Monday 28 April 2008

Identity issues and modern exam techniques

The most important service that an examination body offers is to the general public: not the students themselves, but those of us who will in time use the qualified professionals. For example, if you use an accountant you don't just trust them with your financial data, you also trust them with your livelihood. We need to know that when we extend our trust to an accountant, they are adequately skilled and have been examined by a professional body to an adequate standard.

The modern examination process has come a long way from rows of desks with an invigilator sitting at the front. Examinations and the examination process itself have been upgraded.

The learner can use an on-line system to schedule when and where they would like to take an exam. The student then arrives at a comfortable examination centre and sits down in front of a computer. The exam starts when they click and is controlled by a remote computer system that provides the student with a monitored and balanced set of questions. The adjudicator’s role is to provide drinks and to make sure that the students are not using their mobiles to call friends who are googling the answers. Results are often provided immediately at the end of the test, along with a breakdown of the student’s performance.

However, this examination process has introduced a number of new problems, the most significant of which are associated with identity and can be summed up by these three questions:
  • "who is going to take the exam?"
  • "who took the exam?"
  • "who does this exam result belong to?"
Imagine Geoff decides to become an accountant. This is a possible journey that Geoff could take to achieve his qualification.


We start to answer the question "who is going to take this exam?" when Geoff shows his interest on the web site, and we also encounter our first identity problem. How do you know that the people who have signed up with us are real, unique people? Has this problem been solved before? Back in the early 1990s it was technology companies such as Microsoft who developed the tools to make examinations a more enjoyable experience. They also introduced the new way of examinations for their accreditation programmes, and so naturally it was they who first started to tackle these identity problems. Their solution was simply to create a database of people, all having user names and passwords: an identity silo. Independent from any governmental or quasi-governmental organisation, this solution is called by some Identity 1.0. To prove that Geoff is really a unique person, and that he really exists, the web site needs to link the identity it has with an identity that is offered by a trusted identity authority such as the passport or driving licence office. This is called Identity 2.0.

The next identity question, "who took the exam?", comes when he is at the examination centre and needs to relate his exam result and his physical identity to the identity that he previously registered on the website when he booked the exam. A modern solution is to use a biometric measure to relate Geoff the person to information that has been previously stored against him. Let's say we use his retina scan.


This basic biometric process is used no matter which biometric measure you choose to use. Biometric measures come in one of two categories: physiological or behavioural.

The physiological measures are
  • Face - Everyone has a face, but they are not as unique as you would think.
  • Fingerprint - These are very unique but are very easy to get round (search for fingerprint on YouTube)
  • Hand Geometry - Good all round measure to use
  • Hand Veins - Are easy to circumvent
  • Iris - Difficult to collect, but works very well
  • Retinal scan - Very, very difficult to collect, but works really well
  • Face thermograph - Very unique, but changes as people get older
  • Odour - Difficult to collect but a good measure to use
The behavioural measures are
  • Keystrokes - Very, very easy to collect
  • Signature - Not a good measure at all, forgers have been working on this for centuries
  • Voice - Not very unique
  • Gait - Easy to collect, but also easy to imitate
If a biometric is used then it must also be noted that the patterns stored against a person need to be in a database, against a user name and password. Most off-the-shelf biometric solutions actually reinforce the identity silo problems that existed before the biometric solution was put in, and often incur massive costs in the process.

Our third question, "who does this exam result belong to?", is a tricky one. We may be able to relate the result to a set of fingerprints or to a user name and password, but who really owns the exam result? Are they alive? Have they been incarcerated for fraud? Have they been awarded the Nobel prize for science? Again, an identity silo exacerbates the problem. Organisations such as OpenID and OASIS are trying to solve this issue from a technical perspective.

Things have moved on since the Microsoft Certified Engineer days and nearly everyone is a member of hundreds of identity silos. Identity silos do work well for storing your shopping list or a set of favourites, but as a solution for things that are really important - they really don't work. The century has already seen the rise of identity theft, organised large scale credit fraud and global terrorism. You also have to ask another question:
"Is owning, managing and maintaining an identity silo core to my function?"
The answer can only be no. If you want to remove barriers to membership then everything that detracts from this is just a cost that will be included in the exam fee.

There are many ways to authenticate a student: via a shared secret such as a user name and password, via a token such as a smart card, or via a biometric device. But if these authentication solutions are used to populate identity silos then you will be left dealing with all the associated problems.

The Identity 2.0 solution to this technical issue is to delegate the task of authorising users, and consequently the owning and managing of a particular identity silo, to a specialised provider. Specialist services such as on-line exam papers or multiple choice questions could be held on servers that sit behind the identity asserting authority. The exchange and interchange of identity information can be facilitated using the SAML (Security Assertion Markup Language) standard.

This architecture is about trust. The user trusts the asserting authority with their personal information; the authority will be a vendor selected for their trustworthy characteristics, such as Veritas or Microsoft. This trust is repeated by the service provider, who will have a number of services on the right hand side of the diagram. The biometric vendor has a common standard to deliver to and, importantly, the vendor can be changed if their solution is compromised without a redesign of any of the services. In fact, the examination body will be able to extend trust to its students in different manners according to the student’s status, role or geographical region. In countries that prohibit the storage of fingerprints, smart cards can be used. Students who have graduated can log in using their user name and password, but students who have not finished all their exams would need to use fingerprint identification. As new features such as OpenID and CardSpace come into the public domain, the solution can be extended in a single place: the Credential Authority (CA).
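The per-student trust rules described above can be enforced at the service that receives the assertion. The following is an added example, not code from the original post: the issuer URL, the region code `XX`, the status names and the fingerprint class URN are assumptions (SAML defines the Password and Smartcard classes, but the fingerprint URN here is hypothetical), and signature verification is assumed to have happened before this check.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
SMARTCARD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard"
FINGERPRINT = "urn:example:ac:classes:Fingerprint"  # hypothetical class, not defined by SAML
TRUSTED_ISSUER = "https://idp.example.org"  # assumed asserting authority
NO_FINGERPRINT_REGIONS = {"XX"}  # placeholder for a region that prohibits fingerprint storage


def accepted_methods(status, region):
    """Authentication methods the examination body accepts for this student."""
    strong = {SMARTCARD} if region in NO_FINGERPRINT_REGIONS else {FINGERPRINT}
    # Graduates may fall back to a password; candidates still sitting exams may not.
    return strong | {PASSWORD} if status == "graduated" else strong


def accept(assertion_xml, status, region):
    """Return (ok, subject_or_reason) for an assertion whose signature and
    validity window have ALREADY been verified; neither is checked here."""
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_ISSUER:
        return False, "untrusted issuer"
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    method = root.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
        namespaces=NS)
    if not subject:
        return False, "no subject"
    if method not in accepted_methods(status, region):
        return False, "method not accepted for this student"
    return True, subject


def sample_assertion(method, issuer=TRUSTED_ISSUER):
    """Constructed, unsigned assertion for illustration only."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'Version="2.0" ID="_constructed" IssueInstant="2008-04-28T00:00:00Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "<saml:Subject><saml:NameID>geoff</saml:NameID></saml:Subject>"
        '<saml:AuthnStatement AuthnInstant="2008-04-28T00:00:00Z"><saml:AuthnContext>'
        f"<saml:AuthnContextClassRef>{method}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
    )


if __name__ == "__main__":
    for status, region, method in [("graduated", "GB", PASSWORD),
                                   ("candidate", "GB", PASSWORD),
                                   ("candidate", "XX", SMARTCARD)]:
        print(status, region, accept(sample_assertion(method), status, region))
```

Because the policy lives in one function, adding a new credential type means changing `accepted_methods` only; the exam services behind it are untouched.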

In conclusion, an independent asserting authority allows you to change your services and how your services are accessed without affecting your customer base, which will allow you to deliver faster as you don't have to maintain your identity silo and deal with the technical complexity associated with running one.

Most important of all is that your students only have to trust you enough to provide the services that you want to offer, i.e. they don’t also have to trust you with their identity, finger prints, retina scan, voice patterns ....

If an independent assertion authority is used, then the core service that you wish to offer can be developed against it with a well known and simple user name and password or token style solution. If fraud, identity theft or impersonation then turn out to be a quantifiable problem, a biometric solution can be used without change to the previously deployed solution.

The one question not yet answered is probably the most important question, and that is:
"Is this person who says that they are certified really certified?"
I.e. can I trust Geoff with my financial data and my livelihood because the certificate on the wall in his office says so? And is that certificate a forgery? What I need is the ability to check with the examination body that Geoff really is who he says he is, and to do that the examination body must explore exchanging Geoff's profile information that it has stored against his member identity with an unidentified member of the public. A simple suggestion that may work without either Identity 2.0 or a biometric device can be achieved by the exam invigilator taking the student’s photograph during the exam and publishing the photographs on the website against the name that the student gave at the exam and the name on the qualification document.

References

Identity 2.0 Dick Hardt
CCCB How to hack a finger print reader
Biometrics wikipedia
OASIS technical council on SAML

Friday 18 April 2008

Why a high-tech, innovation-led company cannot ignore SecondLife

1, the people
SecondLife is the most popular virtual world environment. The generation Y creative minds that it attracts are coding new streaming platforms, experimenting with new code patterns and making whole new languages, and they are doing this because they enjoy it. This is the new high-tech resource pool. Your competitors will draw from this pool; ignore these people and you will lose your commercial advantage.

2, the technology
The SecondLife grid is a contender for the world's largest collaboration project. It is solving issues associated with fast data transfer, massive parallel processing and the distributed service that nearly all modern systems will face. Their open source repository allows 100,000 developers to alter a single line of code to meet these demands, and their automated build, release and QA procedures are collaborative and easy. This is how future software projects will be run. This type of collaboration is the new school: your competitors are learning how to deliver commercial projects using these tools and methodologies.

3, the business
SecondLife only came to media attention in 2006, and yet it has already become the world's 2nd largest online 3D brand. It has a higher GDP than Israel. In the future, training and education simulations will use virtual worlds; this will happen. Microsoft, Apple, IBM, Samsung, Nokia, Google, BBC, Accenture, Reuters, Gartner, CNN, Disney, AOL and Warner are all announcing 3D worlds products. Virtual worlds and serious games are going to become a part of everyday life; in fact, if you look around you will realise that they already are.

In 1977 Ken Olsen said “There is no reason for any individual to have a computer in his home”. 5 years after this I was exchanging games on C15’s with my friends, and Bill G’s MS-DOS was finding its way into every office in the world.

Today’s 11 year olds are making avatar behaviours, functioning 3D machines and architectures. With the accelerated rate at which software and hardware products can be brought to market, it can be expected that consumer facing solutions will interface with a virtual world in some way. I would expect this to happen within 5 years. The high-tech company that looks to the horizon will surf this wave and have really good fun doing it; those that don’t will just have to do what they can to jump on the wave as it crashes around them.

Note: I know that it's a misquote!

A window on the Virtual World

The latest real news from the virtual world is that Samsung have ported the SL client onto their high end mobile device, or so Richard Banks comments on his blog. This allows us to walk, talk and blog in first life and Second Life all at the same time. I guess this makes it 1.5 life or even 3rd life. However, this is not the first time that a commercial virtual world vendor has attempted to exploit the mobile device: Habbo announced this with Nokia back in November, and Microsoft (in my mind the organisation most capable of achieving this) have a work stream in their social computing research group to do a similar thing.

The consumer device and media industry's view is that this is a good thing. The media companies, virtual world companies and mobile carriers all get new, exciting ways to make money from the teen demographic. The only losers are traditional mass media companies: more time in a virtual world consuming media is less time in this one buying disks that become obsolete as you take them out of the packet.

At the Barcelona TV evolution event last year I heralded the "personification of consumer devices", where the operator would invite the consumer to interact with the device as if the device were a person. This is already happening with some online media brands but has yet to be translated to a physical-device-dependent brand. Software developments that allow small devices to perform the polygon rendering needed to make a virtual world an exciting experience will ultimately unlock the mobile device, allowing it to behave as a window onto another world, or a character that you can interact with directly.

Monday 7 April 2008

A brief explanation of a headend and why it's so important

Most cable companies have a DMC that stores all the movies, uplinks and downlinks content, and provides monitoring on input and output. In each geographical region they have a headend. The old analogue headends were quite simple affairs; now they are massive, complex installations.

The number of channels, number of concurrent VOD streams and number of internet connections that a cable network can provide is dependent on the number of multiplexers. The multiplexers live in the headend (a bit simplistic, but generally true). The Conditional Access (CA) system also lives in the headend.

The headend is the most expensive part of the network; it is often more expensive than all the boxes that it serves.

Friday 4 April 2008

Get on your virtual bike

Back in 58 Willy Higinbotham demoed “tennis for two”. What he didn’t know was that future games producers in the audience were dreaming of sadistic, gore ridden bloodfests. The games industry is the phenomenon of the late 20th century, when spotty teenagers made mega bucks from a week's work and multi million dollar companies were constructed overnight. But for those on the inside it's a different story … the games industry has another reputation: it's really more cut throat than an 18 rated splatter house sequel. Young minds are ravaged, patents are broken, code is stolen and companies are bought, sold and stripped of any decent ideas they may have had. This is because the number of people who buy games as a percentage of the population is less than 5% and the market is completely saturated; any game consumer has traditionally been fought over tooth and nail by some of the best minds of the century.

But, just as Willy had his day, so have the “young white male” focused games producers. Games have changed and so has the games industry. Why fight for the people in the 5% when you can sell to the other 95% without any competition? The Xdream fitness bike is a really good attempt to sell computer games and virtual worlds to people who are really into fitness, in the same way that Brain Training is aimed at the female market and Dizzywood is aimed at the under 10’s. Nintendo has also just announced that the price of the Wii Fit has increased by £20. This is not because of manufacturing cost, no no no … this is simply because demand is through the roof and Nintendo know that people will still buy it.

More than half of the world's population now lives in a city. Combine this with the big software vendors', governmental and games industries' interest in the home, and you get virtual worlds connected into every part of your entertainment, leisure and media consumption.

Elliott - a little more

London, United Kingdom
I am an architect with shed loads of familiarity in providing high profile consumer media, products and services. I conceive ideas, design and lead projects to create new consumer products. I love brainstorming ideas with marketing counterparts and creating future facing and innovative solutions. I have been responsible for high volume mass consumer market features where scale, reliability and the ability to quickly respond are of crucial importance.