In an earlier blog post I raised the concern that the expectations of the identity and security community as to how high assurance credentials will be provided to end users are driven from a technology perspective and not a lifestyle perspective. This blog post explores how, or even if, high assurance credentials can be made part of the day-to-day fabric of our online lives, and who is best suited to do so.
As I continue to peel back the covers on what it will take to successfully deploy and sustain any type of operational federation environment that seeks to deliver public sector services to end users, I get less worried about the bits-n-bytes and more concerned about making sure that the user/client/customer is at the center of it all.
In order to make strong credentials a part of the user's lifestyle, there are two questions I would ask:
1. What portions of the private sector touch the majority of the population, and have rigorous identity requirements for opening an "account"?
2. In any of the sectors identified in (1), are the end users intrinsically motivated to protect the "account"?
To me, the answer to the first question comes down to:
- Education Sector
- Financial Sector
- Telecommunications Sector
Applying the second question to these sectors is even more interesting. Education is a pervasive touch point, and while the institutions themselves are concerned about protecting the accounts, I don't have much data on whether the consequences of compromised accounts are motivating enough for users to be proactively protecting their account (I would be interested in data on this).
As to the Telecom sector, the consequences are higher, but the results of the Mobile (In)Security Survey as reported by Dark Reading are not encouraging:
"... more than half of smartphone and tablet users say they don't bother with authentication on those devices. Convenience is the main driver, of course: two-thirds of them leave applications logged in if they can ..." (Mobile (In)Security Survey)
Which brings us to the Financial Sector. On the provider side, investment in identity-based compliance, a.k.a. Customer Due Diligence (CDD), which covers the gamut of Know-Your-Customer (KYC), Anti-Money-Laundering (AML) and Anti-Terrorist-Financing (ATF) regulations, is extensive.
On the consumer side, have you noticed that no one leaves their credit card or debit card and its PIN just lying around? They are also not careless or negligent about keeping track of the credentials used to access their online bank account. Everyone cares about protecting their bank account.
To me, the financial sector is, potentially, the most natural source of credential service providers for consumers in the U.S. And, as I've said before in "FFIEC and NIST Authentication Guidance. Does a Token Venn Diagram Exist?", the policy barriers are not ... hard to overcome.
Having said that, I am neither the first nor the last person to have thought so. Looks like I have some learning to do ... Would be very interested in the thoughts of people who are knowledgeable about this topic.
- Does Public Sector Identity Federation have a Compelling Gain-to-Pain Ratio?
- FFIEC and NIST Authentication Guidance. Does a Token Venn Diagram Exist?
- No Passwords, PINs For Most Smartphone And Tablet Users
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.