How To Sign Massachusetts Banking Presentation

How to industry sign banking massachusetts presentation mobile

hello my name is Randy Vanderhoff and I'm the executive director of the secure technology Alliance formerly known as the smartcard Alliance I want to let you know that today's webinar is being recorded and it will be available for playback along with the presentation deck after the webinar has concluded also we hope to have time to take questions at the end of today's webinar and so we encourage listeners to submit their questions using their user dashboard on your screen I'll return at the end of the presentation to lead the Q&A effort and I encourage you to submit your questions while the presentations are being heard rather than waiting till the very end that gives us a little bit more time to organize them and get to more questions than we would normally do so we'll start with next slide please so let me introduce the other presenters for today's webinar Tom Lockwood is representing next-gen ID and Tom is a secure technology Alliance board member and a member of the executive committee and is leading the mobile ID landscape assessment effort Tom has extensive national defense public safety and private sector experience Jeff Slagel is serves as the director for the American Association of motor vehicle administrators or Amba and his accomplished identification security standards developer having played instrumental roles in both national international standards activities for over 20 years david celts is director and architect with digital identity at id mia and he is an identity thought leader and the visionary bringing your own identity technology expert as sure as shoot my Karan is a Solutions Architect for digital identity for America's at gemalto and currently managing the digital identity program for the Americas including driver's licenses smart documents and II governance and he has over 17 years of experience in the digital security realm lastly David Cooley represents intercede and David has over 20 years of experience supporting US government technical solutions in mobility and security and currently serves as a senior solution architect for intercede with a focus on strong identity for mobile opportunities so next slide please so for those of you who are not familiar with the secure technology Alliance here's a brief overview so the secure technology Alliance is a not-for-profit multi industry Association working to stimulate the understanding adoption and widespread application of secure solutions and we provide in a collaborative member-driven environment education and information on how smart cards and embedded chip technology and related hardware and software can be adopted across all markets in the United States can we advance the next slide please so that's a pretty broad mission and on the right side of your screen you can see that the principal markets that we are focused on these activities towards includes access control authentication Healthcare Identity Management the Internet of Things mobile payments and transportation and so as a cross industry member supported organization we do the following things to educate and stimulate the market by bringing together stakeholders to effectively collaborate on promoting secure solution technology and addressing industry challenges we publish white papers webinars workshops newsletters and provide additional web content we create conferences and events that focus on these specific markets and technology we provide educational programs training and industry certifications to promote the experts in our field we provide networking opportunities for professionals to share ideas and knowledge and we produce strong industry communications through our public relations web resources and social media activities next slide so shining the spotlight more on the identity Council um it has a specific focus which it is serves as a focal point for the Alliance's identity and identity related efforts leveraging embedded chip technology and privacy and security enhancing software and it supports a spectrum of both physical and logical access use cases form factors attributes and authentication and authorization methods today's topic around mobile identity fits very well in this overall scheme of leveraging embedded chip technology for privacy and security and hansung software so on the right side you see some of the resources that have been published in recent years right by the identity Council and they include white papers on topics such as assurance levels on the Phi cam in architecture and and understanding how that's applied in the federal government identifiers and authentication the choice to protect digital identity identity management and healthcare identity management systems smart cards and privacy interoperable identity credentials for the air transport industry and smart card technology and its relation to the phyto protocol so these are some of the resources that are available we welcome you to visit those sites and review some of the other interesting materials that we've developed on the topic of identity and identity management if you turn to the next slide please so now I'd like to turn the presentation over to Tom Lockwood who's going to provide us with an overview of the problem and the value outcome that we hope to achieve so calm good afternoon everyone thank you very much for joining us today we appreciate your time and attention on this it is an important area for our community how we think about identity is rapidly changing and it's evolving its evolving from a product focus an individual document an individual stand long vertical you know market piece too much more of a horizontal we're moving from that paper and card based media approach to other venues one of those the principle among those are mobile devices so it's critical as we start moving into the world in the time of the secure technology alliance really to look at and embrace mobile devices the approach that we've taken when we look at this