2021-11-03 Meeting notes

Date

Attendees

Regrets

Goals

  • Discuss draft of document outlining thoughts for FIRE WG future direction

Discussion items


Meeting convened at 1pm EDT

Time | Item | Who | Notes
60 min | Discuss direction for FIRE-WG | |

draft under discussion

Noreen draft for input  FIREWG Nov 2.doc: https://1drv.ms/w/s!Amw09CA5GCgjiFm-rVAV1mdvTjUo

 

Design an interoperable, user centric, standards based mobile and distributed trust framework

First, must develop for end-users a core educational and user-centered[NW1] program that will encourage adoption while understanding risk and the importance of building trust, managing privacy and practicing good security.

 
Starting point - The internet's perimeter is where trust is developed

Core attributes: Trust and Security used to manage risk

Requires: Education, Understanding, learning about policies

Tools to build Trust: Identity Validation and Authentication

Identity proofing and biometrics

Internet connectivity: smartphone, devices and apps

Tools enable:

Access controls for governments, corporations; Friends[NW2][NW3][NW4], family, caregivers, guardians and you

        • Privacy- user managed access
        • Reputation - relationship management
        • Content-Data Management: controlled and
        • Sectors: Education, Transportation, Financial, Healthcare, Retail, Online, Social and others
        • Audit trails

Distributed Trust Platform and Registers:  Relying Parties

      • To be developed later

 

Brainstorm platforms

  • mDL
  • EHR
  • Passport
  • Insurance card (medical, pharmacy)
  • Medicaid/Medicare
  • Credit Cards
  • Loyalty Card programs (retail, Disney bracelet, cruise cash, hotels, Campus One Card)
  • SIM card on mobile device
  • Local eID (eg, NYCID)

What other technology might hold/validate identity?

  • Thumbdrive YubiKey
  • Digital Wallet
  • Library Card
  • Fishing license
  • Gun license
  • Personal assistants (Alexa, Siri, etc)

 [NW1]User-friendly typically means usable. I think we are suggesting “user-centered” which means focused on the benefits to users.

 [NW2]How so for friends? What control are we suggesting for friends? Or is it to identify someone as a friend using social media type attributes?

 [NW3]We might also need a group for work colleagues. I often use shared accounts for work and community organizations where we get tripped up by 2FA because I need to wait for someone to get a notification on their phone and send me a code.

 [NW4]Might put You, the user, first followed by the others in some prioritized order: legal relationships (spouse, family, guardian, caregiver, partner, etc) colleagues, friends.


Meeting Notes/Discussion:


Red Cross was experimenting with identity cards for emergency and refugee scenarios

  • Need a way to have both physical and non-physical card
  • Risk of trading physical credential
  • Nordic puts factor into drive, type password, YubiKey with fingerprint reader (now biometric, used to be just touch)

Expense: 

  • Catherine says they give them away at trade shows ($12-15)
  • Chip shortage could be an issue

User-centric platform:

  • User should be able to use any platform/device for identity, not just one.
  • Catherine has a door smart lock device that has dozens of ways to prove you are the owner.
  • Often has five different ways to use a device or access a platform.
    • Combine biometric, physical key, code, bluetooth

How do we educate?

  • Start from a position of power: This gives you agency, not this is scary.
  • Jim: Noreen suggested separating technical description from personal story.
  • Catherine: use images. Story about Finland eID was very personal, storytelling
    • Catherine: it’s yours, it can’t be hacked
    • This is how it is today but how can you use a platform everywhere (not just at a local store or a university card)
    • How can we expand this beyond regional

Research solutions/platforms for verifying identity

  • Catherine: devices in Finland all conform to an ISO standard (equal to an LOA3 design). See email below for full description. Catherine will see if she can find the recording.

Agreement across team

  • Catherine offered to write the user journey, how to use digital id to perform different transactions and platforms, scripted
  • Someone could wireframe or PPT something that reflects the User story
  • Everyone contributes to the script and then the group will critique

Layers:

  • Security level
  • Form of transaction (bio, physical, code)
  • ID Provider networks 
    • consolidated identity via companies that provide the technology to banks
    • Possible entry to getting business buy-in: give your customers choice

Catherine: Use of ID not predicated on continued use of the ID (expired mDL, hunting license, insurance, etc)

  • Data proof: should survive beyond primary use
    • Attributes: of identity
    • Authorization: should be separate from identities and attributes
  • Data currency: can be required to be updated/renewed by primary issuer (part of TOS)

Tom: revocation issue

  • What does revocation (of a driver's license for example) mean if it is used as an identity?
  • Can the card be used for identity or converted to a regular ID?
    • Send a new one
  • Solution: State ID that has authorization attached. Some states do this already.


External discussion via email:

---------- Forwarded message ---------

From: Former user (Deleted) 

Date: Tue, Nov 2, 2021 at 12:58 PM

Subject: Re: FIRE WG meeting tomorrow at 1 PM ET

The only issue with a Medicaid card is that people go on and off Medicaid as their financial or disability situation changes.  

Not sure if that would impact the digital identity use case

Even if you are no longer getting Medicaid benefits does your e-card still work for ID proofing reasons?


