Recent IAM reading…

I didn’t blog or even tweet much over the holidays, but I did manage to catch up on a few good posts and articles while lazing around…

  • The Quest to Replace Passwords — Extensive report on challenges with replacing password (HT@aniltj).  The table on page 11 is worth a good study for anyone interested how various password-less authentication options stack up.
  • Identity Management on a Shoestring — An excellent report on how to implement IAM in an enterprise without spending years/millions.  Uncanny resemblance to work I’ve been involved with in the past several years, i.e. customized implementations that are not constricted by the cost and complexity of COTS solutions.
  • Economic Tussles in Federated Identity Management — Another excellent paper, this time on the economic issues related to Fed ID.  Points out how successful implementations occur when IdPs, SPs and users all receive benefits.
  • OASIS Identity in the Cloud Use Cases — A list of 29 use cases that are a solid reference for future IAM projects that involve cloud services.  (HT to @RBsTweets.)
  • Gov’t of Canada SecureKey page — A summary of SecureKey and the Canadian federal organization and legislation that supports its implementation.  Would be nice to see a link to the PIA…

These should get your new year off to a good start – happy 2013 everyone!

Mike

e-Voting and Identity

In my own city, Edmonton, they have been talking up e-voting for a while now.  There was an announcement yesterday that a pilot project is being conducted to validate the process of running an online election.  (More information can be found here and here.)

First of all, I think that this is exactly the type of pilot project that governments must run to be progressive and forward-thinking.  These types of initiatives are high value, not just to validate a solution for this defined need, but for the organization’s other online initiatives.  And the proposed e-voting identification process is an interesting one…

To be frank, I don’t have e-voting very high on my personal list of municipal problems to be solved, BUT I do have a keen interest in how people are identified online.

The City’s new project has an identity proofing process for this pilot project.  It includes a unique method of collecting identity proofing documents that I haven’t seen before: citizens scan (or take a picture of) their real-world identification, then upload it to the City’s website.  Allowed documents include drivers license, passport, Canadian military cards, etc. (see sidebar).

The image of the identification document is then reviewed manually by employees in the elections department and presumably compared to lists of eligible voters. Only when the document matches up with a previously registered voter will a credential be issued to the citizen for voting purposes.

This approach is convenient to citizens, or at least those that are savvy enough to scan a document and upload it to a website (which is probably a pretty high percentage of those that will consider online voting).

But whenever I see ‘convenience’ cited as a reason to do something online, I can’t help but look for the security and privacy compromises required to make that thing convenient.  On first review (I haven’t done a deep dive s feel free to correct me!) here are a few things that might be compromised by such a process:

  • How does the process ensure that the citizen is in control of the document at the time e-voting registration takes place?  For example, the passports for a household might be stored in a filing cabinet.  Let’s say one member of the household is politically active and the rest don’t vote at all.  How difficult would it be for the one family member to round up the passports and create multiple e-voting credentials?
  • There may be a privacy issue here.  Scanned identification documents contain a payload of sensitive information.  My passport has my legal name and birthdate — two attributes that are useful for the voter vetting process.  But it also contains my passport number, my place of birth and my citizenship.  None of these attributes are needed by this process, and should not be collected and stored as part of the process. (Update: The City’s 311 service has informed me that the data will be stored in Canada and destroyed no later than December 31, 2012. Also, only authorized personnel can view the data and they are subject to confidentiality agreements.)
  • Finally, how can one be sure that the scanned identity document has not been digitally tampered with? Paper and plastic documents have physical safeguards to increase reliability.  For example, the Alberta drivers license has a hologram on it and ‘declined width text wave’ feature (and these are just two of a dozen security features).  How do these features translate to the scanned image? Assuming many of these features do not translate well, how well does the scan of the document actually prove the citizen’s identity? As a comparison, would such a scan, subsequently printed, be acceptable as ID at the polling station?

It will be interesting to see how these and other challenges of e-voting will be overcome in the coming months.

Mike

SecureKey — The Interview

Andre Boysen is an Executive Vice President at SecureKey Technologies Inc., the Toronto-based technology company that is working with Canadian governments and business on next-generation identity management solutions.  With the backing of Intel, Telus and Visa (among others) SecureKey looks to make a big splash in the world of secure payments and online identity.

SecureKey Concierge is a credential broker solution that allows government web sites to use banking credentials.  With SecureKey Concierge, government sites can take advantage of existing banking credentials in a secure and privacy-protected way.

