About the very simple question of identity, security and privacy in Web Payment

w3c web Payment_small.jpg

Again, about the W3C Web Payment Workshop in Paris. Two weeks ago, discussion went on the definition of payment, the notion of user experience, the architecture of back end systems and the end to end picture. The main objective for such workshop was to identify web related topics on which all parties (merchants, banks, payment schemes, regulating government, payment service processors, ….) would agree to get more standard. This will take time as I already mentionned in a previous post. The conversation was structured, but it happened that for each of the scheduled sessions, after one hour of talk, the questions related to identity, security was systematically raised. How can you garantee that the payee is the one he pretends to be ? How can you you garantee that the money is safely transferred, stored ?  As moderator of the Identity, Security and Privacy, I felt like my panel would be an interesting piece of the workshop.

Throwing the question ‘how can you garantee your system is secure ?’ is a little bit unfair.  Obviously, no one can garantee a system to be 100% secure (at a certain point of time, someone will break it), so you have to think about risk evaluation, tools to help implementing security, indicators to monitor trust… And this is what the poeple from the panel shared : good practices, feedbacks and valuable advices to build a common solution to bring with payment some notion of identity, security and privacy. Here is my take away from the discussions.

Identity, what is it ? With Louise from British Computer Science and Tim from Microsoft, we explored the notion of identity with two different perspective. Tim, involved in the e-commerce platform of Microsoft shared with the participants a notion of commerce identity, that would encompass our usual personal information, but also our friend, our relatives, our payment means, our interactions, our reputation. The idea suggested here was to build one identity, based on the principle of aggregating our identities and make it available to services providers via APIs. The direct consumers of this meta-identity could be banks, merchants, but also anti fraud banking system,  government, locally or international. Obviously the question of user control and privacy was raised. And this is where Louise made a great speech about the way identity, privacy, anonymity, traceability were major topics that companies, citizen and regulation should take care of. The rationale for this special care was the coming explosion of peer to peer financial transaction enabled by the web. This use case would multiply the needs to protect peers, regulates fraud and balance privacy aspects.

Identity, who should manage it ? Several participants gave a view on that notion of handling identity. Natasha Rooney, from GSMA mentioned in her  contribution that they had a program named GSMA Mobile Connect, which would allow service providers to use mobile network operators users database and trust the identify of those users. This offer completed with a strategy of direct billing on subscribers bills would position them as ideal identity providers in mobile commerce. Another view, Ripple Labs, the ones maintaining Ripple Network, mentioned that identity should be managed in a decentralized way. What does it mean ? Ripple Network is a network payment solution, which relies on a network of Ripple Gateways. Those gateways are disseminated all around the world, and this is where each user willing to transfer money should register, providing with email and banking details. Choosing a gateway suiting his constraints in terms of currency, transaction operation … Each Ripple Gateway implements the Ripple Transaction Protocol which allows to transfer money from any currency from one user to another, provided that this one owns a Ripple Wallet. In that case, identity is managed by registering to Gateways. The case of Facebook and Google managing the user’s identity was not directly discussed but raised on a regular basis. One could conclude that several identity provider profiles could be defined, from traditional kinda official (MNO) to decentralized email based (Ripple network).

Identity, how to convey it ? Lets say you are an identity provider. You need to offer services to consume your user’s identity to service providers. The next questions you would have to answer would be : which protocol should support exchange of identity related information? which piece of the identity should be shared ? how to make sure that the user agrees with sharing his identity ? Most of the presenters mentioned the recently published Open ID Connect as the technology that makes the job. First, it relies on the recent version of OAuth, an authorization protocol that Hannes Tschofenif, co-chair or IETF OAuth WG exposed to the audience. Hannes concluded saying that OAuth was a good enabler for identity scheme, provided that security recommendations were implemented and that proprietary plug-in were not killing the interoperable nature of it. Second, Open ID Connect includes an flexible authentication mechanism (how do you make sure the user authorizing access is the right user). Stefan from Ripple Labs confirmed, adding that Ripple Network was using it, allowing a good granularity in rights and flexibility in user authentication. Ripple made password and game with cryptography, but one could imagine to have the FIDO Alliance UAF technology used for such authentication.

Payment, identity and security, what promise ? About the actual enablers for security in web payment, we heard several voices promoting different types of perspectives. On the device side, Giri from Qualcom said that mobile payment security scheme could get benefit of user’s contextual information, combined with trusted enablers, listing technologies the web payment could benefit from : geolocalization, multiple factor authentication, hardware token and fingerprinting. On the protocol side, Hannes recalled the audience that state of the art in security as promoted in IETF should be implemented to avoid failure. There was a consensus on the fact that cryptography was a great enablers of trust and security (trusting someone could be translated as sharing a cryptography secret with him). This is what Harry Halpin from W3C promoted the recent Web Crypto API (that my readers all know went to Last Call last week). This API will allow developers to manage and use keys in their web applications. Last but not least, Gregory from Lyra Network among other good feedbacks for promoting a decentralized web traffic to increase trust, reminded that users were to be educated in order to have a better control on their identity data and data in general. He also highlighted the idea of building identity of users on multiple devices, including the ones belonging to the wearable IoT wave, feeding the *what you have* factor to authenticate users.

This session did not bring any direct conclusion on the complex problem of identity, security and privacy, but drove the audience on different perspectives. The excellent minutes and presentations from that session are available on http://www.w3.org/2013/10/payments/minutes/2014-03-25-s6/ . All the web community is now waiting for the W3C report on that workshop, which will sum up and prioritize the possible actions that could happen in W3C.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s