Next generation platform
By Dave Birch posted May 29 2008 at 6:51 PM

With the U.K. newspapers focussing on ID cards again, now that the shortlist of the only suppliers who wanted to be on a shortlist has been announced, I wonder if it isn't time to abandon even talking about ID cards, when the practical implementation of identity for the foreseeable future is going to be centred on mobile phones. Since mobile phones can do a great many things that cards cannot, they provide an obvious means to deliver some useful identity services to both individuals and to organisations. An example might be simple, secure authentication for online services.
Forrester Research analyst Bill Nagel claimed that mobile authentication has taken hold in many countries, and that mobile signatures are a "logical extension... Nearly all of the banks and operators we spoke to said that the technology operates flawlessly and that the experiences of customers who use the system are very good," he said.
This is an attractive vision. The idea of making the Internet more secure sounds promising at first, but it has many negatives as well. If we make the Internet more difficult to connect to and harder to use, we lose the creative dynamic around it. Therefore, it kind of makes sense to leave the Internet cheap, flexible and insecure and kick the security layer off the end of the Internet and into the phones. Phones start off from a more secure base, because they already have tamper-resistant hardware (i.e., the SIM) in place and since this hardware is a general-purpose computer, there is plenty more it can do. This idea fits rather well with the identity-as-utility view that we have been putting forward for some time. The mobile phone works perfectly as the "identity gadget", the universal faucet that we will all use to turn identity on and off (emergency stop: bad analogy detected). We're hardly the only people working along this line of thought.
From Marco, a great HP paper on Identity-Aware Devices, describing some PoC work HP did with Intel around the Liberty Alliance's Advanced Client specifications.
In the HP paper, they talk about "identity-aware devices", which I rather like as a way of thinking about practical solutions. They point out that in order to function in a sophisticated environment (in this case, a federated identity environment) the identity-aware device needs some kind of trusted module that can function as an identity provider. This is exactly how I see the SIM: there's no need to invent anything new, just find a way to get the mobile operators and others to co-operate to implement the kind of ideas that we can all already see are the way forward.