I had the chance to interview Andre last week.

Code Technology: Tell us a bit about what SecureKey Technologies is all about.

Andre Boysen: SecureKey is in the business of making online authentication easier, that’s basically what we are trying to do.  We got started helping banks to solve ‘card not present problems’ — this type of fraud went to zero with the introduction of chip cards and PINs.  But it still is an problem on the Internet – anyone finds your credit card number and billing address basically they can start ordering stuff.  It’s hard for the banks to figure out who’s real and who’s not.

We noticed that banks were moving to contact-less chips (based on near-field communications or NFC) in order to speed up things.  With NFC for quick purchases like papers and coffee, the customer just has to tap the card, no need to enter a PIN.

We saw the opportunity to use this technology to do payments on the Internet.  We have built an NFC reader and the concept is that you can have this reader on your computer, at home, and when you want to buy something on the Internet, instead of typing in a card number you just tap your card on the reader and pay that way.

One of our strategies is to get our technology embedded into all consumer electronics.  Intel is a significant investor in SecureKey and all the Ultrabooks coming out actually have our NFC reader built in.  And we are working to get it embedded in cell phones.

Code: So how does this technology lend itself to the direction you have taken with SecureKey Concierge?

Andre: So, yes, that’s a good question… Part of this is that we noticed that we are all drowning in user IDs and passwords.  And the problem for governments is that they know who I am on paper but they don’t know me in person, and when I show up on the Internet they have a hard time knowing it’s me.  The solution in the past is for the government to roll out their own credential — the current incarnation is called Access Key.  But (for higher-value transactions) that includes installing software on my computer and with all the support costs related to this, the government realized that serving me online is much more expensive that serving me in person…

The federal government’s idea was to delegate authentication.  An RFP was issued looking for proposals with 10,000,000 subscribers and at least three credential service providers.  SecureKey, partnering with three of the largest Canadian banks, was the only respondent.

Code: Why are the banks interested in this?

Andre: Their primary motivator is that they want to see identity move online. Banks want customer identities, today largely based on the provincial drivers license, to be verifiable.  With SecureKey’s model four key players will participate: federal government, provincial government, banks and telcos.  These four players have a critical role in the consumer’s life.  The federal government can set standards and leverage its buying power in a way that individual provinces can’t.  The provinces are the source of identity — birth certificates and the licenses we carry around in our wallets.  But the problem is that we don’t deal with the province very often; it’s rare that we have to talk with them and this makes it hard to authenticate online.

This is where the banks come in.  They have a very tight relationship with 98% of Canadians — they see their customers often and know them well.  By participating in SecureKey, the banks will get better digital identities, which will help them when accounts are opened.

To take this further, BC is launching new services card and drivers license with an NFC chip inside.  This is compatible with SecureKey technology and will make it easier to conduct secure transactions related to provincial programs.

What the telcos bring to this is something that Canadians always have in their pockets — their phones.  We are working to get phones and carrier networks working with the system as well.

Code: What is the typical use case SKC is looking to solve?

Andre: Any Canadian who wants quick and convenient access to any federal government service can use their bank account to gain that access.

Code: Can you confirm for us the high-level architecture? Is it primarily an identity broker service that sits between the IdP and relying party?

Andre: No, it is better described as a ‘credential’ broker service because there is no identity information passed. The government never gets the unique MBUN  (meaningless but unique number), only a service-specific number.  There is no information about the user passed to the government other than they are an authenticated bank user.  The government does its own enrolment and identity verification.

Code: Is SecureKey Concierge based on SAML?

Andre: The service is based on SAML 2.o and has support for older versions of SAML and Shibboleth.  OAuth and WS-Trust are planned.

Code: How can the service support an investigation?

Andre: It is important to point out that SKC has a privacy-enhanced design — triple blind.  No one participant has a complete picture of the transaction.

Each bank produces an anonymous MBUN for each customer. The banks will pass the MBUN to SKC during authentication. Our service will log any transactions completed in the session against the MBUN.  To preserve anonymity between services SKC will further anonymize the MBUN for each relying party service and SKC will pass a unique number called the Persistent Anonymous Identifier to each RP.

