With the adoption of EMV bank cards by the US, a global identity system with strong authN is possible, using the payment card network to handle the identity transactions.
2. EMV Smart Chip Banking Cards Are Coming to the U.S.
● Visa has created financial incentives that should drive issuers to issue EMV bank cards and merchants to accept them, by 2015
● The U.S. has been the last holdout in worldwide EMV bank card deployment
● These cards will support NFC
● This event offers new possibilities in identity
● The banks could offer a global, strong identity system, with fees proportionate to the risk
● I want to know what you think!
○ Feasibility?
○ Risks?
○ Desirability?
3. Why are chips so important?
● Software is only good for low-value transactions, due to malware
● You need hardware crypto with a dedicated display and user input that can't be corrupted by software
8. Why do EMV bank cards change the world of identity?
Several factors make EMV bank cards so important:
● Eventually every Internet user in the world will have one or more.
● They are very secure.
● They work well with personal computers, mobile devices, and even physical lock systems.
● The global banking payment network can easily authenticate them and collect fees based on the value of the authentication.
10. How would EMV bank cards work for identity?
● The global bank card network adds a new identity transaction to the payment network (ISO 8583, ISO 20022)
● The fee for the transaction is scaled, based on the risk associated with using the authentication (e.g., ordinary login, $0.001; $50,000 purchase, $5.00)
● Relying parties use their existing interface to the payment network
● Readers are added to PCs and mobile devices (and door locks)
11. What’s so special about EMV?
Ubiquity!
● 20 years: security & deployment
● Hundreds of millions of EMV bank cards have been issued.
● Largest public key infrastructure that has ever been deployed
● EMV transactions are routed over the standard global payment card network, so EMV bank cards can be issued and used anywhere.
● A business model for exchanging cash for value
12. Alternatives?
● Specialized smart cards: DoD CAC card, Hong Kong national ID card
● SIMs used in GSM mobile phones (AT&T, T-Mobile, European telcos)
● SD cards: memory + crypto
● TPM (Trusted Platform Module): widely deployed in Dells and others
None of them have all the key attributes:
● Global
● Secure key distribution framework
● Monetization of risk to incent secure behavior among stakeholders
13. What about fraud?
● There is risk of fraud in any transaction - goal: drive it small enough to include in transaction fees
● EMV has been hacked to bits. See the most recent Cambridge one on the Links page - amazing. But it gets addressed, which is what makes EMV so strong.
14. What needs to happen?
1. The rest of the PCI needs to follow Visa
2. The PCI networks need to add an authentication transaction into the transaction set
3. Standard reader implementation, UX, and protocol need to be defined
4. Issuers need to offer these authN services; relying parties need to use them
5. "EMV in a phone" needs to be defined, to replace bank cards