problem is it's the wild wild west so no one organization is going to solve the problem and our approach and walking forward onto this is how do we partner with other organizations what we believe when we're done with this is the outcome value for everyone is an enhanced user experience what we want to be able to do is in this process identify and capture some of the best practices we want to be inclusive across this across use cases across market segments but we'd like to be able to do is help stabilize and expand market direction opportunities and again part of this is to create opportunities for integrators for service providers across use cases and again improve overall interoperability and integration and again as we walk through if there's opportunities to raise awareness and recommendations for standards and open standards we would like to be able to do that next slide please so our target audience is again not only the membership that we normally deal with within something like the identity Council but across all of the various councils and other stakeholder organizations other equal partners such as Amba ibi a triple-a e and as we're reaching out to folks there's no one organization that has it all so again part of our challenge is to look at key use cases what communities to identify what their priority use cases are and create a forum that we can collaborate and discuss some key issues as we walk through again we're going to in the process try to keep a very broad overview of mobile identity credentials would like to identify areas of convergence and consistency we'd like to understand inconsistency and approach conflicts gaps again different hardware approaches or software architectures as we're walking through but again what we'd like to capture is some of the best methodologies in the end we believe we can provide educational resources and awareness like today anyone who is using a mobile excuse me a driver's license today really should you know understand the direction that ambu is going as people are looking at mobile devices if you're in the federal market again as we start thinking about derived credentials these two platforms are going to be again where we're looking for in the future possibly even for primary credentials versus mobile concept of a derived credential so again next slide our approach was inclusive we had a general call looking for collaboration with groups we were looking for community leaders and community identified use cases as we look through those some of the key use cases included physical and logical access working with the access control council we looked at the transportation use cases again those members include ten of the largest regional transportation authorities in the u.s. we partnered with triple-a e for the airport use cases the mobile identity credentials that you're going to hear from David Koli and driver's license from from the team working with anthem healthcare banking and retail and colleges and universities so those were the initial use cases that came to the top our process is going to be looking at the security elements human factors privacy technology architectural policy issues again we're trying to keep it at a very high level and then if there's continued support for additional use cases or to go out another level deeper and that will happen after this phase is done so again the goal for this call is to provide overall an assessment and overview of where we're going we would like to get your feedback in reaction to the approach if there's key issues that come up today following the presentation when you have the links and the feedback opportunities please give us your thoughts please give us your feedback again if there's thoughts on how you would like to collaborate that would be wonderful we would encourage you to do so there might be key issues that people would like to talk to some of the use case leaders themselves and we'd be happy to facilitate those discussions so with this I thank you all very much for your time and I'd like to go straight into one of the key use cases and the leader of this is ample so with this I'd like to transfer over to Jeff thank you and if you can go to the next slide please I'd like to start by expressing my gratitude to the secure technology Alliance for the opportunity to share some of the exciting progress that is being made in the area of mobile driver licenses my thanks to Randy for his steady hand on the wheel of the work that the Alliance encompasses and to my good friend and colleague Tom for the great job being done by the Council on mobile identity by way of background for those that don't know what Amba is we are a trade association that represents the Motor Vehicle authorities and state and provincial law enforcement agencies in the US and Canada we work very closely with the US federal government on a number of fronts but primarily those that relate to highway safety and secure identities we also have over a hundred associate members principally from industry and I'm pleased and proud the two of them are joining us today next slide a common question that continues to come up is what exactly is an MDL and what are the differences between MDL s and traditional physical driver licenses like traditional card type credentials MBL's convey your identity they include biographical details associated with your identity that have been vetted and come from a reliable source the MDL is a secure credential that has protection against manipulation and unauthorized changes and last and maybe most importantly the MDL provides for a significant leap in protecting the credential holders privacy by putting control over the Selective release of the information associated with the MDL next slide please Anza has organized its efforts through a joint working group made up of jurisdictional members that serve on the associations card design standard committee and their electronic identity working group they were the ones that came up with the functional requirements for the MDL these are commonly