Thursday, May 20, 2010

I hope mobile identity won’t fail in Finland

Later this year - maybe - a mobile identity infrastructure will be set up in Finland: operators are ready to issue certificates to users, and service providers are starting to offer the benefits of this ecosystem to end users.

This all sounds similar to the situation in Finland in the late 90s, when PKI (Public Key Infrastructure) was set up with high hopes. That system has since been documented as a failure. I hope the mobile identity project will not become yet another failed technology-driven infrastructure project in Finland, but I can see some dark clouds.

User expectations will not be met
During the last six months I’ve heard a handful of presentations about the new mobile identification system, and all have included the idea that users will love the system because they no longer must remember tens of passwords to access their accounts in numerous systems. Passwords will be replaced by “secure and easy” mobile login. Unfortunately, I’m afraid that it will not happen and users will be disappointed. The reason for my doubt is that MobileID transactions will cost service providers money, and they can’t see why they should pay operators for every single login event. Instead of replacing passwords, MobileID will be used during registration to verify the user’s identity, and after registration the user will be authenticated with a username and password, just like before. MobileID can also be used for special cases like password recovery, but a user who has hoped that passwords will no longer be required will feel fooled.

About user expectations: does somebody really think that most services will start using MobileID, and that developers in, for example, Silicon Valley are just waiting to get hands-on experience with MobileID? No, MobileID is a domestic system that will (or will not) be used by domestic solutions. Don’t expect to get rid of passwords anytime soon!

No exact information available
The system should be available next fall, but technical and economic information is not yet available. Operators cowardly refuse to say anything about the cost of joining and using the system; they only agree that using the solution will of course cost something. In Finland the price will most probably be comparable to Tupas pricing, that is, approx. 0.20€ per request.

Only for individual users with good income
In presentation slides the certificate issuing process looks nice, but that is only the case if you are a person who has signed a direct contract with the operator. If you are a business user and the contract is made by your employer, what will happen? Nobody seems to know.

What if you are using a prepaid account and don’t have an agreement with the operator? Nobody seems to know.

Future proof until...?
When the personal identification number was launched in Finland, nobody paid much attention to how it was used and stored - after all, it’s just your birthday and some additional bytes. That was the case until it was understood that the personal identification number identifies a person in almost every system and that the information can be abused.

Now with MobileID we are no longer talking about the personal identification code but about FINUID (Finnish Unique Identifier), which is “just a piece of data that identifies the user, so nothing very confidential and it can be stored in systems everywhere to identify the user” (and also mapped to personal ID). Someday the same will happen as with personal identification: the use of FINUID will be strictly governed, and hence the use of MobileID authentication will require careful reasoning and so on... So please, don’t come saying that this infrastructure manages “only” FINUIDs that are stored in multiple transaction logs during the identification process.

My humble request to MobileID providers is: please don’t create a WAP-like expectation gap between the hype and reality, publish pricing information ASAP, make the system available for business and prepaid users, and be more exact right from the beginning about allowed FINUID handling.