008 - Sweden, 2011 - Denmark, 2013 - Finland, 2015 - The Netherlands, 2015 - Portugal, 2016 - UK, 2018 - Germany, 2019 - Belgium
- Certifications
- Transactions: 180M/year (in 2018)
- QTSP (eIDAS) for timestamping
Peter Steiner - 1993
“On the Internet, nobody knows you’re a dog”
Dave Birch - 2018
“On the Internet, no-one knows you’re a Russian bot that’s hacked a fridge
and is pretending to be a dog”
Dave Birch - 2018
“On the Internet, no-one knows you’re a Russian-hacked fridge pretending to be a
Swedish bot pretending to be a Fox News dog”
Steve Wilson
We hardly ever need to know "who people are" online (or in real life for that matter); we just
need to know certain specifics about them
John Erik Setsaas
… but it must be possible to reveal the identity in case they violate T&C or perform illegal actions
What is digital identity?
Your identity – everything about you
Identity may be the way you
perceive yourself
But in this context how you
are perceived by others and
perceived «by society»
Digital
Photos
etc.
Paper
In the minds
of others,
oral
Lies & rumours
Truths
What you publish about yourself
What others publish about you
Public registers
Health information
Identification
• name
• age
• address
• national ID number
• much more...
Newsfeeds and social media
Your digital double – digital identity
And much more...
Personas – different aspects of your double
The tax-payer
The traveller
The banker
The patient
The shopper
The professional
The dater
... and
many more
What is electronic proof of identity – eID?
eID, digital way of proving your identity
Digital counterpart to a
physical identity method
Trust that the person is who they claim to be
The link between you and a persona
The tax-payer
The passport and ID card
The bank customer
The online service customer
Public eID, issued or accepted by government
Biometrics
Or service specific eID
Social media
Reusable, national eID
Potential downsides
• Monopoly, closed business models
• No cross-border solution
• Privacy, tracking of use
• No targeted eID – same information to all
Service providers
One eID to integrate
Society
Well-known, reliable eID
Consumers
One eID for most purposes
The Nordics is in the lead
Identity proofing for eID
Registry lookup
People Org
Existing eID
Physical meeting
Optical scanning and selfie
Proof of address
Possession of phone
Virtual meeting
Chip in document and biometrics
Possession of e-mail
My eID
Combine as needed
eID for all
Leave no-one behind
Nationally
Not everybody has a bank account
Or even a national ID number
Government responsibility to ensure
everybody is included?
Globally – eID for all
About 1 billion people do not have an official proof of identity
May not obtain banking services, health care, education, voting....
Sierra Leone: Biometrics and blockchain mean just a thumbprint can open a bank account
Kenya: Building refugee IDs with blockchain
UNICEF urges methodical and wholistic approach in Africa’s race for digital identity
African Union to Consider Good Digital Identity Principles at Summit
India: World’s largest biometric ID system
Authentication
How to show that you are you
- Username and password
- Main challenge: the user
⁃ …forgets
⁃ …writes them down
⁃ …uses the same password for different sites
⁃ …shares password
⁃ …uses “common” passwords
Knowledge based authentication
Does not work well
What about biometrics?
- Can be made very secure
- Easy for user, nothing to remember
- Requires a trusted environment
⁃ Fresh measurement from a trusted sensor
⁃ Never assume biometric info to be secret
⁃ Must protect against copy and replay attacks
Biometrics on mobile devices
A dozen different mechanisms
Physiological biometrics
Behavioral biometrics
Are mobile devices trusted environments?
What we really need
- A personal device bound to you as an individual
⁃ That can do crypto processing (which humans cannot)
⁃ That represents you
⁃ That does not put extra stress on the user
Crypto and binding to identity information
Different personas
Targeted identity
The device “knows” that it’s in your possession
John Viking
Not John Viking
Example Apple Pay with watch
No need for PIN
Vision for the future of authentication
We are all creatures of habit
Trust score Profile
Trust score
Machine Learning
Fraud patterns
Authenticate
Transact
Yes
No
Trust score
Risk OK?
Transaction value
Determine risk
Self managed identities
SSI: Self-Sovereign Identity
I am in control of my identity data
I decide what to share with whom
Concept
Data is in my own data store
I’m the only one with the access-key
SSI: Self-Sovereign Identity?
We forget
We lose things
We do not take backups
We are careless
1/3 of all bitcoins (43 BUSD) are lost,
by “trained professionals”
Are people reliable?
People do not even understand passwords
⁃ forgets
⁃ writes them down
⁃ uses the same password for different sites
⁃ shares password
⁃ uses “common” passwords
We cannot give them even more responsibility
People want somebody to call
when they have a problem
- What?
⁃ Manages my digital identity on my behalf
⁃ … while I am in control
- Why?
⁃ Liability
⁃ Somebody to call when I have a problem
⁃ Risk monitoring
⁃ Ensure SLA
Identity custodian – user perspective
- I can choose which to use
- I can move when I want
- I can be my own
⁃ However, I would have to call myself if I have problems
- Business model
⁃ Trust service
⁃ Banks are under pressure
⁃ User interaction
⁃ People pay for insurance
⁃ Service providers will pay for validated information
Identity custodian – Business perspective
- Who do you trust (Nordics)?
Source: Signicat research: The battle to On-Board III, signic.at/btob3
Summary
Vision for the future
- Biometrics & personal devices
⁃ Non-intrusive authentication
- Combination of “national” eIDs and targeted eIDs
- Identity custodian
⁃ Covering my back (recovery, revocation and next of kin)
- I decide what to share with whom (personas)
www.signicat.com
John Erik Setsaas
VP of identity and innovation
jsetsaas
Jon Ølnes
Product Manager Nordics
jonolnes