referred to as the what and then the joint working group has been working within the standards community to address the how this will be covered in greater detail by my colleagues David and Suraj the first point we typically make when talking about the MDL is to clarify that the MDL is not simply an image of a driver license or identification card while there is a visual interface for the entity depending on the MDL the mechanics of how information is being shared authenticated and leveraged all lean into tried and tested cryptographic techniques and standards the potential also exists for a bona fide biometric authentication between the holder and the MDL so that relying parties can have significantly higher confidence that the individual is in fact bound to the information that they're using another important point to make is that the initial implementation of the DLS will be done as a supplement to the physical cards and not initially as an option in lieu of we do predict that the MDL solutions will continue to evolve and while the standards help to establish a baseline for functionality the potential for innovation is wide open to the vendors and with that I'd like to turn things over to david celts from oedema if it thank you Jeff so the I wanted to if you can skip to the next slide please I wanted to Jeff mentioned innovation and I think there's innovation in the MDL itself and there's innovation they can have in the marketplace and at the point of service in order for that innovation to take part I think we have to break down and look at what Trust is and how we can how we can bring about trust in the platform and Trust in the NBL s in order to sort of spur that innovation so from each party's perspective there are different factors that are going to contribute to that trust so on the left from what we'd call a relying party side from the the party that's depending on data and user authentication of the NBL from their point of view they need it to be accurate they need to know that when I accept this driver's license I'm accepting it from the person to whom it's intended to be to be held by and they need it to be secure and really reliable hundred percent available they need this assistance to be highly available and so that they can depend on so trust there is about accuracy and being able to depend on it and ensuring that their their data about those customers doesn't leak out and is not propagated so from the good citizens point of view from the NDA holders point of view of the users point of view their primary concerns are really going to be about the protection of their privacy as I use this you know it is my privacy protected do I have the control that Jeff mentioned do I have control over my my identity when I use them and then the other factors are equally important is it accepted everywhere which is a lot of where there's standardisation comes into play and is it convenient to use which is a lot of where the innovation the providers of the technology making it convenient to use there's a lot that goes into how we use physical cards from our pockets today and we trust a lot of those things there's trust in in the the process that creates it in the cart itself we all know what we went through to get it to proofing events and Trust in the security features on the car so there's a lot that's built into the trust in the physical cards and and the ways if you can go to the next slide the ways that we can as technology providers and an ecosystem and as alliances that we can work to provide the trust is to sort of break that down into pieces and I'm looking at the sort of building blocks of how trust can be built there has to be a framework in which all of the parties in the system can can operate and that really covers the legal and compliance legislative obligations so that framework is very important to be put together then we must be accurately provisioning the MDL to the proper holder that's a really key part of this because we we know and accept the processes in the physical cards today and we must look at the accurate provisioning and we must trust those as we go forward then we need to make it really simple to integrate and accept this is part of building that accepted everywhere and rovide really diverse methods of interaction so multiple ways in which the user can use their mobile driver's license and in order to fulfill a use case and fulfill multiple use cases in these spread across lots of different contexts including in-person contexts and really all the way up Suraj will talk a little bit about some of the online contexts and of course that really key piece consumers are not going to use it unless they know that they their privacy is protected we put a very connected version of a very disconnected thing in their hands they have to be able to manage it and they have to feel their privacy is protected so I think we turn over to Suraj at this point is going to talk some about use cases and then I'll come back and talk about some of the breakdowns of trust its Raj thank you David now that we have seen what is in India let us go over some of the use cases for MDL next slide please so the traditional use cases it is given that the MDL should support the existing use cases of regular deals being digital and being electronically verifiable the current usages can be enhanced using an MDL both for the MDL holder and the verifier the traditional use cases for MDL mainly involves identification and proof of age verification some of the identity verification use cases are when you are when a law enforcement officer is requesting for a year to confirm identity and driving privileges or when you are at an airport security point the Check Point the TSA agent is requesting four year deals to confirm identity or it could even be service providers like banks and aminos where you are trying to establish a relationship and they want to see your identity and you are providing the identity document then there is proof of age verification so here this is more of when you are trying to