You have likely heard me preach about the value of OIX White Papers at an event or via my blogs in the past. OIX White Papers are more “ silver buckshot” than “silver bullets” in that they are always pragmatic, objective and take one of two perspectives: a retrospective report on the outcome of a given project or pilot or a prospective discussion on a current issue or opportunity. They are authored by independent domain experts and are published on all OIX websites and thus freely available.
Today we published “Exploring the Role of Mobile Identity Assurance” white paper by Nick Foggin. This white paper summarizes the outcomes from the UK’s first mobile network operator alpha trial. Mobile phones are becoming the device of choice for digital transactions. The UK Cabinet Office wanted to catalyze the role UK mobile network operators might play in establishing trust in such digital transactions.
The development and publishing process with Nick was so unique that he documented his personal experience in developing the white paper in the blog below:
When I was asked to write a white paper for the OIX on the subject of the recently completed alpha trial – in which the UK’s four major mobile operators (MNOs) and five Identity Assurance Providers (IDPs) participated – I was, to be frank, skeptical. The very concept of a 9-way cooperation sounded improbable at best, and I approached the situation with considerable nervousness. I was concerned that the parties would have collided rather than collaborated. Finding something meaningful and interesting to write about within such a context was likely to be challenging, I reasoned.
My preconceptions, it turns out, were entirely wrong. Brought together at the invitation of the Cabinet Office, and supported by the OIX and the GSMA, the organisations involved had not only managed to collaborate productively with one another, but also, they had managed to create something entirely innovative and exciting. The purpose of the alpha trial was to examine ways in which mobile could be used to enhance the identity assurance services that IDPs have been contracted to develop by the Cabinet Office. This was an experimental process, and there was no guarantee that the participants would agree on or develop anything at all. The fact that they emerged from the process with a solution that appears – at least on the face of it – to add substantial value, is remarkable.
So what does the solution do? In short, the solution adds a new layer of security and surety to already robust processes. The IDPs have developed solutions that allow each individual / citizen to create a secure identity, for use in accessing government services on the internet. These identities have a high level of assurance – that is to say that the IDPs are able to verify the data that individuals submit when creating an identity, and assure themselves that the individual making a claim on an identity is in fact the individual to which the identity relates. To make use of these identities, individuals use a username and password, and a PIN code, which is sent to their mobile phone (they submit their mobile phone number as part of the registration process). There are a couple of challenges in this approach: firstly the IDPs are not able to independently verify that the mobile number submitted is the right one; secondly, the PIN code methodology used (one-time passcode) is not necessarily the most secure approach available.
So the MNOs and the IDPs – working together – came up with a new approach. They substituted the one-time password solution with a secret PIN solution, based on wireless PKI. That change alone would likely have added to the robustness of an already secure solution. But they didn’t stop there. They also created a platform via which IDPs could (a) verify that the mobile phone number submitted by an individual is correct, and (b) request other attributes relating to an individual whenever their IDP identity is invoked. But importantly, both such uses of MNO-held customer data require specific consent to be granted by the individual. The solution effectively asks the individual “do you mind if we ask your mobile operator to confirm that this is your mobile number?” when registering, and when making use of their IDP identity, the individual might be asked “do you mind if we ask your mobile operator confirm that your phone has not been reported lost or stolen?” The ability to access MNO-held customer data is potentially extremely valuable for the IDPs – once customer consent has been granted, it allows for a real-time check of various attributes, to complement detailed but historical data, such as credit reference information, to which IDPs also have access. But most importantly, the approach benefits individuals. First and foremost, it makes identity theft and associated fraud materially more difficult. Secondly, it actually makes sign in easier: instead of having to input a username, and password, and one-time passcode, the user only has to enter their mobile phone number via the browser on their PC or tablet, and complete the sign in process on their mobile phone by entering their secret four-digit PIN. In the knowledge that the MNO-held data would only be used as a means of verifying their identity, the individuals involved in trialing the solution were happy for their data attributes to be shared.
To me, the most important part of the solution is its inherent differentiation. It places the individual at the centre of all processes, and asks for consent every time their identity is invoked and attributes are passed. This is a welcome departure from much of what happens online today in the name of identity management.
Putting the customer at the centre of the solution didn’t happen by accident. Before the participants in the alpha trial even began thinking about what the technology or data could do, they drew up a set of guiding principles to inform the whole process. Without listing them out here, the confluence of those principles was transparency. If data relating to an individual is required, ask for consent – and be specific. The solution goes as far as detailing what information is being requested from the MNO, and why.
So, my preconceptions suitably shattered, I found myself involved in writing up a process that – though far from perfect – was genuinely dynamic and exciting. Of course there were clashes of opinions and personalities. There were periods of frustration and distraction. And there remains a very long way to go. But as first steps go, the alpha trial represents a long and sure-footed one, and one that I very much enjoyed writing about. I hope the white paper manages to convey what I found, and the importance that it holds.
Thank you, Nick, for capturing the results of the alpha trials in the UK and documenting your experience for the OIX community. We often get reactions to published OIX White Papers and Nick’s paper is no exception. My next blog will share a reaction to Nick’s paper.