Session at the European Identity & Cloud Conference 2013
May 15, 2013 15:00
Okay, yet another telco. So we all got our ideas on how to support people in this increasingly digitizing world.
Of course, we need to find our role as well. You know how to run cables so far. That's okay. Drivers. And there's another role of course, that that S want to have. And the one that I'm mainly involved in since a few years is around payment. That's what people think I think is much more. I actually think it's the same that I did before. I started doing payment. That was identity management. And this is exactly what I want to discuss with you here. This is the idea, turning the wallet into something that helps people organizing digital life in terms of their, their identities.
Identities is very important to me. I don't think that there is anyone who knows even his own identity well enough to claim that there is only one. I know nothing about my early years, totally wiped out. My relatives keep talking about it, about things I purposely have done,
they say. So there's always a difference between what others know about you, what data they thought about you and what you are aware of. Even communication theory.
You know, this, there is a big, big amount of information that people have about you, which you are not aware of. And that's the same in our industry. That's the same with all the services you're using. If you are a customer of a bank, you have a right to know what they have stored about you. That's regulated, that's fine. Still they have risk ratings and other stuff. There's a lot of technology that they're using. You don't want to know about. You don't want to know how we configure the routers in our networks to make your service as good as it can be.
There's a lot of stuff that is related to our customer relationship, but which can only be reasonably understood by the ones who run this business, not even by the ones who are affected by it, not even by the customers. That's the nature of many of the customer relationships and what the wallet in my eyes is. And this is why I want to propose it here for the life management context is it is representing the customer relationship, nothing more than that.
Giving a reference to an existing relationship to someone who might have information about me, someone who has offered to me to deliver services to me and these services should only be delivered when I say yes, it's okay, because it's my money. For example, that it's to be paid for it. Authorizations, for example, that's something that wallets could also do in the future. It's very little about technologies. And NFC, the near field communication, is a hype, which has brought the wallet idea to the attention of so many people, of our management too. So we are able to work on it.
But the architecture that we as telecom laboratories, where I come from in Berlin are working on is exactly doing much, much more than that. But we have learned, we have learned from the payment industry a lot, they have regulation. They have processes in place that key data pretty much in sight. The payment industry is very much aware of the power of information leakage. There are a few cases from time to time, but we have a big struggle. For example, explaining them.
We think that when a wallet gets used for a payment process would be a good idea to tell the people how much they pay in the end. Oh no, no way, no information that will ever let out. They're softening up a little and the idea to make it more user centric. And so if the user wants it, wouldn't you be able to deliver it. For example, through an open interface, these kind of discussions have taught us. There are already parts of industries that are very much aware of how to fence in identity information, critical information, and exactly this fencing in is what we also think of one approach.
A card based approach can very much help our support. I think I should have the right to own as many customer relationships with the same company as I want. I could open up lots of bank accounts. Unfortunately, there is so much regulation about it that would discover that it's always me, but why not? Could I buy five tickets and use them for public transport? And nobody knows that I have five tickets all at the same time, or I give away the tickets to someone else. It's a simple entitlement, which doesn't really require personalization, but in the plain form of that.
So this is what a wallet should accomplish. It should accomplish to communicate entitlements, maybe even transfers through all kinds of technologies. So that's what you see on top of the slide: QR code or barcode or NFC. We have built a browser connection, for example, to enable a ticket being used online. I can show you something like that on the upcoming slides.
So the task that I assigned people in my team to was: explain to me how we can do online transactions with the wallet. I think that's actually more future talk than the NFC part. NFC is more like where we are placing things. Okay. There's a lot of power in it, if you finally get it done, but it really will take a long time to establish itself. And there is so much new stuff happening in the e- and m-commerce arena. So why not go there with the wallet as well? And what we did is we introduced the club card. That's for a very practical implementation, a trial that's running currently.
And that club card could be used at one page. So I have a virtual card. I can use it. Referring back to the slide here (I will not do that more than once), but referring back to that slide, there is security possible, hardware security. So you can have your crypto or whatever to make security for login higher than you ever could, but you don't have to. It could be a very simple process. For example, it could be that the user simply stores username and password. We all know these types of stores.
It's not the beautiful way that identity management experts imagine the world to develop into, but it's a practical approach and that's happening. And it's something that a wallet could definitely support. You create your own club card by simply providing user name, password, and then having it stored in your wallet, in your private device, security, it's nothing different from your password store application that you might be using.
