From American Banker by Penny Crosman - 'AT&T's Bid to Intertwine Its Services with Mobile Banking Apps': AT&T would like to partner with banks on their mobile banking apps, providing a range of hosted services from call recording to videoconferencing to geolocation services to mobile identity verification.The telecom launched its first product in this vein, a mobile identity toolkit, in late December. In a way, it is following the footsteps of Verizon, which debuted a mobile identity offering in October. But the technology and approach the two companies are taking are somewhat different. Continued.
Trish's Comment: From my perspective, this last sentence is an understatement. The technology and approach the two companies are taking are not 'somewhat different', they are very different! At the risk of oversimplifying, I would characterize the two approaches in the following way:AT&T wants to enable others - be it banks, retailers or other companies - to build more robust and secure authentication and identity systems by letting these third-parties access some of its services via APIs. Basically, AT&T allows other companies to build 'hooks' into its network to access key capabilities - such as communications, videoconferencing, location services and account information - to better authenticate and identify their users.This approach is perfectly inline with the vision that Laura Merling, vice president of Ecosystem Development and Platform Solutions, articulated at the 2013 API Strategy & Practice Conference in San Francisco, around transforming AT&T into a platform company. The company wants to provide end-to-end services by taking all underlying services into software and making them available at a broader scale.Verizon is building its own authentication and identity service, called Verizon Universal ID, that will be used by entities across the internet and other public and private online / remote services. This means that Verizon would be an identity provider and therefore responsible for authenticating a user, and I imagine also liable in case of error or breach. The company would use the device ID (the knowledge that a particular smartphone or tablet is registered to a certain user) as the basic building block to verify a user, but it could also use other information such as geo-location or biometrics. The idea is to provide strong authentication without the use of passwords, or at the very least, minimizing the role that passwords play in the process.In the words of Tracy Hulver, chief identity strategist at Verizon Enterprise Solutions, 'We want to be the world's largest identity provider [...] We want to credential as much of the world's population as we can. That information associated with you needs to stay with you at all times.'
In all fairness, both companies provide APIs and developer tools for their developer communities, and they both understand the potential revenue stream that may come from providing mobile network services to third parties. Having said this, it is clear that the companies have different priorities, since as a whole, the number and diversity of APIs provided by AT&T is much greater than that provided by Verizon; not to mention AT&T Mobile Identity Toolkit API, which does not have a similar counterpart within Verizon's API set.This difference in focus is also reflected in the way in which each company is taking part in the activities of the Federal National Strategy for Trusted Identities in Cyberspace (NSTIC) program.AT&T is part of effort lead by the American Association of Motor Vehicle Administrators (AAMVA) to implement the Cross Sector Digital Identity Initiative (CSDII) to produce a secure online identity ecosystem that will enhance privacy and reduce the risk of fraud. A central goal of the project is to explore the integration of government-issued driver license verification information with other types of commercial identity verification techniques, including those that can be provided through AT&T Mobile Identity Tookit.In the words of Geoff Slagle, director of identity management at AAMVA, 'One aspect of the program will involve how government verification data can be exchanged or coordinated with commercial identity verification and, in turn, how that relates to online identity systems.' Verizon joined a project lead by Criterion Systems and focused on simplifying online identity verification and increasing online trust. In a nutshell, the idea is for users to log in across the internet by using a single, or a few, identity providers (government agency, bank, social network, or telecom) with whom they have an established online relationship. This identity provider should be able to use 'trust elevation' tactics at a large scale. This means combining a user name and password with additional information to achieve multi-factor authentication. Of course, the identity provider could be a government agency, a bank, a social network, or of course, a telecom provider such as Verizon.It is also important to remember that Verizon is the only Open Identity Exchange member that has been certified by the U.S. ICAM Trust Framework as a Level of Assurance (LOA) 1, 2 and non-crypto 3 Certified Identity Provider. Other LOA 1 Certified Providers are Yamagata University, Google, Equifax, PayPal, VerSign and Wave Systems.
In my opinion both approaches are complementary and should be pursued by both telcos simultaneously (notwithstanding resource constraints):There are many companies that can provide authentication and identity services - including mobile operating systems such as Android and iOS, banks and maybe even major online retailers such as Amazon. In fact, for regulatory and legal reasons, some of these companies, such as banks, will be heavily inclined to retain authentication of its users, which they can also offer as a service to other entities (as they are already doing in Canada with SecureKey Concierge). Providing these companies with additional tools will benefit the consumers, the ecosystem and the telcos' bottom-line.At the same time, why would a telco not take advantage of its capabilities, and use the tools offered by other companies, to provide those services itself? It will be up against some stiff competition, but everything is still up for grabs.
