What's in-store?

[Dave Birch] I was looking something up and came across a post that I'd made about a report from TNS Global on the "New Future in Store" and I noticed that of a list of new technologies that they interviewed the European public about, fingerprint payments were rated top. This struck me as incongruous, given the commercial failure of fingerprint technology-based payment systems at POS, including in Europe.

Albert Heijn has currently decided not to follow up on the trial, citing ‘security issues and vulnerability to fraud’. The participants however were enthusiastic about the payment method and applauded the fact that they could complete their purchases without needing their debit cards, cash or loyalty cards.

[From The Paypers. Insights in payments.]

There was a similar trial in the UK, with the Co-Op, that was similarly discontinued. That's not to say that biometrics are of no interest to retailers, because there are some process that can be greatly be improved through the use of the technology.

The Co-operative Group is to use fingerprinting machines to track staff hours. The society plans to install biometric data collection terminals in its food stores over the next two years to record the working hours of its 55,000 staff.

[From thegrocer.co.uk | Articles]

This illustrates a general point from my talk at Biometrics 2009, which is that the commercial payback on biometrics as part of an overall identity management strategy looks much better when it comes to "staff" applications rather than "customer" applications. That's not to say that biometrics will not become a customer choice in the future.

Collision

[Dave Birch] Here at Consult Hyperion we've recommended to more than one non-US customer that they look at specifying PIV solutions. Why? Because PIV does almost all of what they want, and the cost and integration advantages make it a better short- to medium-term solution. But there's another less tangible reason for being interested in it: because once the US government has chosen something as a "standard", then that is where the energy will go, because the suppliers are rational people. The seal of approval is very, very important. Which is why I"m not the only one who has been reflecting on just how significant the US government's support for OpenID is. When this support was announced, Bob Blakely highlighted just how important an announcement it was.

But the identity world had its own big news today; the news is that the US Government has teamed up with the OpenID Foundation, the Information Card Foundation, the Kantara Initiative, and InCommon in creating the Open Identity Initiative.

[From Burton Group Identity Blog: US Government Identity News]

I was involved in some discussions with a government department a few months ago -- long before the US government announcement -- during which I suggested opening up some public services using OpenID. My reasoning was that we could experiment with "soft" OpenIDs provided by (to consumers) familiar services. If you asked a customer to log in to the DVLC using their Facebook "Identity", then I'm sure they would manage to do this with little training and no mention of trust infrastructures and the like. Once they are comfortable with this, then you can restrict access to "hard" OpenIDs (by which I mean 2FA OpenIDs).

The central point, though, was that the government could help to create an identity infrastructure built on a diverse selection of "private" digital identities. I think that, as Burton note, the US government's decision signals a genuine paradigm shift in this direction, a genuine change in the mental model are identity.

after years of government attempts to create identities and assign them to citizens (via such bad ideas as the UK National ID scheme and the US REAL-ID act), a government has finally recognized that individuals already HAVE identities, and that it’s a better idea, for most purposes, to use these identities than to establish a new government bureaucracy to create new identities

[From Burton Group Identity Blog: US Government Identity News]

Personally, I think that the government ought to be a "gold standard" identity provider as well as an identity oonsumer, but that's another issue.

Air side

[Dave Birch] The whole business of air travel is a laboratory for experimenting at the boundary between public and private identities, where national and international agreements interact with corporate alliances, outsourcing and value chains to produce a complex environment that needs and benefits from change. Speaking as a frequent traveller, and happy near-weekly user of Heathrow's Terminal 5, it seems to me that air travel has got considerably quicker, more efficient and simpler in the last couple of years. I print my boarding pass out at home, jump in a cab or on the train, nip through T5 to the lounge and then on to the plane -- the only hold-up in the whole process is the queue for security on the way out (sometimes this can be 10-15 minutes even at T5) and the queue for passport control on the way in.

However, the need to print a physical boarding pass, even using 2D barcodes rather than a magnetic stripe, and the lack of an efficient bag drop system means that despite the universal electronic ticket for air travel, more than two-thirds of passengers still went to a check-in desk. Where to look for the next improvement? Well, I'm sure like most people I think that the key technology that will change this is the mobile phone. If the mobile phone allows you to check in and obtain a boarding pass, and a kiosk at the airport allows you to self-tag (clearly there are some security issues around this) then the flow through airports would increase significantly and the costs would reduce accordingly.