consume age restricted products and you need to prove that you are above 18 or about 21 for instance when you are purchasing alcohol cigarettes or lottery or it could even be when you are accessing age restricted venues like casinos or clubs and you need to show that you are about to anyone by transforming the traditional deal to a digital format on a mobile device there are certain advantages towards establishing trust and data minimization rather than relying on the knowledge of security features of 400-plus deal and ID documents in safe circulation the verifiers can now play their first in digital authentication you rely established mathematical proofs rather than assertions based on physical evidence for verifies the convenience brought forward in establishing distrust is a big leap there are advantages to the credential owners s law the users are in control of their credential and they get to choose what attribute they want to share based on the transaction type with respect to privacy and determination MDL goes far beyond then what is possible with traditional deals no more sharing your home address or even date of birth to a random store owner other than put proving that you're eligible for that particular transaction let's move on to the next slide please eServices so as described in the amber functional specification being a digital credential there are many more usages that we can envision DL is an identity vetted and proved by the state authority to ensure a very high level of assurance in using them for transactions with an MDL the credentials are made available in a digital medium making it convenient for online transactions in the cyber space federal and state agencies can make use of MDL credential as an Authenticator an attribute provided for Eagleman services for instance the DMV's could utilize MDL to identify an authorized a requester before granting access to services like renewing deal or requesting drivers record service providers could use MDL to provide trusted attributes for electronic transactions for instance you're trying to change your address in a bank so instead of I mean giving the physical copy of the driver's license provide your attribute using the NDL and going beyond we could even have proof of transactions made possible using digital signatures with an MDL let's move on to the next slide please going beyond the mobile driver's license can be envisioned as a digital identity platform in an increasingly connected and digital world a digital identity platform can provide identity assurance and attribute assertions for governmental and private agencies it can evolve into a platform addressing the identity needs on the whole digital spectrum mobile devices variables connected devices mobile payment cloud services to name a few it could also be seen as a customer engagement platform bringing the government services closer and easily available to the people in need establishing the digital identity platform and continuously evolving it we could imagine a whole new ecosystem of players connected to it bringing valuable services to the right people with the right level of trust thanks to the identity assurance provided by MDL I'll hand over to David who will talk about some of the challenges of India thanks Raj so looking at the different use cases and the expanded sets of use cases that are possible with this digital connected driver's license the question that comes back to how do we sort of meet the challenges that provide trust in the platform in the ecosystem in the mobile driver's license itself so you can skip to the next slide please we live in a mobile global world and people travel consistently so the contexts in which we currently use the driver's licence it's in our pocket is pretty well-established well known as I said before and there's a lot of trust built up that and there's a lot of agreements that have been built up about the use of that and that has happened regionally as well around the world and there is a model where where the frameworks in which we use and sort of aligned together and standardization especially global standardization is something that can start to drive usage of mobile identities really across all the places where people travel today so I think as we start we'll start on regional levels and the usage will be regional as the physical cards are now but there's a there is a platform for where we can align to global usage of mobile identities we can skip to the next place so with the framework sort of established and frameworks being established for us to operate in then we get to sort of that second challenge of making sure that we provision that our identities to the right person for them to manage and emps aren't really you know they don't want to increase the burden or the authority consumers want to have to go back to the baby so they don't want to increase their in-person burden we have to do things that are more accurate than what we're doing with any with identities on the Internet today we're possession of an email address is sufficient to get yourself an identity since these are really tied to the legal person that'd have to be a lot more accurate than those we have to develop ways in which provisioning can be can be done accurately and done really sort of on demand as as mobile users its back they expect to be all download an app so developing out that accurate provisioning is and knowing that it was provisioned accurately is really critical for for establishing the baseline of Trustee users and what we're doing in that provisioning is to place a citizen manage identity into the hands of the consumers now they have to have as Jeff had said before it's Rob's the complete control over what if their data leaves the device what if their data gets used in the system what they do they share with with the relying parties that they're going to do business with and this citizen managed identity is kind of a key piece to the privacy component and protecting sort of that fifth challenge of of privacy and go ahead to the next