I’ve just finished reading Jerry Fishenden’s eID – identity management in an online world paper, and whilst reading it I was thinking through various use cases and analogies related to federated identity in the real world, from the perspective of my own transient identity thoughts, and it suddenly occurred to me that we already have most of the infrastructure in place in the UK to roll out a national digital ID card.

We use them every day – chip and pin debit and credit cards.

When we make a purchase using chip and pin, we are asserting that we, as holders of the card and by providing the PIN number, are the owner of the card and are authorised to make a purchase using the funds in the associated bank account.

Given that the entire chip and pin network is effectively integrated across multiple providers, and we choose who our debit card provider is when we choose our bank, we could make the analogy that the banks are identity providers, and when we purchase something using their debit card we are asserting to the store that we are who we say we are (or rather, we are ‘authenticating’ against information stored by the bank, who then asserts that we can pay for the purchase). Yet at no time are we actually saying to the shop ‘I am Tom Gordon’. There’s no actual relationship between me and the shop – rather there is a trust relationship between me and the bank, and between the bank and the shop.

So what we have here is an example of transient identity. The supermarket knows limited information about who I am only long enough to verify that I can pay for my purchases – there’s no additional information recorded or held (unless I also have a loyalty card of course).

Sure, there’s additional information recorded against my bank account (such as ‘purchased so much worth of miscellaneous goods from that supermarket), but that information is held by the bank.

In the middle of this, the enabler – the chip and pin network – records nothing. It is purely an enabler, an identity broker. Or in terms of my transient identity model, the chip and pin service is acting as the identity provider, even though it is itself only a transient provider of my digital identity, facilitating the assertion that I can afford to pay for goods and services, and passing along my authorisation for the bank to make a payment to the supermarket for an agreed amount.

Perhaps the power here is that my bank knows who I am. I have asserted to the bank’s satisfaction that I am who I say I am, enough that I have a current account, a savings account and a credit card. By using the chip and pin system, the bank asserts that I have provided the card owner’s credentials. And some banks have even offered the ability to have your photograph stored on your debit or credit card, allowing you to provide a secondary, visual form of identitification.

This means that I can nominate my bank as being my digital identity provider, for a subset of digital identity transactions at least. Theoretically I could authorise the release of additional information as well, such as my postal address, my name, or anything else that the bank records about me.

I wonder how easy it would be to integrate the chip and pin network with other digital identity providers.

chip and pin, digital identity, identity management, identity, security, privacy, transient identity