Moreover, of course, there are open protocols you could be using for this, which would make things even easier and more secure. And we hope that for example, this wallet approach could teach the services to start accepting such protocols in replacement of user and password, which are inherently not so much secure. The fine thing is it's a beautiful virtual digital object.
You are showing your appreciation for the customer because you're giving them something like a customer card that has worked for quite a few years in the real world, until the wallets got so thick that nobody wanted to accept any more of these plastic cards, but if they are virtualized and you can have hundreds of them in a wallet, that shouldn't be a problem anymore. And if it can be under fed with security, with cryptography, even the better. So that's what we have in our framework. And what more is there? We are not only talking about mobile phones.
We have quickly understood after we got into this, that it's really a paradigm we're talking about. It's what I'm talking about here. It's not the mobile phone that has everything for you, and it's replacing your leather wallet wherever you go, because that would even be not enough pragmatic, practical for many situations. You would want to have all your passwords that they live in on the PC still, or on your pad. These devices might not have a SIM card. So for everyone else in the telco industry here, there might even be a secure element provided by someone else who's not a telco.
And we will probably in the end be happy that they have, because these SIM cards are darn expensive. And the space, once we are successful, will be filled within a few months, basically, if a user really wants to use all these services. So we'd be probably happy to find someone else who has some more secure element space available, but that's for COE for the future. But that's what we are talking about here.
I think so. On one hand side SIM card, secure elements; there is a TPM, perhaps, on your notebook, some other hardware security element you could be using. It works pretty much different from the secure elements in SIM cards and some of the mobile devices, but still, who cares, if their representation can be unified with a virtual card and handling of virtual cards can be left to those who understand how to translate things. In many cases you will have to relate back to the issuer of a service and say, well, I got something new for you.
I could turn your credit card into a credit card that works on a PC. We have the technology available, but it's different. It's not the same thing that you had on your smart card, but it's as secure. And we can let it look for the end user exactly the same. And it works on the PC. That's a beautiful proposition. And to the business side, I think there is a lot of potential to everyone involved in it, to those who can provide the security on this kind of devices, to the platforms, of course, who should run the wallet services for synchronization and so on.
And of course also for those who put their stuff on the wallet, so a bank whose card can be used on a PC and is as secure as a real plastic card, or maybe even more; for a service who has not been able to provide anything better than username and password now gets something that is based on crypto and can reduce abuse and identity theft. And so lots of things that we think will turn out to be benefits. Practical use case: I didn't bring the demo with me because that's one of the big problems with mobile wallets. They are so small, no fun presenting them to many people.
I have a few screenshots here. This is what's actually running in Hamburg with the hamburger Spotify. It's just like 30 people who are using it. But what we did with them is we provided them with an NFC based wallet, ticketing thing together with an access management company, SKIDATA, one of the world's biggest companies in turnstiles and access control machinery. I didn't know that, but you learn in this business every year that there are other industries that are really, really important and big. And that's an interesting, everybody looks onto these virtualized tickets and it's fine.
They are working, no big surprise to technology guys. What we were able to kind of squeeze into this demo is how you get the ticket. You fire up the browser on your Android phone, which is the only platform we are supporting today. You fire up the browser and the browser detects that you have something like the wallet on your phone, and therefore it offers you to use the wallet for login. It's not so complicated to do. You could do that on every platform, basically. In this case, it's an intent and works freely, so you can use wallet.
And if you do so, if you say yes, I want to do it, then you have to have the club card in the first place. And this is the process: you are logged in. And because you are logged in, you are eligible to receive a club card, a virtual card. So you say to your issuer, I wanted to make it really sure, another typing of your username and password. And in the end, it says, you are going to get your club card and the club card will be available in your phone. It will be available on your wallet. In between, there's a step to push the information onto you, where we use the standard mechanisms.
So we would use them on every device, whatever kind of push notification or handling of such things is handled. You receive this card and card is available for the use for immediate login. Whether you make it immediate, just present the card, or whether you ask for a PIN, that's a policy question. That's not a technology question. That's not so hard to do. I think we all know how to do that. So thinking about these opportunities and ther, I started to think about the life management essence and it appeared to me that we, it services data or devices.
