About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion

License

  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


4D Secure

By Dave Birch posted Sep 16 2009 at 8:42 PM

[Dave Birch] One of the things that I thought might happen this year is that the US government standard for ID cards might begin to spread into the commercial sector, simply because of the impact of standardisation. I wasn't the only person who thought this, by the way.

In 2009, common access card programs will get another chance to conquer the enterprise market due to the government’s drive to implement PIV cards for all employees and contractors, the availability of standards and compatible products, the spread of standards beyond the federal government to state and local entities as well as government-linked enterprises. Most importantly, security convergence will finally receive market traction.

[From ContactlessNews | Look for renewed interest in enterprise common access card programs in 2009]

I should say that I thought this was a good thing. The PIV might not be an exact match with some corporate requirements, but on the other hand a standard means lower costs and an emerging ecosystem. So, if we want to improve corporate security, do we start designing our own, optimal solution, or go with the grain of what's out there on the basis that it's much, much better than nothing?

I have some sympathy with the view that it is better to go with the grain, and I think this is true of consumer services as well. Look at the problem of improving card security for online transactions. So far the industry has come up with 3D Secure (3DS), but it's proving difficult to get universal coverage and as long as criminals can use stolen card details somewhere then they will continue to do so. And, I suspect, if there was universal coverage then criminals would simply switch their phishing attacks to 3DS passwords. What to do? Well, if the banks come up with a convenient and simple authentication solution, then it will find its own path into the marketplace and there will be no need to "bully" either merchants or consumers.

If banks truly cared about offering the right solutions to the problem, they wouldn't have to make solutions mandatory.

[From MANDATORY Verified by VISA and UCAF SPA]

Does this mean getting rid of 3DS and replacing it with something consumers do actually use, like Facebook logins or something? No! One of the more interesting ways of leveraging 3DS might be to integrate it into some other, Internet-based, authentication scheme. A good candidate might be OpenID. Now, as previously discussed, OpenID needs strong authentication to be useful for business. 3DS could provide a mass market 2FA addition to OpenID. A direction that might be explored is what you might call "4D Secure", or 4DS: instead of using bank authentication to log in to something, use bank authentication to log in to an OpenID provider and then use OpenID to log in to things. This has the advantage that service provider sites could implement open source standard OpenID solutions rather than interface with 3D Secure. So I go to log in to Tesco using OpenID, I do an OpenID log in using my Barclays credit card and USB contactless interface (my Barclays credit card has PayPass) or the Barclays "thingy" that I already have and off I go. Surely this would be attractive to merchants, since they might even want to run their own OpenID service for their loyal customers.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]
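
An added example, not from the original post: the relying-party side of the "4DS" arrangement described above, where a merchant site accepts an OpenID login only if the bank-run provider has signed a claim that the user authenticated with two factors. It assumes the provider reports this through the OpenID PAPE extension, which the post does not mention; the endpoint, identifier and MAC key are constructed, and the nonce and return_to checks a full OpenID 2.0 verification needs are outside what it shows.

```python
import base64, hashlib, hmac

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
BANK_OP = "https://openid.bank.example/op"   # hypothetical bank-run OpenID provider
MAC_KEY = b"constructed-association-key"     # constructed; normally agreed via association

def sign(fields, signed):
    """HMAC-SHA256 over the OpenID 2.0 key-value form ('key:value\\n') of the signed fields."""
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
    return base64.b64encode(hmac.new(MAC_KEY, kv.encode(), hashlib.sha256).digest()).decode()

def bank_assertion(policies):
    """Constructed positive assertion, as the hypothetical bank provider would issue it."""
    f = {
        "openid.mode": "id_res",
        "openid.op_endpoint": BANK_OP,
        "openid.claimed_id": "https://openid.bank.example/id/alice",
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": policies,
    }
    signed = ["op_endpoint", "claimed_id", "ns.pape", "pape.auth_policies"]
    f["openid.signed"] = ",".join(signed)
    f["openid.sig"] = sign(f, signed)
    return f

def strong_auth_asserted(f):
    """Relying-party check: accept only a signed multi-factor claim from the bank provider."""
    if f.get("openid.mode") != "id_res" or f.get("openid.op_endpoint") != BANK_OP:
        return False
    signed = f.get("openid.signed", "").split(",")
    try:
        expected = sign(f, signed)
    except KeyError:                      # a field listed as signed is missing
        return False
    if not hmac.compare_digest(expected.encode(), f.get("openid.sig", "").encode()):
        return False
    # The PAPE alias is chosen by the provider, so look it up by namespace URI.
    alias = next((k[10:] for k, v in f.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS), None)
    required = {"op_endpoint", "claimed_id", f"ns.{alias}", f"{alias}.auth_policies"}
    if alias is None or not required <= set(signed):
        return False                      # unsigned PAPE fields could be appended by anyone
    return MULTI_FACTOR in f[f"openid.{alias}.auth_policies"].split()
```

The last check is the one that matters for the merchant: a valid signature alone proves only that the bank issued the assertion, not that the fields describing how the user authenticated were covered by it.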
