The Canadian government is working with financial services companies to enable consumers to use bank-issued credentials and payment cards for access to government services, negating the need for special purpose IDs and passwords that are infrequently used and thus difficult to remember.
Toronto-based SecureKey Technologies was hired by the Canadian government to launch the credential broker service. The broker service is designed to protect consumer privacy, says Andre Boysen, executive vice president of Digital Identity and Authentication Services at SecureKey. Canada is looking for an easier way to give citizens a choice about how they access services online, he explains.
“When a consumer uses the service, the government does not get any information about the bank that you’re coming from or your account details,” Boysen says. “Nor does the government give any information to the bank about what government program you’re accessing or for what purpose.” SecureKey sits in the middle and doesn’t know anything about the user’s identity.
“Consumers don’t deal with the government that often, so when you get a special purpose government account you’ve often forgotten the user ID and password since the last time you used it,” he explains. “So it gets more expensive and more challenging for the government to serve you. The idea is to take advantage of a credential that you have already rather than having a special purpose one just for government.”
Alison Brooks, research director with IDC Government Insights in Canada, says the brokerage service is a great idea. “Governments are always looking for easy ways that are proven and secure and the banks are very vested in making sure that their transactions are secure,” she says. “This is one of the things that actually keeps government awake at night.”
How it works
Consumers will be able to visit a government department online and go through the credential broker service for authentication. SecureKey is launching with three of the largest banks in Canada–BMO Financial Group, TD Bank Group and Scotiabank–and plans to add more in the future.
Canadian citizens have a choice of whether or not to use the system. When they visit a government site they can choose to create a new login that is unique for the government application or use their banking information. If they choose the latter they are directed back to the bank site, asked to log in and provide required identification information. Once verified, they are able to use the user name and password from their bank for access to the government site.
When a user authenticates with their bank, the bank will give SecureKey a non-identifying security token. SecureKey then substitutes the token with a new non-identifying but unique token for the Government of Canada that says the user has been authenticated.
The credential broker service (CBS) is ‘triple-blind’, so no party to the transaction knows who has provided precisely what, thus ensuring the user’s privacy. SecureKey is simply a broker of anonymous credentials. The Government is responsible for ensuring that it is you accessing your information. The bank is responsible for providing a valid security “token” that only you have so that you connect to Government services more securely.
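The token substitution described above can be sketched as follows. This is an added example, not SecureKey's code or protocol: the HMAC-based token derivation, the class names, and the sample values ("bank-a", "acct-1001", "record-77") are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def prf(key: bytes, *parts: str) -> str:
    """Keyed one-way mapping; parts are length-prefixed so they cannot run together."""
    msg = b"".join(len(p.encode()).to_bytes(2, "big") + p.encode() for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Bank:
    def __init__(self, name: str):
        self.name, self._key = name, secrets.token_bytes(32)

    def authenticate(self, account_id: str) -> str:
        # Called after the bank's own login succeeds. The token carries no
        # account details, and the bank is never told which program is involved.
        return prf(self._key, "bank-token", account_id)


class Broker:
    def __init__(self):
        self._key = secrets.token_bytes(32)

    def substitute(self, bank_name: str, bank_token: str) -> str:
        # The bank name keeps two banks' tokens apart, but the keyed hash
        # hides it: the government sees only a stable, unique value.
        return prf(self._key, "gov-token", bank_name, bank_token)


class GovernmentService:
    def __init__(self):
        self._records = {}  # government token -> record bound at enrolment

    def login(self, gov_token: str, enrol_as: Optional[str] = None) -> Optional[str]:
        if gov_token not in self._records and enrol_as is not None:
            self._records[gov_token] = enrol_as  # government verifies identity itself
        return self._records.get(gov_token)


def run_demo() -> dict:
    # Constructed scenario: one user, two banks, one government service.
    bank_a, bank_b, broker, gov = Bank("bank-a"), Bank("bank-b"), Broker(), GovernmentService()
    first = broker.substitute(bank_a.name, bank_a.authenticate("acct-1001"))
    again = broker.substitute(bank_a.name, bank_a.authenticate("acct-1001"))
    other = broker.substitute(bank_b.name, bank_b.authenticate("acct-1001"))
    enrolled = gov.login(first, enrol_as="record-77")
    return {"first": first, "again": again, "other": other, "enrolled": enrolled,
            "returning": gov.login(again), "unknown": gov.login(other)}
```

In this sketch the government token is stable across logins, so a returning user reaches the same record, while a credential from a different bank produces an unrelated token that the government cannot link to the first.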
Boysen says they’ll start with things consumers already have–a user ID and password. But other more secure options are also available including contactless payment cards and contact EMV cards. One of the bank partners issues contactless smart cards in the market. “We’ll use our SecureKey reader so that users will be able to tap a credit card in addition to a password and get access that way,” says Boysen.
The contactless reader houses a secure chip and looks like a USB flash drive. “Tap the credit card on our reader and we’re able to get a message from the card which we authenticate with the bank,” says Boysen. “Then the consumer will enter their online ID and password … we return them to the government service and the user is authenticated.”
Privacy is paramount
For the brokerage service to be successful, users must be convinced that their information is private and safe. Boysen says the interest of the banks is to serve customers and not be invasive. He says users should find comfort knowing that any authentication solution relating to consumer information must get the approval of the Privacy Commissioner of Canada.
“For anybody who is skittish or worried that this is a bad idea, the Government of Canada will provide an alternative,” says Boysen. “If you want to have a special purpose Government of Canada account, you can do that. But for those people that believe that this is actually being done for their convenience and it is being done in the right way with the oversight of the Privacy Commissioner, they have a more convenient way to get access to services online.”
The service is part of Canada’s Cyber Authentication Renewal initiative. Boysen thinks it could also be a solution for the U.S. National Strategy for Trusted Identities in Cyberspace (NSTIC). “There’s no reason that this model couldn’t work there,” said Boysen. “The federal government can rely on the authentication results, and the banks get identity credentials that they need so badly to help provide better service online and thwart identity theft.”
In the end, the goal is to provide an efficient, effective mechanism for consumers to safely identify themselves online. “We’re trying to work with the most trusted players in the economy,” Boysen explains, citing governments, banks and eventually telecom companies.
Brooks agrees, adding that the Internet is crying out for this kind of solution. “Government organizations are getting a bit desperate to find services and solutions that don’t reinvent the wheel, that they can just pick up and run … and that are proven,” she says.
SecureKey expects the credential broker service to go live by mid-2012. It will be available for all Government of Canada departments and agencies. The service is free for Canadians with the cost being borne by the government.