In fact I saw a presentation for one of the companies that supplies infrastructure to airports recently an they were talking about their experiences with the mBCBP (mobile bar code boarding pass) -- they said that "we only care about Blackberry, iPhone and high-end smartphones", which means we can assume big, clear screens -- but still the current 2D barcode solutions don't carry enough data for the airlines to store more than three legs plus frequent-flier and other data.

So why am I looking at this space? One of the biggest players in the industry, IER, is advocating the "pass & fly" sticker solution and I saw them present on the Air New Zealand and Air France case studies which, I have to say, was rather impressive.

Another model that the UK could try

[Dave Birch] I'm going provide a case study on the use of multi-application smart cards with EMV "chip and PIN" software on them that I think contains some useful nuggets for us in the UK to ponder over, because the case study is about combining payment (EMV) and digital signature (PKI) applications on the same card.

Identity folks will have to understand a little about the payment folks' EMV standard to understand the dynamics. There are actually three flavours of EMV, the international card scheme standard for chip transactions. These are Static Data Authentication (SDA), Dynamic Data Authentication (DDA) and Combined Data and Application Cryptogram (CDA). Most of the cards out on the streets in the UK are SDA cards without enciphered PIN (the PIN is not encrypted from the PIN pad into the card).

SDA cards are cheapest, which is why our banks issue them, but they can be cloned and used in terminals that are offline, so they are a security risk. DDA cards are not vulnerable in this way, but they are more expensive, both because the cards are more sophisticated -- they have a cryptographic co-processor to handle asymmetric cryptography and take longer to "personalise" -- but UK banks will have to replace SDA with DDA by end of 2010 (indeed, Consult Hyperion work with banks to help them to migrate in a cost-effective way). CDA cards cost the same as DDA, but still need to be planned for.

For technical reasons, CDA cards are more secure than DDA cards. Why? Because CDA protects against the "wedge attack". It is possible to insert a device that would let a genuine DDA card generate a legitimate digital signature but then intercept the request for an application cryptogram and return a bogus one for a different amount to the terminal. The terminal would carry on regardless. This is not possible with CDA since both the DDA signature and cryptogram are delivered by the card at the same time.

OK, so all this is well-known, but why does it matter to the digital ID world? Well, if a bank goes to the expense of issuing DDA or CDA cards, then the presence of re-usable cryptographic software and the cryptographic co-processor mean that it is a minimum of cost and complexity for the card to carry an additional PKI application as well as the EMV application. Almost all of the PKI application's "guts" are already on the card because they are used by the EMV application. What's more, the card can generate its own key pairs (which is very good for security) and then, provided you have the infrastructure, third parties can sign the card's public key(s) to create a wide variety of public key certificates to deliver interesting services. The card can store these certificates if it has enough memory or store pointers to the certificates online somewhere if it doesn't.

Here's a real example.

4D Secure

[Dave Birch] One of the things that I thought might happen this year is that the US government standard for ID cards might begin to spread into the commercial sector, simply because of the impact of standardisation. I wasn't the only person who thought this, by the way.

In 2009, common access card programs will get another chance to conquer the enterprise market due to the government’s drive to implement PIV cards for all employees and contractors, the availability of standards and compatible products, the spread of standards beyond the federal government to state and local entities as well as government-linked enterprises. Most importantly, security convergence will finally receive market traction.

[From ContactlessNews | Look for renewed interest in enterprise common access card programs in 2009]

I should say that I thought this was a good thing. The PIV might not be an exact match with some corporate requirements, but on the other hand a standard means lower costs and an emerging ecosystem. So, if we want to improve corporate security, do we start designing our own, optimal solution, or go with the grain of what's out there on the basis that it's much, much better than nothing?

Max von Snijder, European Biometrics Group

[Dave Birch] Max von Snijder is CEO of the European Biometrics Forum and chairman of the International Biometrics Advisory Council (IBAC). He is coordinator of BioTesting Europe. One of the leading independent biometrics experts in Europe, Max is involved in numerous workshops, committees and expert groups, such as the Consortium on Security and Technology of the EastWest Institute, The Porvoo Group, the CEN Working Group on Integrated Border Management, CEN Biometric Focus Group. He is Founding Member of the IFIP Working Group on Identity Management (WG11.6) and member of the ePractice Working Group on eID. He recently became member of ThinkTrust, a European Think Tank on 'Investigating Security, Dependability, Trust, Privacy and Identity from ICT and social perspectives', funded by the European Commission.