They all need to handle some kind of entitlements. Either you are allowed to use it, or they need, for example, personalization. This is something you could do perfectly with the card based paradigm. It cuts through all different kinds of services and devices. So that's something that really could help you to control your life.
You can only use your home control if you provide the right credentials. How you do that, whether you want to do an NFC tech or whether it's okay to have it just in your wifi area, or maybe there's another technology coming up that kind of keeps the distance within five meters of your home or whatever, doesn't matter. It's the paradigm that kind that comes. I am the one with the key to this device. What's also important is the customer relationship behind it. We don't think that a good crypto, good security is enough, basically.
We want to keep the relationships that he was just half. We want to have these different identities that are managed, kept separate from each other because I, as a user, want to have that right to have multiple contracts with different companies. And I might decide to use one in one instance, and one in the other, we all know this already from business and private use certain instances and should be all right. We could support with this delegation. That's a very interesting thing. Whenever people think about, oh, I use biometry for my house door and then start having a cleaning woman.
And the cleaning woman gets sick and they want to send in someone else. And then there is the kids that are sick and grandma's coming, and they don't have the right biometrics. They're not allowed. You should have something that you can see onto someone else. A virtual card could be handled like that, however you implement it. And still we know many ways of automating the usage of these virtual cards. So it doesn't have to bug people all of the time that I have to kind of weed out the right cards. We can automate lots of things.
We could even use them automatically without you ever getting involved. As long as there is this moment where this entitlement is used, and you have a history, at least a history where you can see, oh, somebody used my entitlement to open my door. Was that me? Or was it someone else? Was it an automatic thing that I need to change?
Because I definitely didn't want to have that. Hindsight is a very, very important aspect of transparency in our eyes, because we all need to be quick and automatic, want to have automatic experiences that are smooth and seamless. That comes at a price, and transparency should definitely be made available in this context. So that's what I would like to offer to this group and to the course of life management. There's yet another conference concept in a minute. Any immediate questions?
So here, the life management platform is the management of the credentials. Entitlements. Entitlements. First you can remember is Microsoft CardSpace. And it sounds about right. So how is your technology? How is your current time based? When CardSpace started, we definitely got into it quickly.
So yeah, I'm looking forward to see here at the conference. So we, we collaborated for years.
However, here we are not talking about the technology behind it. The paradigm is what really fascinated us and where we learned that when we, as operators put in the hardware security part, that everybody expects in the wallet, when we put in the NFC based communication, which otherwise is a problem to establish in a secure benefit, we can make this card paradigm even more powerful underneath. We have exchanged almost everything in terms of technology. There are modern things that work much easier and the whole info card architecture can still be used, but that's old.
So we learned from it, we adopted it. We are much more flexible behind the third phase, but we are deeply influenced by the ideas. I guess one, this program has only worked on Windows and your technology Android. Hold on. But this is the NFC restriction for the table.
Right, right. Because there's no NFC on that. So we are in the course of implementing that five based wallet. So we are also involved for example, in Mozilla Firefox OS development. Cause we want to make these things available quickly on multiple platforms. There is nothing speaking against having an available on the Windows 8 devices and on iPhone as an app, if they allowed it would be possible to have the low security objects in, it would also be possible. We just don't have that's already there. Right? Yeah. They have a pretty similar thing. That's right.
For a low, low level thing. For whatever reason, board tickets to airplanes are low security items. I never understood that. There's so much stuff that's really definitely less in need of it. I think there was one more question.
I have, out of curiosity, how much have you learned from what they did in Japan in the middle of the 2000s from DoCoMo and SoftBank. And so when I used to live there, this already existed and this is seven years ago. So how can I tell that? How much have you learned?
Well, I'm used curious. I'm pretty sure that the telcos in Europe have spent a three figure million number in analysts and consultants. That's one thing I could say, no, they didn't spend on us. So they never got right to the point only consultants, other analysts. I don't know.
One big thing here. The difference you might have noticed is we are multi-tenant based. It's not the one identity that one operator knows about you, which is then used for several different services that would create the big data, the big data on the big brother threat. In a way we have a multi-tenancy approach here. We would allow a bank to issue something to that wallet in the wallet. We would not be able to even recognize you are using a virtual credit card. You wouldn't even know about the use via NFC, because we have no control over that. You could use it 10 times or never at all.
We, as an operator wouldn't know that, and this is the kind of philosophy we try to keep through all the other implementation areas.