By davebirch, posted Dec 30 2006 at 11:46 AM
[Dave Birch] I know it's rather trite to point this out, but moving to stronger authentication of digital identities does not by itself automatically mean more "security" unless the human factors are taken care of. Here's a post I came across while looking for something else to do with a project I'm working on. It comes from inside a large banking organisation that has adopted two-factor authentication for remote access to corporate resources -- surely a sensible policy to protect shareholders' investments. The person in charge of this shift writes to the staff:
I know there have been a lot of complaints about the new RSA tokens that we've issued, in that it's a bit of an inconvenience to carry your laptop AND an RSA token on your key ring. Here's a solution that will help you keep them together. Get a bigger key ring (we've got a handful, first come first serve) and put the token on the key ring using the small diameter ring on the token. Insert the laptop's power cord through the ring, make a half hitch loop on the cord, fastening the bigger ring to the cord.
In other words, tether the token to the access device that's at risk.
Continue reading "Two fingers to two factor" »
By davebirch, posted Dec 20 2006 at 9:06 AM
[Dave Birch] Driving licences are always a good example to study in the world of digital identity because they are making the transition from dumb to smart, as ID cards are, and could clearly be used to pivot across real and virtual services. The European Parliament has cleared the way for a new law harmonising driving licences across the European Union, but the new licence will not be obligatory until 2033! There are currently 110 different driving licences held by almost 200 million people -- which vary in shape, size, the length of time they are granted for and the ease with which they can be counterfeited -- so there are obvious efficiencies to come from replacing them. However, the law will only take effect in 2013 -- when newly-issued driving licences must be in the new ID1 format -- and will then set a firm schedule for replacing all of the old kinds of driving licences during the next 26 years.
Continue reading "Driving forwards" »
By davebirch, posted Dec 14 2006 at 8:08 AM
[Dave Birch] The International Telecommunication Union (ITU) has issued a report "digital.life" calling for more "joint efforts" to set up a coherent digital identity scheme that should be able to facilitate on-line interactions while protecting data and alleviating privacy concerns. What caught my eye was that the report asks for digital identity management that is based on the use of "partial identities" depending on context and user choice. This sounds very much like the real-digital-virtual identity model that we use whereby different groups of virtual identities are bound to different digital identities.
The report was drafted by a team of analysts from ITU's Strategy and Policy Unit, covering chapters on "going digital," lifestyle, business, identity and living in the digital world. Chapter 4, called "identity.digital" will be the one of most interest to blog readers. It's not bad: it covers a lot of the main issues in a fairly readable way and section 4.3.3 covers the benefits of pseudonymity as an operational mode, making the critical point that it should be up to individuals to determine the subset of their attributes that is communicated in order to effect a transaction.
Continue reading "More converts?" »
By davebirch, posted Dec 11 2006 at 10:53 AM
[Dave Birch] You may remember the DIFRWear shielded wallets and passports that we were talking about a couple of weeks ago. I thought people might be interested to know that they arrived, and they're very nice. But do they work? In other words, if you put a passive ISO 14443 card or passport inside, do they stop terminals from seeing them?
Continue reading "Tinfoil tests" »
By davebirch, posted Dec 9 2006 at 7:54 PM
[Dave Birch] The award-winning BankID initiative in Norway is a very useful case study. It shows what can be done to implement digital identity services when there is a working partnership between people who have an application that needs digital identity services (ie, banks) and people who have the technology platform to deliver them (ie, mobile operators). Is this a special case? One might argue that Norway is a small market, a homogenous society, a place where the co-operation between banks and the operators is unusually close. Norwegians would co-operate in this way, others wouldn't.
Continue reading "Norwegians would" »
By davebirch, posted Dec 1 2006 at 3:34 PM
[Dave Birch] At the Intellect Identity Management Group meeting today (Chatham House rules), there was a presentation on the current situation with regard to identity cards in the UK followed by a discussion with industry representatives. One part of that discussion was about the potential for "radical redesign" of the UK's proposed national ID card scheme. I think what is meant by this is an attempt to cobble together something from existing databases (eg, national insurance) that can be called a new scheme but would save lots of money. But what should the goals of a redesign be? A potential list was put forward, including helping to prevent identity theft and helping to get e-government off the ground, and it got me thinking that surely what the government wants is for UK residents to actually want an ID card rather than have to bully them into getting one. But what kind of things could it do? Most of the interactions with central government are infrequent (eg, filling in your taxes) and most of the interactions with local government (eg, booking at the leisure centre) don't need high security, so an ID card wouldn't make much of a difference to any of these "use cases". But if an ID card is viewed as a digital identity, then the question becomes one of binding it to higher value virtual identities that need protecting: your Second Life identity, your chat room identity, your iTunes identity maybe. How can an ID card support those identities? If it's not mandatory, then no-one will want one unless it supports them in useful ways.
Continue reading "How to make an ID card useful" »