Phone as Personal Identifier Provider

From IDESG Wiki

Revision as of 05:11, 20 August 2019 by Tomjones (talk | contribs) (→‎Benefits)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to navigation Jump to search

Full Title

Mobile Device Security: Phone as Personal Identifier Provider (PPIP)

Context

This paper is designed to be a proposal to NIST for a SP 1800-xx document in their series of Cybersecure Infrastructure papers.
It is an extension of the Kantara work to provide such a solution for US Healthcare.
The following are the 3 parts of a sp 1800 document. We propose an outline of the first part below:

SP 1800-xxA: Executive Summary (PDF)
SP 1800-xxB: Approach, Architecture, and Security Characteristics (PDF)
SP 1800-xxC: How-To Guides (PDF)

Challenge

User want to be in control of their own private information.
Accessing some material, like user health information, should be well protected from leakage.
The common approach to high assurance (IAL2 AAL2) access it to provide a trust and credentialed Identifier Provider that also performs user authentication.
All past successful attempts to get users to create and maintain high assurance have been driving by enterprise solutions like technology companies or educational institutions.
Consumers have been unwilling to accept the inconvenience of such high assurance solutions.

Solution

Put the high assurance identifier in the consumers hand, in their smart phone.
They get to have as many identifiers as the want and can select which one to use with which provider.

Benefits

The Age of Aquarius reigns.

References

Google will now let you use your Android phone as a physical security key using the phone and PC blue tooth connection.
Phone as Health Care Credential
SP 1800-21 (DRAFT) Mobile Device Security: Corporate-Owned Personally-Enabled (COPE)

Retrieved from "https://wiki.idesg.org/index.php?title=Phone_as_Personal_Identifier_Provider&oldid=13280"