Kind of like having an expired DL.  It may still work as a means of identity verification in some situations




On Nov 2, 2021, at 12:50 PM,  Tom Jones wrote:


I agree that the health care case is a good one. Perhaps for North America a mDL would be the means.


The PEMC (privacy enhanced mobile cred) in Kantara is working on use cases as well. We could start with a use case that we could present to them.


Another use case would be a state issued Medicaid card.


..tom



On Tue, Nov 2, 2021 at 9:42 AM Former user (Deleted) wrote:

Hi all - sorry I've been out of pocket for some time now.

(I'm getting ready for a new change so my ability to participate in this and other projects has opened up!)


I thought it was interesting that you mentioned the consumer experience and people not really being able to appreciate the power they have when they get the "keys to the car".

But even with that analogy, we've all seen cars on the road and we grew up with them and we know what they can do for us...


One of the best insights I've gained around digital wallet was watching a real-life, online transaction.

The individual (a citizen of Finland) went to his local police department's online website and entered in a non-emergency report (similar to what many of us may have in our community with a 3-1-1 reporting site)

He was reporting a pothole in front of his house.

Instead of typing in all of his contact info he clicked on a link that looked similar to a "Sign in with Google" button - except that it was a sign in with e-ID.

His identity had been previously proofed by his bank and now he could use the e-ID that his bank produced to identify himself on all sorts of sites.  He could also link this e-ID to credit cards, checking account, etc.


So he clicked on the "sign in with e-ID" button and now his smart phone notifies him that he needs to confirm his identity to the police station...he performs a facial ID confirmation using his smart phone and the website receives this confirmation and he's done with the identity transfer.


  • The police station knows he was the person submitting the report
  • He didn't have to type in any PII
  • And he also has an electronic audit trail that he performed this identity exchange
  • On the website he could see the PII that was exchanged and if he wanted to he could choose to remove select pieces of PII.
  • The bank - who issued his e-ID - has no knowledge of this transaction since they aren't the ones who perform the transaction...they are simply the entity that is on record as confirming his identity.

Next, he went online for a consumer shopping experience (a website similar to Staples) and purchased a set of file folders.  This website also had the same "sign in with e-ID" button and in this use case not only did he sign in but he also used the e-ID to link to his credit card details.  A notification was pushed to his mobile device, he performed a facial scan and the transaction was complete.


All the same functionality plus an ability to pay.  


I think if we could render an experience similar to this type of use case and add in a healthcare situation - we could explain the power of the digital identity.

Catherine Schulten

 



On Tuesday, November 2, 2021, 08:43:22 AM EDT, Jim Kragh wrote:


<snip>

I have asked Noreen to take the lead chair today since I will attempt to connect via cell phone.  Will have about 30 + realtors from a company invading my home today to assess its value in addition to having a photo shoot from the air, ground, pool and inside;  have been asked to vacate the property until  mid afternoon.


Have a good day,


Jim


On Tue, Nov 2, 2021 at 12:05 AM Former user (Deleted) wrote:

Jim - <snip> I looked over the attachment and would like to add the following comments when considering user adoption.  There are a significant amount of end users that either don't care, are very technology challenged, or are drowning in all the technology being thrown at them.  The idea of a perimeter, policies, or functions is completely foreign and many could care less.  Trust must be developed but in such a way that it is extremely easy to understand, simple to adopt, and functions seamlessly.  I couldn't agree more with Noreen's comment of deemphasizing technology.  Cheers.


thanks - jeff


Jeff Brennan





On Monday, November 1, 2021, 07:23:44 PM PDT, Jim Kragh wrote:



 FIRE WG Zoom Meeting Link

https://zoom.us/j/97049100495?pwd=TmRDM1FYR3krMnNXRnl6cTVndUEyZz09

Meeting ID: 970 4910 0495           Passcode: 351 971    

  FIRE WG   -   One tap mobile

+13462487799,,97049100495#,,,,*351971# US (Houston)

+16465588656,,97049100495#,,,,*351971# US (New York)  


Good Evening and sorry for the late notice and inconvenience for multiple reasons, understanding appreciated. Yes, there is a meeting tomorrow and I think you will find it interesting and be a building block for a series of meetings to follow.


Those involved in cyber technology have an understanding when we hear "the internet's perimeter is where trust must be developed".  That sounds good but how do we light a fire in a user-centered population that will encourage them to want to adopt something they can't feel, touch or enter into their cell phone; where is the value? 


Noreen and I reviewed the comments from our last meeting ref Zero Trust, Digital Wallets and creating  value and noted there is a major gap. It is like being 16 and getting keys to the car and you have little idea of its power or value.  Consumers are at the starting gate of a digital economy regarding having a basic understanding of what the 'perimeter' is,  its policies, functions and how it  affects the user and others. There is a basic market need for user education.  


During one of our sessions, Noreen commented and then we discussed the idea of what a User-Centered Program might look like, de-emphasizing technology. Let's empower end users with knowledge, tell some fun-life  stories, use graphics coupled with digital IDs, smart devices on how to build trust, privacy, security and the value (ownership) of one's identity and data. 


Let's discuss the draft outline (link attached)  as an initial framework and we, as a WG can, if agreed upon, give it life from that point forward.


May all have a restful evening,


Jim






Meeting adjourned at 2pm EDT

Action items