My paper Can We Fix the Security Economics of Federated Authentication? asks how we can deal with a world in which your mobile phone contains your credit cards, your driving license and even your car key. What happens when it gets stolen or infected?
Using one service to authenticate the users of another is an old dream but a terrible tar-pit. Recently it has become a game of pass-the-parcel: your newspaper authenticates you via your social networking site, which wants you to recover lost passwords by email, while your email provider wants to use your mobile phone and your phone company depends on your email account. The certification authorities on which online trust relies are open to coercion by governments – which would like us to use ID cards but are hopeless at making systems work. No-one even wants to answer the phone to help out a customer in distress. But as we move to a world of mobile wallets, in which your phone contains your credit cards and even your driving license, we’ll need a sound foundation that’s resilient to fraud and error, and usable by everyone. Where might this foundation be? I argue that there could be a quite surprising answer.
The paper describes some work I did on sabbatical at Google and will appear next week at the Security Protocols Workshop.
Do you have a reference for for this “Apple vision” you describe in your paper? This is the first I’ve heard of it and I tend to follow Apple quite closely.
In some sense, mobile phones reduce the cost of carrying extra cards to zero. Doesn’t it mean, I will always choose the card that is the cheapest for me? OR, stores can start asking customers to use the Store cards instead of the general credit card (by say offering a 1% discount)?
What I am getting at is that I am not sure if the advantage of being the default card in the mobile wallet case, is comparable to the real wallet case. I can also imagine (although, fat chance of this) that my phone and the vendor negotiate the card to use automatically.
A very interesting post with a lot of useful use case scenarios within it that bring alive the service complexities that arise between different service providers working together.
However I believe the conclusions are seriously flawed by the enduring failure to include the individual as a participant as opposed to a victim in the case of loss of wallet or a beneficiary of the services made available by the electronic wallet provided by a collection of commercially minded people seeking to control the landscape. The reference to the dominate card was very telling in my view. I believe it would be a great document if it had said the following
A personal data store as the integration point and hub for provisioning a mobile phone and credit cards within the wallet contained in the mobile phone would make a lot of the service related complexities fall away. What do I mean? well think about the latency in the reprovisioning process and revocation primarily due to the need for organisations to work together. Imagine a world where people have personal data stores and the mobile phone company provision there service to the PDS as do all the credit card companies. This means the PDS is the repository of authenticated rights to certain services and capabilities, is highly secure and can present a wallet capability to all who need it.
This would also allow an individual to infer those rights or enable a mobile device, phone, ipad or whatever with those rights for the purposes of portability either in a network connected manner or as a stand alone device enabled with NFC.
If a person takes out another credit card it is them who put it on their device, its there choice under their control, many people have more than one credit cards and we don’t always carry all of them with us. Just imagine a night when you go out on the town you only want to take some cash and perhaps one card, you leave the rest of your wallet / handbag at home.
Lets say you have two devices one for work and one for personal use or you are one of those people who swaps devices around depending on what you are doing, it is only natural that you may want your services to exist on multiple authorised devices or enable devices when needed to what ever level you want.
The organisation centric way of thinking is what is killing the solutions being defined.
The unavoidable conclusion is education is central to getting organisations through the stage of realising that their traditional means of control / lock in as they refer to it are in actual fact what is inhibiting take up and evolution of the systems that so desperately need to move forward into the digital age.
Federated authentication does need to exist, clearly, but it is only a component of the emerging ecosystem the central capability of a personal data store under the control of an individual in which they can store their rights, services, assets and evidence is paramount to moving forward. In the world I see provisioning gets faster, cheaper and more secure by it being delivered by a pre authenticated route to a proven personal data store from which the individual chooses how to configure their devices and lives.
This notion of PDS centric provisioning may be the hook needed to demonstrate to mobile phone operators and banks about a faster, lower cost more secure mechanism of managing risk and deliver exceptional service.
My final thought is that mobile phone companies and credit card companies will still have the ability to shut down a device using IMEI number and get it off the network without cocking up a persons provisioned services and credit card companies can disable from the network end credit card and payment systems provisioned against such a device which is an implicit part of the verification the transaction data contains so it will be as secure if not more so as the individual can initiate directly a total lock down of all its services from single request via its pds.
Perhaps biometrics on devices is more important in this world than people realise.
@ Ross,
I think you will find that Douglas Adams had the idea for a universal identity device and the failings attached quite some time before Apple.
Whilst I agree with your last paragraph (governments should be responsible for equitable legislation not ID managment) I’m not sure I agree with the rest.
First of many years ago it was found that electronic wallets had many failings some of which was a holders desire to have information split up for various reasons (the case most quoted was a French Smart card system which was never used in cloths cosmetics or perfume stores).
The underlying reality is people have different roles in life as the norm. You are simply not just Ross J Anderson, you have a number of the normal social roles (ie the usual son / brother / husband / father) employment roles ( employee / employer / manager / budget holder / etc etc) and other personal roles based around hobies and interests.
Now many people don’t realise it but we often tend to segregate roles in order to maintain distance between us and our various other associations via different roles. This is because it is usually easier to maintain roles that are segregated and also for the sake of our privacy and ultimatly our sanity.
I susspect that like many people who travel frequently you have a number of Credit Cards and that you fall into one of two basic types, that is you favour the card that gives you the best deal, or you use the cards to make managing your finances easier.
The latter group will use one card for personal activities one for business activites and possibly one for internet shopping and or emergancies etc.
When push comes to shove few people use password managers and you have to ask why as it would on the face of it make their lives considerably easier. Many don’t simply because they don’t trust them to either keep adequate segregation or be secure from others.
Electronic walets to hold credit card and other information will actually make many peoples lives more difficult and they will actualy shun such systems prefering to trust their own judgment as to which card the use and when.
I for one do not have any combined credit/debit cards because in some cases merchants can set the default to be what is most favourable to them not to the customer. And I for one prefere to be able to manage my card usage such that some times I use a debit card and others a credit card for reasons such as insurance cover etc.
One of the big reasons SSO systems don’t work outside of an organisation is that people just don’t want or trust them (like password managers). Even in corporate environments they have significant failings where people have more than one role within the organisation.
I suspect that the idea of a “one ring controls them all” style phone credential will not prove popular with much of the populous and it will suffer the same fate as other systems such as Mondex in the 1980’s and SET etc, that is it will actually offer less utility than a person already has…
What you’ve stated in your article is true. Note, however, that the substance of the standard in ANSI X9.73-2010 Crytpgraphic Message Syntax ANS-1 and XML solves your problem. We’d be happy to discuss this topic with you.
Why do some people insist on promoting biometrics for portable devices? Biometrics is ONLY secure with an armed and trained guard next to the reader. Fingerprint scanner are crap, eye scanners can be tricked to, face scanners aren’t better, etc.
But next to a trained guard it is hard to hide the fact that you are trying to trying to trick the system to think you are somebody else. And the gun is both a deterrent and to make you nervous so that attackers can be detected more easily.
No biometrics that can be implemented on a phone can be secure enough by itself.
By the way, I do like the idea of a unified wallet system in the phone with multiple issuers for virtual cards. But the phone security system has to be well thought through. Tamper protected hardware us a must, as well process isolation and such.
The Google wallet has just been announced.
Great paper. Thanks for such a lucid explanation of the mobile wallet and for laying out an economically rational process for reprovisioning.