| subject: | URU Authentication Service |
URU joins authentication service fray

13:10 Monday 10th March 2003
Peter Judge

The URU Web service will identify individuals online without invading
their privacy - and says it can alert people to attempted identity theft

A service is being developed that will help businesses check the identity
of people they are dealing with -- without increasing the number of
places where personal data is stored.

Unlike Microsoft's Passport and the Sun-led Liberty Alliance Project,
where users create an online identity by providing personal details to
the service, which then authenticates them, the new service, called URU,
uses information already existing to verify an individual's identity.

Banks or other businesses' Web sites will be able to check personal
data provided by users against databases held by utility companies and
other organisations to which the URU service has access. URU itself
never holds the databases, and neither do the banks or other
companies requesting verification. URU will be available as a Web
service, says BT -- one of the backers -- so it can easily be built
into e-commerce systems.

URU is an extension of very widely used software from GB Group, which
identifies people based on their postal code. This is in many call
centres in the UK. "When call centre staff ask, 'what is your postcode
and house number?' and then come back with your full name, they are
using our software," said Richard Law, chief executive of GB Group.

Thus far, GB has been using public data, such as the electoral register
and the directory enquiries database, and making the application
available on a CD. The next step is to bring in private data, and make
it available online. "This can avoid the need for users to send proof of
identity through the post, or to visit a branch in person," said Law.
"In ten years' time, 90 percent of identity checks will be done in this
manner."

The service will use data such as the electricity meter number (MPAN
or meter point asset number), a unique private number held by the
electricity company and quoted on electricity bills. "A user can
forge an electricity bill to show they are at a given address, but
cannot forge the MPAN," said Law.

The service is carefully built to avoid problems with the Data
Protection Act, which prevents companies sharing personal data without
permission, said Law. All personal data is kept by the organisations
that own it, and only passed to a URU customer one item at a time.
The URU service asks the user for a detail, and then asks the database
owner to verify it. This happens one item at a time to authenticate one
specific person. When a user enters a detail such as their electricity
meter number on a Web form, they will be seen to have given permission
for the electricity company to release that information for checking,
explained Law.

Law expects the service to be widely used by banks and government.
"URU is poised to be the natural ID verification scheme," said Mike
Stone, general manager of BT's Stepchange initiative, which is
promoting Web services within government. "URU will join up
government services."

The service is already available for trial, and will be launched formally
later this year. Although not a 100 percent authentication scheme,
Stone and Law believe it can be made to approach complete verification,
by increasing the number of databases it has access to.

The service will be based on a standard interface to fit in easily
with online customer relationship management (CRM) systems. It will
be hosted in a service managed by BT, known as the Web Services
Deployment Environment, and available in BT's Web services
component library.

The system will allow a range of confidence, depending on the number
of databases accessed, said Law. A "low-confidence" version is already
in use on trams in Manchester, Newcastle and Croydon, to give a basic
check on the addresses given by fare dodgers. Correlating the name
and address they give increases the chances of collecting the fine
from them.

Responding to queries about how far users can trust the system, Law
detailed an aspect that should increase user confidence. "Users will be
able to register with URU, and ask it to send them email notification
every time someone uses the service in their name. Users will get an
instant warning of attempted identity fraud -- something that otherwise
could take up to two years to emerge."

One detail of the service may be disappointing to readers expecting a
contrived acronym of the kind the IT industry specialises in. The letters
"URU" do not stand for anything. The name is a text-message style way
of saying "You are you", explained Law.

-==-
Source: ZDNet UK - http://news.zdnet.co.uk/story/0,,t269-s2131644,00.html
Cheers, Steve..
---
* Origin: < Adelaide, South Oz. (08) 8351-7637 (3:800/432)