Fun Fact: According to the 2012 Online Registration and Password study, conducted by Harris Interactive, 38% of people would rather fold laundry and scrub toilets than come up with new passwords. So let's move forward to a world without passwords and cleaner toilets!
Trish's Comment: From my perspective, this last sentence is an understatement. The technology and approach the two companies are taking are not 'somewhat different', they are very different! At the risk of oversimplifying, I would characterize the two approaches in the following way:AT&T wants to enable others - be it banks, retailers or other companies - to build more robust and secure authentication and identity systems by letting these third-parties access some of its services via APIs. Basically, AT&T allows other companies to build 'hooks' into its network to access key capabilities - such as communications, videoconferencing, location services and account information - to better authenticate and identify their users.This approach is perfectly inline with the vision that Laura Merling, vice president of Ecosystem Development and Platform Solutions, articulated at the 2013 API Strategy & Practice Conference in San Francisco, around transforming AT&T into a platform company. The company wants to provide end-to-end services by taking all underlying services into software and making them available at a broader scale.Verizon is building its own authentication and identity service, called Verizon Universal ID, that will be used by entities across the internet and other public and private online / remote services. This means that Verizon would be an identity provider and therefore responsible for authenticating a user, and I imagine also liable in case of error or breach. The company would use the device ID (the knowledge that a particular smartphone or tablet is registered to a certain user) as the basic building block to verify a user, but it could also use other information such as geo-location or biometrics. The idea is to provide strong authentication without the use of passwords, or at the very least, minimizing the role that passwords play in the process.In the words of Tracy Hulver, chief identity strategist at Verizon Enterprise Solutions, 'We want to be the world's largest identity provider [...] We want to credential as much of the world's population as we can. That information associated with you needs to stay with you at all times.'
In all fairness, both companies provide APIs and developer tools for their developer communities, and they both understand the potential revenue stream that may come from providing mobile network services to third parties. Having said this, it is clear that the companies have different priorities, since as a whole, the number and diversity of APIs provided by AT&T is much greater than that provided by Verizon; not to mention AT&T Mobile Identity Toolkit API, which does not have a similar counterpart within Verizon's API set.This difference in focus is also reflected in the way in which each company is taking part in the activities of the Federal National Strategy for Trusted Identities in Cyberspace (NSTIC) program.AT&T is part of effort lead by the American Association of Motor Vehicle Administrators (AAMVA) to implement the Cross Sector Digital Identity Initiative (CSDII) to produce a secure online identity ecosystem that will enhance privacy and reduce the risk of fraud. A central goal of the project is to explore the integration of government-issued driver license verification information with other types of commercial identity verification techniques, including those that can be provided through AT&T Mobile Identity Tookit.In the words of Geoff Slagle, director of identity management at AAMVA, 'One aspect of the program will involve how government verification data can be exchanged or coordinated with commercial identity verification and, in turn, how that relates to online identity systems.' Verizon joined a project lead by Criterion Systems and focused on simplifying online identity verification and increasing online trust. In a nutshell, the idea is for users to log in across the internet by using a single, or a few, identity providers (government agency, bank, social network, or telecom) with whom they have an established online relationship. This identity provider should be able to use 'trust elevation' tactics at a large scale. This means combining a user name and password with additional information to achieve multi-factor authentication. Of course, the identity provider could be a government agency, a bank, a social network, or of course, a telecom provider such as Verizon.It is also important to remember that Verizon is the only Open Identity Exchange member that has been certified by the U.S. ICAM Trust Framework as a Level of Assurance (LOA) 1, 2 and non-crypto 3 Certified Identity Provider. Other LOA 1 Certified Providers are Yamagata University, Google, Equifax, PayPal, VerSign and Wave Systems.
In my opinion both approaches are complementary and should be pursued by both telcos simultaneously (notwithstanding resource constraints):There are many companies that can provide authentication and identity services - including mobile operating systems such as Android and iOS, banks and maybe even major online retailers such as Amazon. In fact, for regulatory and legal reasons, some of these companies, such as banks, will be heavily inclined to retain authentication of its users, which they can also offer as a service to other entities (as they are already doing in Canada with SecureKey Concierge). Providing these companies with additional tools will benefit the consumers, the ecosystem and the telcos' bottom-line.At the same time, why would a telco not take advantage of its capabilities, and use the tools offered by other companies, to provide those services itself? It will be up against some stiff competition, but everything is still up for grabs.
Fun Fact: According to the 2012 Online Registration and Password study, conducted by Harris Interactive, 38% of people would rather fold laundry and scrub toilets than come up with new passwords. So let's move forward to a world without passwords and cleaner toilets!