The combination of these tamper-resistant chips, wireless communications, biometric authentication and cryptographic technologies that already exist are more than adequate to deliver a 21st-century infrastructure with all of these desired characteristics. One can easily envisage, to give the obvious example, a national identity scheme that uses biometric identification purely for the purposes of uniqueness together with a mobile phone-based secure element to store keys (with biometric authentication now about to enter the mass market as signalled by Apple’s authentication of Authentec).
None of these technologies have to be perfect in order to function together in a properly-designed system that can tolerate imperfection: so, if the tamper-resistant chip is counterfeited that should not mean that a biometric database entry can be duplicated (in other words, counterfeit cards should not mean counterfeit identities) and, similarly, if the database is compromised so that the biometric record can be altered that should not mean that the on-card biometrics are changed.
Chips, mobiles and biometrics can do things that cardboard cannot. They do not need us to trade off security and privacy in a balance. Developing narrative based on a forward-looking (and exciting) vision for identity leads to an eminently practical solution that delivers the apparently contradictory result of more security and more privacy, using those existing technologies in an open and extensible way, allowing a new identity ecosystem to grow and flourish. The frameworks for these ecosystems are developing as well as the technologies, although they have not yet converged. We can see what I call an 'Atlantic' model developing through NSTIC in the USA and IDA in the UK. There is a Scandinavian model based on zero-liability bank identities for government and private sector services as well as a European model that uses government-issued identities for access to public and private services. I tend to think that the ‘mixed’ Atlantic model where the government sets a framework but both private and public sector provide identities and attribute services looks like a reasonable implementation.
Essential to this practical implementation is the smart identity device that uses the principles discussed above. This may be a card, tablet or something else in the future but for any reasonable timescale for strategic planning today, I think it will almost certainly be the mobile phone that serves (as Tony Fish says) as a sort of remote control for identity in the cloud. In day-to-day use, in the overwhelming majority of cases where someone will be using their ID, it will not be to show who they are, but rather to prove something about themselves: they are entitled to be in the UK, use the local leisure centre or read a particular e-mail.
The ‘default identity’ that most consumers will select via their mobile phone will probably be one from their mobile operator that discloses nothing except perhaps whether the holder is over 18 or not.
The mobile remote control ID can disclose the relevant credentials with no need to access a central database or with the unwarranted disclosure of other credentials — using well-known and wellunderstood cryptographic techniques — and this is what will make it the 21st century ID.
About David Birch
David G.W. Birch is a Director of Consult Hyperion, where he provides specialist cons ultancy support to clients around the world, including all of the leading payment brands , major telecommunications providers, government bodies and international organisations, including the OECD. Consult Hyperion helps organisations around the world to exploit new technology for secure electronic transaction services from mobile payments and 'chip-and -PIN' to contactless ticketing and smart identity cards.