stop it so now let's look at some of the other challenges of simplifying the integration for relying parties so now once this driver's license is on the consumers phones they have to be able to utilize it these sort of tap and go transmission use cases or the ability to tap and have the verifier system the relying party system go and request data from the user request data from the issuing authority that the user allows the release these are multiple different models that that we've looked at and in in the work that's being done in a couple of different key groups here so they I so what is known as working group ten the standard is 1801 380 no 13 we're starting to support these sort of diverse methods starting with the transmission and working to other ones but support the diverse methods in which a user can present their driver's license to a relying party and then have it be used and the standards are we're gonna make this really simple standards in the interactions standards in the data models standards in the ways that it can be used really across the globe and in lots of different contexts as well you know open source tools for easy integration or a key part of this and the ability to unlock distance usage and really perhaps even unattended usage so where the system the mobile driver's license itself can challenge the user the relying party can challenge it and user authentication that we see in the online space is used to super then unattended use cases so we'll start to expand the scope of what can be it what can happen and what can be done in an innovative fashion with these with the standards for transmission adoption lookup and user authentication and then just the user being able to share their their information as they choose as we do today with the physical card so you use cases such as signing you know applying for a mortgage these are the things that will unlock being able to use identity everywhere which unlocks you know sort of that key pillar for the users and in how they'll trust the system in addition to problems ok go ahead to the next one cool if you can go ahead to one more slide thank you so to summarize based on their requirements in the feedback received over the past few years the MDL work will continue to reflect an approach that have allows for the holder to decide how much detail they release into who privacy and security have been baked in from the very beginning and the work reflects this and its design while there have been an initial focus on the specific driver privilege the work truly provides a foundation for a much broader impact as David and Suraj have described that touches every aspect of the ongoing and emerging identity ecosystem because of the strong in person proofing that the initial issuance is predicated on with regards to MDL we believe that the MDL can deliver a value that's not seen to date compared to other more common forms of electronic identification I'd like to close if I can with a baseball metaphor maintaining a solid handle on the issuance and the management of the MDL will be critical and the absolute key to success with the MDL work will be the standards however MBL's that are not accepted outside the boundaries of the jurisdictions that issued are going to be a swing and a miss the great work that's being done by industry partners like those supporting the work that David and Suraj were referencing in ISO SC 17 WG ten that work is being teed up for what I believe to be an out of the park home run so appreciate the opportunity to visit on these things and now I'd like to shift gears to another topic derived his credentials and turn things over to David Coley great thank you so much and good afternoon everybody and thank you for joining today I'm going to be talking a little bit about derived personal identity verification credentials in other words strong identity credentials issued to mobile devices or used by federal government employees and contractors we can advance the next slide please before I spend too much time on the derived Pibb probably important to just set the stage and make sure we have a clear understanding on the personal identity verification standard itself or the original give which really serves as a foundation for the issuance and usage of derived potentials so the personal identity verification standard it's actually outlined in federal information processing standards number 201 provides a strong foundation for traditional desktop environment this standard came about really when the need arose to have standard identity proofing processes across the US government instead of the independent processes that were used different departments and agencies and so FIPS 201 really filled the role to standardize this process across government and it provided a smart card that could be used for both physical access and logical access on computing environment again it works very well for traditional desktop environments but when it comes to mobile and as we found a number of other use cases it doesn't necessarily translate all that well so from this really it became obvious a new standard was needed and that became ride him which was actually established in 2014 next slide please so the derived credential itself I mentioned new standard was necessary that standard is the special publication 800-53 a financial Institutes of Standards and Technology this standard builds significantly on fits 201 and in fact provides a framework to issues strong identity credentials for computing environments where traditional Pibb cards or smart cards do not work well notably primarily this is tablets at mobile phones but what we've come to find out over the years since 801 57 was released it also includes things like clean rooms biohazard environments and certain certain users with disabilities across government there's a number of folks who have difficulty manipulating smart cards and for those individuals a derived credential often works much better so I say derived and I've got it in quotes here and I'll touch on that a little