Online business Toolkit

URU joins authentication service fray

Tags:
GB Group,
Identity,
Authentication,
BT

Peter Judge ZDNet.co.uk

Published: 10 Mar 2003 13:10 GMT

A service is being developed that will help businesses check the identity of people they are dealing with -- without increasing the number of places where personal data is stored.

Unlike Microsoft's Passport and the Sun-led Liberty Alliance Project, where users create an online identity by providing personal details to the service, which then authenticates them, the new service, called URU, uses information already existing to verify an individual's identity.

Banks or other businesses' Web sites will be able to check personal data provided by users against databases held by utility companies and other organisations to which the URU service has access. URU itself never holds the databases, and neither do the banks or other companies requesting verification. URU will be available as a Web service, says BT -- one of the backers -- so it can easily be built into e-commerce systems.

URU is an extension of very widely used software from GB Group, which identifies people based on their postal code. This is in many call centres in the UK. "When call centre staff ask, 'what is your postcode and house number?' and then come back with your full name, they are using our software," said Richard Law, chief executive of GB Group.

Thus far, GB has been using public data, such as the electoral register and the directory enquiries database, and making the application available on a CD. The next step is to bring in private data, and make it available online. "This can avoid the need for users to send proof of identity through the post, or to visit a branch in person," said Law. "In ten years' time, 90 percent of identity checks will be done in this manner."

The service will use data such as the electricity meter number (MPAN or meter point asset number), a unique private number held by the electricity company and quoted on electricity bills. "A user can forge an electricity bill to show they are at a given address, but cannot forge the MPAN," said Law.

The service is carefully built to avoid problems with the Data Protection Act, which prevents companies sharing personal data without permission, said Law. All personal data is kept by the organisations that own it, and only passed to a URU customer one item at a time. The URU service asks the user for a detail, and then asks the database owner to verify it. This happens one item at a time to authenticate one specific person. When a user enters a detail such as their electricity meter number on a Web form, they will be seen to have given permission for the electricity company to release that information for checking, explained Law.

Law expects the service to be widely used by banks and government. "URU is poised to be the natural ID verification scheme," said Mike Stone, general manager of BT's Stepchange initiative, which is promoting Web services within government. "URU will join up government services."

The service is already available for trial, and will be launched formally later this year. Although not a 100 percent authentication scheme, Stone and Law believe it can be made to approach complete verification, by increasing the number of databases it has access to.

The service will be based on a standard interface to fit in easily with online customer relationship management (CRM) systems. It will be hosted in a service managed by BT, known as the Web Services Deployment Environment, and available in BT's Web services component library.

The system will allow a range of confidence, depending on the number of databases accessed, said Law. A "low-confidence" version is already in use on trams in Manchester, Newcastle and Croydon, to give a basic check on the addresses given by fare dodgers. Correlating the name and address they give increases the chances of collecting the fine from them.

Responding to queries about how far users can trust the system, Law detailed an aspect that should increase user confidence. "Users will be able to register with URU, and ask it to send them email notification every time someone uses the service in their name. Users will get an instant warning of attempted identity fraud -- something that otherwise could take up to two years to emerge."

One detail of the service may be disappointing to readers expecting a contrived acronym of the kind the IT industry specialises in. The letters "URU" do not stand for anything. The name is a text-message style way of saying "You are you", explained Law.

E-commerce is transforming business around the globe. Get the latest headlines at ZDNet UK's E-commerce News Section.

Let the editors know what you think in the Mailroom.