The Web Payments Interest Group is seeking to reduce fraud for online payments. The challenges include finding ways to support use cases such as securely gaining access to your bank account from your web browser, and installing and activating payment instruments like credit cards into your digital wallet.
There was strong support at the September 2014 W3C workshop on Authentication, hardware tokens and beyond for W3C to extend the Open Web Platform to support strong authentication based upon public key pairs and second factors (e.g. a PIN, a biometric such as a fingerprint, or a hardware token, possibly a wearable like a smart watch or pendant), drawing upon work by external groups such as GlobalPlatform, the Smart Card Alliance, the FIDO Alliance, and the SIM Alliance. This would give web sites greater confidence that the user who just logged in is the same person who registered the account, by making it much harder to spoof the user’s credentials. This doesn’t address the challenge of tying web identities to real world identities, something essential to the above use cases.
One approach would be for your bank to rely on the PIN it has issued you for your bank card. This is sent to your name and address as a computer-generated paper letter that no one other than you gets to see, not even bank officials. This assumes that it is safe for you to type your debit card PIN into your device (e.g. a notebook computer, phone or tablet). The risk is that your device has been compromised by malware that collects your keystrokes. This could be mitigated by the use of trusted UI based upon trusted execution environments. An alternative would be to send you a one-time password.
Another approach is for the bank to rely on a trusted third party to vouch for your real world identity. One possibility would be a government issued credential, e.g. national identity card, passport or driving license. Another would be the SIM in your smart phone that is activated by a mobile network operator following a recognised process to verify your identity when setting up a phone contract with you.
Your bank would need confirmation of your name and address, and possibly additional attributes. The starting point is when you go online to your bank’s website to gain access to your accounts. You will need to provide some information to allow the bank to link you to your accounts. The bank could then request your browser to set up a web identity using, say, the FIDO protocols. To verify your real-world identity, the bank would need to ask you to grant access to your government or phone credentials. This could be done in a way that maximises privacy.
Brainstorming some more, we can envisage an intent-based protocol where the bank makes a request setting out which parties it accepts for proving real world identity. Your web browser then asks you for your consent, enabling you in the process to select between matching alternatives where available. The verification of your real world identity is based upon string comparison of attributes, e.g. your full name and postal address, but potentially others such as your date of birth and so forth. These could be passed by your bank as part of the request. The response could be a digitally signed certificate that the bank can validate. More generally, it could be a zero knowledge proof for simple expressions over attributes of your real world identity. I can also envisage the possibility where you can set up a new bank account online, where the bank requests the attributes of your real-world identity from the trusted third party, again subject to your explicit consent.
This process replaces the general need for pre-provisioned keys by an intent based mechanism for verifying real-world identities, along with the means for registering trusted agents with the browser. The latter isn’t critically dependent upon open standards, although the former is for it to be widely useful.
The bottom line is that W3C should consider chartering a work item on identity verification!