Saturday 27 August 2011

Identity assurance: my cunning plan

A brilliant idea came to me today. It’s so brilliant I can’t believe that it’s not happening already. Devilishly simple. Clever. Works with current technologies. And cheap. Oh yes, and pretty convenient too.

What am I going on about?

Well, my brilliant idea came as I was reading today’s article in The Telegraph about the problems faced by the banking industry as they try to authenticate customers who want to deal with them on-line. Rosie Murray-West was writing about two-factor authentication - which prevents people from logging in to someone's online banking without physically acquiring their card reader and knowing their personal information. She reported that HSBC is the latest bank to introduce a security keypad for its online customers, saying the device is invaluable in the fight against banking fraud.

According to Rosie: “The Payments Council, which speaks for banks and building societies on this issue, is a supporter of two-factor authentication, while banks that have introduced it say that it has drastically reduced fraud. Barclays, for example, reckons that online fraud has decreased by 90pc since the card readers were introduced.” However, not all of the banks are adopting card readers, and she quoted Matthew Timms, from Santander, who explained that they had tried to avoid giving customers a secure key because they "don't find it engaging".

Here’s my brilliant idea. Get ready. Hold onto your seats.

If customers currently don’t find a card reader engaging, perhaps they would find it an awful lot more engaging if the same card enabled the user to access on-line services offered by a number of suppliers. If the card reader is good enough for a bank, surely that same card reader would be good enough for a range of other organisations, too. Like Tesco, Waitrose, mobile phone providers, gmail, Paypal and even my utility providers. Most of us have accounts with these institutions, and it would be brilliant if their security teams might get together and create some common identity assurance strategy.

Wouldn’t it be wonderful to have a single dashboard which enabled us to decide which service providers we wished to be linked with a common authentication system? And it could remain a two-factor authentication system – my user name for Tesco need not be the same as my user name for the mobile phone provider – but if they were paired with the same card reader, then I’m sure I would be much more inclined to carry that card around with me than if it only worked with a single provider.

Or the “card reader” could be a registered mobile phone, which received a text message containing a special PIN code that I needed to use with my user name, whatever that is for the particular service.
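To make the shared-authenticator idea concrete, here is an added sketch (not from the post, and the post names no mechanism) in which the “card reader” is assumed to be an HOTP device (RFC 4226), one identity-assurance service holds its secret, and each provider keeps its own user name plus a link to the device that the user manages from the dashboard. The provider names, user names and device secret are constructed sample values.

```python
import hmac, hashlib, struct, secrets

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class IdentityAssuranceService:
    """Assumed shared service: providers see pass/fail, never the device secret."""
    def __init__(self):
        self.devices = {}   # device_id -> {"secret": bytes, "counter": int}
        self.links = {}     # (provider, username) -> device_id

    def register_device(self, secret: bytes) -> str:
        device_id = secrets.token_hex(8)
        self.devices[device_id] = {"secret": secret, "counter": 0}
        return device_id

    # The post's "dashboard": the user decides which providers share the device.
    def link(self, provider: str, username: str, device_id: str) -> None:
        self.links[(provider, username)] = device_id

    def unlink(self, provider: str, username: str) -> None:
        self.links.pop((provider, username), None)

    def verify(self, provider: str, username: str, code: str, window: int = 5) -> bool:
        device_id = self.links.get((provider, username))
        if device_id is None:
            return False                     # not linked: nothing to check against
        dev = self.devices[device_id]
        for c in range(dev["counter"], dev["counter"] + window):
            if hmac.compare_digest(hotp(dev["secret"], c), code):
                dev["counter"] = c + 1       # counter moves forward for every provider
                return True
        return False

def demo() -> dict:
    """Constructed sample: one reader, two providers, two different user names."""
    svc = IdentityAssuranceService()
    reader_secret = b"constructed-demo-secret"   # would live only in the device and the service
    dev = svc.register_device(reader_secret)
    svc.link("bank", "jsmith42", dev)
    svc.link("grocer", "john.smith@example.com", dev)
    r = {"bank_ok": svc.verify("bank", "jsmith42", hotp(reader_secret, 0))}
    # A code already spent at the bank must not be accepted again at the grocer.
    r["replay"] = svc.verify("grocer", "john.smith@example.com", hotp(reader_secret, 0))
    r["grocer_ok"] = svc.verify("grocer", "john.smith@example.com", hotp(reader_secret, 1))
    svc.unlink("grocer", "john.smith@example.com")   # dashboard: stop sharing with this provider
    r["after_unlink"] = svc.verify("grocer", "john.smith@example.com", hotp(reader_secret, 2))
    return r
```

Because the counter is shared, a code consumed at one provider is dead everywhere, and unlinking a provider from the dashboard cuts it off immediately without touching the other links.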

Brilliant idea, isn’t it!

Here’s the hard part, though. I can dream about this stuff, but I don’t really have the skills to develop it, or to deliver it. If there is anyone out there who is good at developing and delivering, then please let me know. You can keep (most of) the millions to be made from monetising the idea, I’ll be happy with a peerage. Or a knighthood.

But where do we go from here?

Answers on an email, to the usual address, please.

And no more emails about you being an associate of a former dictator with access to huge amounts of money, and all you need is my bank details to make my dreams come true.

My new mission in life is to free the world from data protection drudgery, and I’m sure that this would be a useful step in the right direction.