bit because I want to make sure that it's real here what's what divides means the focus of 801 57 is very much around the issuance and lifecycle management processes it by that what I mean is it's really very much focused on leveraging the existing proofing that's already been done in order for an employee or contractor to have a pig not requiring the user to go through the same proofing all over again just to get a mobile credential but instead issue that mobile credential based off the fact somebody has a pip and then maintain the ongoing linkage between the PIP and that derived credential so it's important also the stress here there is no mathematical relationship between the pit and the derived pip credential often in cryptography you will hear people talk about derived keys that are very much mathematically related but in this case the relationship really is an administrative relationship between the underlying give on which the new derived mobile credential or derived tip is based next slide please so just want to touch really quickly on the value proposition here for for the government it should be obvious by now certainly is for me the federal government is going mobile actually federal state local all governments are really going mobile mobile but at a federal level this really includes all aspects of the government so it's civilian it's also military and it's very much the intelligence community's as well in fact they've been going mobile for more than two decades now at a high level it's probably obvious to most on the phone you know the benefits here are increased ability to carry out government mission and oftentimes reduce costs as well so doing more in support of government mission and making better use of taxpayer dollars what's also apparent and been happening here is there's been a lot of new business applications that are being deployed so historically email calendar and contacts were really the killer application if you will and then in a lot of cases they continue to be so however it's these new business driven applications line of business apps focus specifically on workforce and getting them away from their test getting them out in the field these types applications are being deployed to make much bigger impact again in support of government mission so that's the high-level value pr p for mobile when we talk about derived TIF credentials this really helps to further government desire to be more mobile and it does so in a number of ways the most obvious here is really the elimination of a smart card reader that the attachments that are used whether they're physically slid onto a phone or tablet or whether they're a wireless reader either way they tend to add cost to the deployment of a mobile solution they also severely impact really the usability you have something that adds substantial bulk or that must be kept charged and kept track of making mobile that much harder to use when you're out in the field and so a derived credential that does not require smart card reader really helps provide a great way to leverage the strongly identity proof credential of a pivot now have something that supports strong authentication document and data signing and data encryption and decryption on the phone and tablets themselves next slide please so when it comes to implementation really deployment of a derived pip solution is really driven through a drive system is a credential management system that can issue these credentials and keep track of them but specifically what it does is it it has a number of different functions to both check and ensure that the users entitled to a derived credential but then also maintain that ongoing administrative linkage traditionally when somebody is looking to get a mobile derived credential they'll actually use a kiosk or some sort of self-service portal where they'll actually insert their piff card into the system and the very first thing that the systems do is check and validate the card and it's expiration making sure that it's valid making sure it came from a legitimate certification authority and that the expiration dates on both the card and the strip it's our current and valid ulema also seek to ensure that the user is entitled to have a card to begin sorry a derived pip to begin with part of the way it does that is by requiring the user to actually show possession and control now they've shown possession by sliding the card into a reader but then it will also prompt the user to type in the pin that's associated with the card and this dos that prove control that the user in fact is the owner of the card because they know the tin at higher assurance level this is also augmented usually with it's a biometric so the user will be asked for a fingerprint that's then compared to something either on the card or that is stored by the issuer the card issuer itself once all of this has been satisfied essentially we now know that the person who is trying to get a drive credential is entitled edy is you know has been identity proofed they already have a pip card so now the system will issue a derived pivot radenso a federal bridge certification Authority at the very least it will be issuing a derived pivot on occasion certificate for those who are familiar with PIP and neglected to say CAC cards as well or similar pivot is typically civilian CAC is the Common Access Card or equivalent ruff-ruff Lee on Department of Defense those cards have multiple certificates they have an authentication certificate a signing certificate and one or more email encryption certificates and so the the derived system will also issue at least an authentication system certificate but very likely assigning and multiple encryption certificates as well now finally after issuing those the system will link the two credentials the derived give credential it's stored on a mobile and the underlying Pibb that was used as the basis for issuance and it will monitor for updates so if the user departs the government or for whatever the reason is no longer entitled to hold a fifth card