Different IDP Business Model

Session topic: A Different IdP Business Model (W1I)

Convener: Pasi Lindholm

Notes-taker(s): Antti Tapio

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Pasi gave a presentation about a different business model for IdP that has been tested by NorthID in Finland. The slides are attached.

In Finland (and in general in most European countries) you have strong authentication tokens given to you by either banks or government entities and services can use them by making an agreement with the issuer.

People do not want to pay for (strong) authentication only. Users want more.

The total turnover of the whole strong authentication market in Finland is about 5 million euros / year and that is divided between at least 8 banks. The price of one strong authentication transaction is falling and currently is around 10 cents. When you have a mature strong authentication market, strong auth becomes a commodity. The business is in the value added services. On the Internet it is easy to meet strangers, but how can you trust them? There are not many person-to-person solutions to the challenge. NorthID developed an OnlineID that you could attach to your online car ad and that had a yearly fee.

NorthID asked what the users would want and they said that they would like to have their verified data from different registers so that they could show their data to other people use it for communicating with for example banking, healtcare and insurance companies. So as a first step NorthID made it possible to send the card via email and began discussing with the potential data source registers.

Discussion about the perceived value of the card

NorthID did not do scientific research about whether the sellers of cars got a better value out of their cars compared to other sellers or not Discussion about how the question about sending our id via email actually was understood by the users

Trials with Google Wave and Facebook

You could attach your NorthID OnlineID to Facebook and use it in Google Wave Pasi got on to the Finnish national TV morning show because it was something so different, new and interresting

Many possible registries:

population center, drivers licenses, photos, credit ratings, student status, business/company data,

In general turning around the basic model that someone demands a permission to get your data from the register via a background channel into a situation that you can yourself have the data from the registers to yourself in a form that you can then give to the requestors (in other words you can display your data in a form that the recipient can trust it).

Discussion about the model:

Similarities to the NSTIC model as in the IdPs store pointers to your data in the registers. Privacy issues and “freshness” issues if you start storing the actual data.

Discussion about issues with to whom can the registers display and transmit data to:

Drivers licenses are public records in many US states. You might not even need any kind of agreement with the DMVs. How can you then identify a good IdP from a bad one and how can you establish trust

To whom can the US government give your passport data? Registers differ in data quality and regulations / rules