Listen here in either [Podcast MPEG4] or [Sound-only MP3] format.

Hadi Nahari, PayPal

[Dave Birch] Hadi Nahari is the Principal Security Architect at PayPal. He has over 18 years of extensive software development experience, designing, developing, deploying and verifying complex software application and infrastructure of varying scales. In this podcast, he talks about some of the challenges in identification and authentication for large-scale customer-facing onine businesses.

Listen here in either [Podcast MPEG4] or [Sound-only MP3] format.

Announcing Identity & Privacy 2009

[Dave Birch] Here's another date for your calendars: London, 14th an 15th May 2009. The Digital Identity Forum and the Enterprise Privacy Group will be hosting the first Identity & Privacy Forum, sponsored by Consult Hyperion with support from HP, Microsoft, Symantec, Verisign and VoicePay. The Forum will be held at the Guoman Charing Cross Hotel, London, and I'm looking forward to seeing you there. Toby Stevens and I will be sending out a detailed agenda in a couple of weeks, but just as a heads-up there are going to be four sessions: "a snapshot of electronic identity", "co-evolving privacy and consent", "sharing front line experiences" from the public sector and "catching up with biometrics".

We'll be sending out the agenda in a couple of weeks and fleshing out the expert panels. As soon as we do, you'll be able to buy tickets!

Privacy-enhancing anti-technology in Europe

[Dave Birch] There's been another rash of stories about fingerprinting and the linking of identity and authentication and I thought I'd take a look at a few of them after my afternoon at the Social Market Foundation. Let's begin by looking at a mass market use of biometrics...

Under a new law published Monday, Mexico will start a national register of mobile phone users by fingerprinting all customers in an effort to catch criminals who use mobile phone to extort money and negotiate kidnapping ransoms. The new law, which will be in force this April, will give mobile phone companies a year to build the database of their clients - complete with fingerprints and any other personally identifiably information.

[From New Mexico Law to Fingerprint All Mobile Phone Users]

Fingerprint mobile phone users could never happen here, of course. Well, not for a while. But fingerprint mobile providers might...

Vodafone dealership DigitalMobile is the latest employer to introduce fingerprint scanning for staff. DigitalMobile spokesman Will Allan says the scanners have been installed in the company's 22 stores around the country and most of its 190 staff are using them to clock in and out.

[From Vodafone sales staff asked to scan in - New Zealand's source for technology news on Stuff.co.nz]

This seems pretty reasonable: using biometrics to make life easy more people is a much more convincing business case and, as far as I can see, a much more effective use of the technology than biometrics for security (outside nuclear missile launch codes and that kind of thing).

At whose fingerprints?

[Dave Birch] I went to the Social Market Foundation chat about biometrics sponsored by the Identity and Passport Service (IPS). The speakers -- Jim Wayman from San Jose State University, Peter Hawks and Hugh Carr Archer (Aurora) from our friends at IAFB, Farzin Deravi from the University of Kent and forum friend Toby Stevens from EPG -- got a good discussion going although personally I thought it was a little too short. I was very interested in some of the points being raised from the floor and would have appreciated more time for expert reflection from the panel.

Jim started his talk by referring to the "colourful" history of the future of biometrics, which appealed to my current obsession with paleo-futures at the CSFI, and made a couple of points that I think are worth opening up for discussion here. First of all, he made the key point that biometrics doesn't solve the problem of identification but once you have identified someone then you can use biometrics to link them to that identity. Biometrics is easy, identification isn't, and biometrics do not guarantee the validity of non-biometric data in database (this is why I keep promoting the "biometric only" plan from the UK National Identity Register). Secondly, he made me reflect on the difference between schemes where the "users" care about multiple uses or not. So, if I have a season ticket for the London underground, I don't care about my brother using it on the days that I'm not. But I don't want him using my credit cards on days that I do not. So why would you need a biometric for a bank card? Good point. I think that the answer is that if we want to use cards for larger transactions then we can't use PINs because PINs are too easily snaffled, but I'm going to think some more about this and post in the future.