Time to get a grip on mobile identity
When a European wants to buy a soda, he points his phone at a vending machine and a soda might pop out.
Americans can’t do that. Europe’s GSM phones contain a “token” form of identification (www.acm.org/crossroads/xrds7-1/kali.html), which is tied to the subscriber’s account, and an infrared interface, which the soda machine supports.
The “token,” in the form of a postage-stamp sized Subscriber Identity Module (SIM) chip, holds the subscriber’s account credentials and lets purchases be billed to that account, but it is no more a proof of identity than a credit card number: it shows that the holder can pay, not who the holder is.
Still, it’s very powerful. The Mobile Payment Forum (www.mobilepaymentforum.org), quoting figures from Celent Communications Inc. (www.celent.com), a Boston research and consulting firm, estimates mobile commerce will be worth $50 billion next year.
In October 2002, when Agere Systems, Proxim and Ericsson said they would integrate 2.5G and 3G cellular systems with 802.11 hot spots, they included support for SIM tokens. The tokens will be removable.
This means account information could be moved from a cellular phone to a PDA or laptop, and purchases made with one device — of either online time or products — would be settled on one account.
These tokens, however, won’t have profound public safety implications. They won’t prove who you are; they just prove that someone has the ability to pay.
There are several ways to prove identity in a mobile world, the ACM writes (see sidebar).
Most users are familiar with the “challenge identity” verification method.
Large computing vendors such as IBM recommend that key databases be protected by strong challenge-based authentication and by firewalls, with encryption (through a Public Key Infrastructure) used to protect the network layer. (www-1.ibm.com/mediumbusiness/sbcuk/bus_solutions/security_toptips.jsp#secure)
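The following is an added example, not code from the article or from any vendor or standard it names. It models the sidebar’s “Challenge” marker and the SIM point made above: a verifier issues a fresh random challenge, the token answers with a keyed function of its secret, and the verifier learns only that the answerer holds the account secret. The RAND/SRES names echo the GSM flow; the HMAC-SHA256 stand-in for the SIM’s authentication algorithm, the key material and the account number are assumptions made for this example.

```python
"""Challenge-response proof of account possession (added illustration).

Shows what a SIM-style token actually proves: possession of a secret, not the
identity of whoever holds it. The HMAC-SHA256 stand-in for the SIM's
authentication algorithm and the subscriber data below are assumptions.
"""
import hashlib
import hmac
import secrets

# Constructed sample data: the operator's subscriber database maps an account
# number to the secret burned into that account's token.
SUBSCRIBERS = {
    "account-0001": bytes.fromhex("00112233445566778899aabbccddeeff"),
}


def respond(token_secret: bytes, rand: bytes) -> bytes:
    """What the token computes: SRES = f(secret, RAND). Only the secret is needed."""
    return hmac.new(token_secret, rand, hashlib.sha256).digest()[:8]


class Network:
    """The verifier. It issues fresh challenges and remembers which it issued,
    so a replayed (RAND, SRES) pair is rejected."""

    def __init__(self, subscribers):
        self._subscribers = subscribers
        self._outstanding = {}  # account -> set of unanswered RANDs

    def challenge(self, account: str) -> bytes:
        rand = secrets.token_bytes(16)
        self._outstanding.setdefault(account, set()).add(rand)
        return rand

    def verify(self, account: str, rand: bytes, sres: bytes) -> bool:
        secret = self._subscribers.get(account)
        pending = self._outstanding.get(account, set())
        if secret is None or rand not in pending:
            return False          # unknown account, or a challenge we never issued
        pending.discard(rand)     # each challenge may be answered at most once
        expected = respond(secret, rand)
        return hmac.compare_digest(expected, sres)


def demo() -> dict:
    """Runs four exchanges and reports which ones the network accepts."""
    net = Network(SUBSCRIBERS)
    ki = SUBSCRIBERS["account-0001"]

    # 1. The legitimate token answers a fresh challenge.
    rand = net.challenge("account-0001")
    sres = respond(ki, rand)
    genuine = net.verify("account-0001", rand, sres)

    # 2. Replaying the captured pair fails: that challenge was already consumed.
    replay = net.verify("account-0001", rand, sres)

    # 3. An attacker without the secret guesses and fails.
    rand2 = net.challenge("account-0001")
    guess = net.verify("account-0001", rand2, b"\x00" * 8)

    # 4. Anyone holding a copy of the secret (cloned token, leaked key) passes
    #    exactly as the subscriber does: the network learns that *someone* has
    #    the account secret, not *who* that someone is.
    rand3 = net.challenge("account-0001")
    cloned = net.verify("account-0001", rand3, respond(ki, rand3))

    return {"genuine": genuine, "replay": replay, "guess": guess, "cloned": cloned}


if __name__ == "__main__":
    print(demo())
```

The fourth exchange is the one the article’s argument turns on: the protocol cannot distinguish the subscriber from anyone else who has the secret, which is why a payment token, however well the challenge is protected, is not a personal identity.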
The Liberty Alliance specifications, first announced in July (test.webservices.org/index.php/article/articleview/522/1/4/) and updated in January (www.projectliberty.org/press/releases/2002-11-19.html), don’t change the basic security equation.
Instead, they are designed to allow identities, whether created through tokens, challenges or encryption, to be shared, either vertically (between vendors), laterally (between vendors and customers) or horizontally (between vendors and credit networks).
A draft for Version 2.0 of that standard will be out this month, said Timo Skytta, a technology manager at Nokia and chair of Liberty’s architecture team.
The final draft will be released by June.
“Release 2 is going to be about services, identity related services,” he said. “It will address how you invoke identity-related services,” including those based on location.
Release 1.1, issued in October, clarified the authentication side of identity, so that identity information can be exchanged among companies and computer systems.
What will that mean in terms of services?
“Once the user is in, whether via a WAP or Web connection, it will mean I don’t have to enter the User ID and password. I will get a prompt from the network server to which I just click OK, then I get personalized services.
“From the user point of view it’s just a convenience. From the business point of view the benefit is a standards-based way of doing this, shared by mobile and fixed Internet” services.
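The exchange Skytta describes, as an added example that is not part of the article and not Liberty Alliance code: an identity provider that has already authenticated the user issues a short-lived signed assertion, and a service provider accepts it in place of a user ID and password after checking the signature, the intended audience, the validity window and replay. The assertion fields follow the SAML-style assertions Liberty’s authentication specifications build on; the JSON encoding, the HMAC-SHA256 signature standing in for an XML signature, the shared key and the host names are simplifications assumed for this example.

```python
"""Signed single sign-on assertion between an identity provider (IdP) and a
service provider (SP), added here to illustrate the article's description.

Assumptions: JSON claims, an HMAC-SHA256 signature in place of Liberty's
XML signature, and a key shared out of band (Liberty uses certificates).
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumed for the example: the IdP and SP agreed this signing key out of band.
IDP_KEY = bytes.fromhex("7b3c9e5f0a1d2c4b8e6f1a9d3c5b7e2f")


def _sign(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def _canonical(claims: dict) -> bytes:
    """Stable serialisation so signer and verifier hash identical bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


class IdentityProvider:
    """Authenticates the user once (the operator's network, in the article),
    then issues assertions for the services the user visits."""

    def __init__(self, key: bytes):
        self._key = key

    def issue(self, subject: str, audience: str, now: float, ttl: int = 300) -> dict:
        claims = {
            "subject": subject,          # who was authenticated
            "audience": audience,        # which SP may accept this
            "issued": int(now),
            "expires": int(now) + ttl,   # short-lived by design
            "nonce": secrets.token_hex(8),
        }
        return {"claims": claims, "signature": _sign(self._key, _canonical(claims))}


class ServiceProvider:
    """The Web or WAP site. It accepts an assertion instead of a password, but
    only after four checks: signature, audience, validity window, replay."""

    def __init__(self, name: str, idp_key: bytes):
        self.name = name
        self._idp_key = idp_key
        self._seen_nonces = set()

    def accept(self, assertion: dict, now: float) -> Optional[str]:
        claims = assertion.get("claims", {})
        expected = _sign(self._idp_key, _canonical(claims))
        if not hmac.compare_digest(expected, assertion.get("signature", "")):
            return None                                   # forged or altered
        if claims.get("audience") != self.name:
            return None                                   # meant for another SP
        if not (claims.get("issued", 0) <= now < claims.get("expires", 0)):
            return None                                   # expired or not yet valid
        if claims.get("nonce") in self._seen_nonces:
            return None                                   # replayed
        self._seen_nonces.add(claims["nonce"])
        return claims["subject"]                          # "just click OK"


def demo() -> dict:
    """Exercises the accept path and each rejection path."""
    idp = IdentityProvider(IDP_KEY)
    shop = ServiceProvider("shop.example", IDP_KEY)
    bank = ServiceProvider("bank.example", IDP_KEY)
    t0 = 1_050_000_000.0

    fresh = idp.issue("subscriber-0001", "shop.example", t0)
    ok = shop.accept(fresh, t0 + 5)                       # accepted
    replayed = shop.accept(fresh, t0 + 10)                # same nonce again
    wrong_site = bank.accept(idp.issue("subscriber-0001", "shop.example", t0), t0 + 5)
    stale = shop.accept(idp.issue("subscriber-0001", "shop.example", t0), t0 + 600)
    tampered = dict(fresh)
    tampered["claims"] = dict(fresh["claims"], subject="subscriber-9999")
    forged = shop.accept(tampered, t0 + 5)                # signature no longer matches

    return {"ok": ok, "replayed": replayed, "wrong_site": wrong_site,
            "stale": stale, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

The audience check is the one most often forgotten in practice: without it, an assertion minted for a low-value site could be replayed to a high-value one by anyone who intercepted it.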
The Liberty Alliance, however, is working only on corporate identities (like credit card numbers) linked to marketing identities (purchase data in corporate databases).
The true “Holy Grail” for mobile identity remains a personal identity, something controlled entirely by a user.
Whether that will come in the form of a SIM, a smart card, or a biometric database has yet to be determined. The important point is that it does not exist yet.
Mobile identity, for now, remains proprietary, account-based and transitory.
Mobile identity markers
Challenge — A username and password on a Web site is a challenge. Answer the challenge correctly, and you may cross.
Encryption — A personal encryption key, backed by a Public Key Infrastructure, takes more computation and bandwidth than a challenge system and is at the heart of many token-based systems.
Biometrics — A fingerprint or retinal scan is a better, truer form of identity, but the files needed are large and complex. You also need client devices to read them.
Location — GPS identity is vital in public safety applications. This is what Enhanced 911 service is designed to provide, and the continuing delays in its roll-out will remain frustrating.