the system will automatically revoke those those mobile derived credentials as well next slide please so a couple of challenges to note here the first thing is the sips sorry the 801 57 standard has only been around since 2014 so it hasn't yet fully been I guess read and absorbed across government and have a consistent understanding and a lot of agencies that I speak to there's still some questions about really what it means to have a derive credential what the administrative linkages are what the requirements are for ongoing checking against the the original PIP card likewise when it comes to signing and encryption certificates the standard is a little bit light that the guidance that's out there focuses primarily on the derived authentication certificate and and really have limited discussion around the signing and recovered encryption certificates again leading to questions and a little bit of confusion in various parts of government however the biggest challenge ultimately is around consistent consistent usage as a CIO there's really not an easy way to just deploy once and make these credentials available to all enterprise apps the reason for this really comes down to the security design of iOS and of Android your iPhone's and your Android devices some of the security designs that were really necessary to protect information from potentially malicious applications on the phone also limits access to these credentials so as the CIO it's hard to deploy once and make them available if you're an ISD or a third party software development it means that it's difficult and really no standard way to find the PKI credentials these mobile derive credentials and even if you do have access to them then as a developer you've got a code for PKI operations yourself so you have to write the software to do encryption and decryption not necessarily something that that's in your wheelhouse and maybe would be better left left to somebody else so to really move this ecosystem forward there's really a strong need for a standard PKI services lair something that exists today on Windows devices but does not actually exist in iOS and Android next slide please you okay and so the final slide the final thing I want to leave you with is that give her this have followed it at all when it's real one was put out it was meant really to serve dual purposes one is for the federal government with the personal identity verification process for employees but also meant to serve for highest Sharon's corporate environments to use a lot of the same technique that governments use and its benefit from the work that government has done in in really standardizing identity proofing to credential issuance derived pip is really the same thing it should be seen as a model that could be used really well beyond government corporate is is a primary example for this potentially beyond as well in a corporate environment the consideration really ought to be looking at doing derive credentials where you're tying the mobile identities to the corporate identity proofing that you've already done when employees come in they provide I nines driver's licenses passports etc so you're already doing identity proofing if you deployed a derived system you then tie now any mobile identities to the underlying identity proofing that was done when an employee comes it allows for a clear path of revocation of all mobile credentials once an employee separates so the final thing that I want to just leave out there for the entire community both of those who are developing solutions as well as those who are looking to adopt stronger mobile identity solutions you've heard a lot about mobile driver's licenses today I've obviously talked about derived credentials there's a number of other use cases where there's a need to strongly proof identities for mobile credentials it would be good and I guess the question is is there a way to eliminate some of the overlap some some way to take advantage of the strong identity proofing that are being done by organizations like the DMV's that really have a business to do that but find a good way to be able to continue to use those credentials in other situations with that I will pass control back thank you great thank you David Thank You presenters if we go to the next slide please so we have time for a couple of questions and let me start with the first one for for Tom since you led this webinar off how can other people and organizations participate in this discussion about the identity landscape wonderful thank you for asking oh here we've established and take an approach of collaboration we are encouraging people to participate as we're walking through our approach has been to have very simple framing of the use case and some key issues as we walk through we're looking to compare contrast approaches understand where there's some levels of consistency some in some cases legislative or preference choices around what can be shared or what can be architected everyone is welcome please feel free to send me an email and then this way we can we can at least connect and have a discussion on how you might want to participate again I would encourage some of the committee members for example the payment council the mobile council we would very much encourage your participation and what we would love to be able to do is to foster some of the coordination between counsel and counsel on efforts back over with some of the key stakeholders like Amba and Amba's efforts to see if we can again help the success of all of the efforts to better provide an enhance user experience and stabilize and expand the marketplace and the transactions that we did so again please reach out again the council other associations we'd be would be very interested in talking and going forward in collaboration thank you great thanks Tom next question is for sure Asha how do you deal with different mobile operating system platforms and the constant change in mobile hardware for interoperability purposes thank you auntie this is where the standardization and working