SecurityWeek

Mobile & Wireless

DHS Funds Smartphone Authentication Projects

The U.S. Department of Homeland Security (DHS) is funding three smartphone digital identity and privacy projects including mobile device attribute verification, mobile authentication, and physical access control. A total of $2.4 million was awarded to the Kantara Initiative, and these three projects are the first to be launched by the Kantara Identity and Privacy Incubator Program (KIPI).

The three KIPI projects involve Mobile Device Attribute Verification (MDAV) from Lockstep Technologies, Australia; Emergency Responder Authentication System for Mobile Users (ERASMUS) from Gluu Inc, USA; and Derived Credentials and NFC for Physical Access Control from Exponent Inc, USA.

“The basis for each project,” commented Kantara’s executive director, Colin Wallis, “is a unique re-configuration of emerging next generation standards and specifications delivered through mobile devices, like smartphones. The trend of leveraging the ubiquitous mobile device for digital identity solution continues to ramp worldwide. We are seeing a growing interest in incubator programs like KIPI.”

Lockstep’s MDAV uses certificates to ensure secure attributes, attribute sources and devices. Certificates are already used by many security departments to verify users’ mobile devices; but developing an application to deliver the process widens its applicability. 

“Potential applications,” says Kantara, “include credentials for first responders, value added mobile driver’s licenses, anonymous proof of age, clinical trial and e-health record confidentiality, electronic travel documentation, and privacy-enhanced national IDs.”

Gluu’s ERASMUS is designed for multiple autonomous organizations who need to share up-to-date information about a person’s identity, skills and authorizations. It is, suggests Kantara, “especially relevant in the emergency responder community, where state, local and federal government organizations need to collaborate both in person and online.”

Notably, ERASMUS is also the first implementation of Kantara’s nascent Open Trust Taxonomy for Federation Operators (OTTO) standard.

The Exponent project is the development of smartphone NFC capabilities for physical access control. “The employee uses the phone in the same way as their physical Personal Identity Verification (PIV) Card to access a building,” explains Kantara, “but the phone implementation provides improved convenience as well as options for difficult use cases such as a lost/stolen card or temporary credentials for non-PIV Card holders.”

The MDAV and Exponent projects will improve smartphone authentication options that are already being used by some companies — in essence, they will make such authentication easier, better and more accessible to security teams.

ERASMUS is a little different in that it delivers federated identity suitable for multiple organizations. In some ways, it is a poor man’s NSTIC, the Obama-initiated National Strategy for Trusted Identities in Cyberspace, designed to develop an identity ecosystem suitable for everyone, throughout the US.

One possible outcome of multiple identity/authentication projects is a fragmentation of the problem when all effort should be concentrated on a global solution such as NSTIC (or an alternative such as Identity 3). Kantara’s Wallis doesn’t accept this. “We do have various solutions in use but I don’t believe fragmentation is a problem per se,” he told SecurityWeek. “How else is progress made? Solutions are developed and tested. They go through their lifecycle and improvement updates are made until one is adopted. We are seeing that process with these three authentication projects.”

But there does remain one issue. Not all security practitioners feel able to adopt smartphone-based authentication solutions because not all users have smartphones. This is particularly relevant for blue-collar industries and some multi-nationals. “There’s no way around it,” said Wallis. “You need a smartphone for the advanced authentication we are talking about here.” But, he adds, “Various analysts report that by 2020 there will be six billion smartphones in use. So, the problem of smartphone availability could solve itself. In the meantime, alternative authentication approaches to smartphones to consider include SMS, and voice authentication.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