I mean all the different players working together will help there should be some kind of alignment towards offering a standard way of approaching the security as well as the verification of the credential that you've stored on the phone I believe that I mean the standardization is the first step and after that it will be up to the industry players to define themselves on their know-how on the digital security and the capability of delivering solutions on those platform great thank you sure this next question is open whoever can answer it [Music] our mobile drivers licences Real ID compliant and are there any examples where this has been implemented Randy this is Jeff so really the the people that are going to ultimately have to answer that particular question are the folks at a DHS that are in charge of the Real ID program and determining compliance I can tell you that Amba enjoys a very good relationship with with people there and it has been a topic of conversation my opinion is that in time there's an expectation that any state that is issuing a Real ID compliant physical card and ops to go ahead and start implementing an MDL that they would be recognized for federal ID purposes with the caveat being that DHS has to be the one to make that determination and have to also feel comfortable that the security that is built into the work that's being done with the MD LS is at a minimum at a commiserate level with what's currently done with the physical documents III can tell you from conversations that we've had inside of the larger credential issuing community made up of both authorities that issue the credentials and then the industry that support that almost universally the opinion is that we're going to be able to do things here with MD LS that we've not been able to do you know with physical cards and to really alleviate some of those pain points I think to Suraj threw out a statistic that at any given time there's like four hundred variants with a T of legitimate driver license or non-driver ID cards that are in circulation and that's just here in North America it definitely makes it a tough task for the folks that have to interact with those cards and make decisions on whether or not they're legitimate just based on that you know visual inspection so I the it's a little bit of a drawn-out answer but I think that you will see in time that you know th DHS will likely land on you know going ahead and accepting these for for their purposes but in the end they're the ones that have to be the ones to say that's okay next question for David Kohli you mentioned the need for a PKI services layer for mobile can you elaborate a bit on this and how that might work sure sure the the challenge right now as I think I mentioned was when these credentials are issued usually they're issued to sort of a system key store or they're issued to a or to an MDM key store and sort of by definition of the security environment that automatically locks down what apps on phone to see the credentials in any given location and so one solution to this really is to actually have an app that handles the creation of the private keys and the storage and really does PKI services for other apps on the device so those other apps do not have to actually have access to the private key and thus they don't have to know or code for authentication or encryption or decryption it would simply pass a message via inter-process communications from one app to this app that stores the credential and ask it to do an authentication operation a signing operation or an encryption operation and that's really making it much easier for the whole third-party ecosystem to leverage the credential but not have to figure out how to get access to the sensitive data or do those operations themselves great thank you I'll open this up as an open question whether wants to respond so with physical driver's licenses there are ways that you can verify the authenticity of the license by physical security measures what security measures are proposed for mobile driver's licenses to ensure that they are authentic sure I can start and I think Suraj knows as well I mentioned the when you're exchanging this data we have the ability in the computing systems to performs cryptographic operations that would ensure the integrity of the data and display who the signer of that data is so that you know the relying party would say oh I can see that yes this is exactly the data that was intended and then to be placed you know in the MDL for this holder and then as well I think just the option and the user so that you know that the user is the one who released that data to the relying party so I think a lot in the cryptography here and in the trusted channels to the data is important for establishing that trust yes to actor David answer and the the panelists and the people who are working on the standardization they are moving towards something that is similar to what is used in electronic passports you know signing the data using a private key that is assigned to the issuer so when a verifier all they need is a root certificate that was that can be public and public key that is embedded within the certificate to verify whether their credential is genuine and this is already established thanks to the electronic passport program which already uses this kind of mechanism so that is over you know castle on a mojito we are modeling it somehow in this in similar lines great thank you and I'm sorry that's all the time we have today for questions I want to again thank Tom Lockwood Jeff Slagel David kelp Suraj Sudha Karen and Dave Kohli for their presentation and support for this webinar the webinar was recorded and you will be receiving an email message with a link for the playback and also where you can download the presentation deck and we encourage you to share that information with your friends and colleagues so that as many people as possible have the opportunity to hear this content also you can visit the secure technology Alliance website at [Music] www.911.gov or day