Event tracking is supported.  So let’s say CRA comes to us and says we have an event here and we need to do an investigation.  Keep in mind that the ‘handle’ we give to the RP is the Persistent Anonymous Identifier (PAI).  CRA can provide us with this number and we can provide the event logs that relate to that PAI.  If this isn’t sufficient, we can use the MBUN to go to the banks and get the details of the authentication event from them. Of course, it depends on how serious the issue is — if it is a judicial enquiry there will be more disclosure, but for other investigations we will keep the ‘privacy veil’ on.

For a compromised account, the bank is going to shut it down and the government won’t see that account again.  It is worth noting that banks have pretty sophisticated systems for detecting problems, so breaches are pretty rare events.

Code: Can you share with us the attributes that are passed between the bank and the government site? From my recent use of the service, I couldn’t tell if the bank asserted my name information.

Andre: Only PAI is passed. Name info is not passed. Note that each service (relying party) does own enrolment and may collect name.

We are all about consumer convenience, choice and privacy control. This service is very user-centric. Users are presented options to approve any information via on-screen prompts.  To facilitate this, SecureKey Concierge will have a set of templates to allow RPs to collect pre-determined ‘bundles’ of information.  The RP will use these templates to collect all the info consistently from a provincial card or bank record.

This broker concept becomes even more important as we move into sharing identity attributes.  We want to make sure we continue to support minimal disclosure.

Code: I’ve worked on citizen identity for a while now, and there is always the challenge of keeping up with their preferences and ‘life-changes’.  How does the SKC service manage changes to the citizen’s banking credentials? Let’s say I decide to switch banks, but want to keep my access to the Service Canada site in place. Is this possible?

Andre: Yes, a bank account change can be made via a the ‘Switch My Sign-In Partner’.  The process requires that you have control of both bank accounts in order to make the switch.

Code: The SecureKey Concierge two-factor solution looks to be a bit of a game changer for high-value and/or high-risk transactions.  Where do you see this technology being adopted in the online government-to-citizen space?

Andre: Enterprise authentication is something we can do. SecureKey is trying to make it easier for employees using their access badges. We see healthcare and government and finance are three verticals we are targeting, all with needs for strong authentication.

Code: How are things going? Has interest in SecureKey Concierge started to pick up? Have you seen interest in the service outside of the federal government, BC and Alberta?

Andre: We launched with the government of Canada in April, and have 15 agencies/departments online today.  Two bigger departments, HRDC and CRA, are set to launch this fall.  We expect that by the end of 2012 we’ll have the bulk of Canadian departments online with SecureKey Concierge.

As for other interest — there is nothing we can share just yet! But ‘wrapping up Canada’ (all remaining provinces) is the current goal.  We also want more credential service providers including partners from outside of the banking sector.

Code: Thanks for your time today Andre.

Andre: You’re welcome!

Service Canada and SecureKey Concierge

Service Canada now uses the SecureKey Concierge identity broker service.  This new service allows Canadians to access services using their online banking credentials.  This may be the first federated identity implementation in Canada targeted at citizens.  Until now, Fed ID implementations have been limited to higher education and industry federations.

Here is a screen-by-screen walk-through of how Service Canada’s site can be accessed using SecureKey Concierge and a citizen’s bank account.  (Please excuse the image sizes [click to enlarge].)

1. First, from the ‘Access My Service Canada Account’ page, the link to SecureKey Concierge (SKC) is easy to locate near the bottom of the page:

Note that the government has kept their own Access Key as a login option.

2. Clicking on the SKC login brings up the SKC discovery service.  It is here where you select your preferred identity provider from a list of bank services:

3. Select your bank from the list.  The service then redirects to a customized bank login page (Scotiabank in my case).  Note that this page is different than the bank’s regular online login page – the look, content and URL are different.
4. Note that the SKC logo is carried through to this page.  Once I login — and yes, this is the exact same credential as I use with Scotiabank — I was sent to the SKC terms and privacy notice:

5. The terms and conditions can be found here.  When you ‘Accept and Continue’ you are returned to a Service Canada page:

6. This page confirms which credential the user is to use, and offers to convert an Access Key credential to the SKC credential.  Next:

7. Now, Service Canada lets you know what is upcoming, and informs you of various privacy and service terms.  Once you get past this page, you arrive at their enrolment/registration form: 

This is where Service Canada enrols you into their service by asking for selected shared secrets: SIN, DoB, an access code and your province of residence.  Note that your name is not passed in from SKC, and it appears that your name is not needed on this screen to confirm your identity.

(Also note the use of the term ‘authentication’.  I’d prefer they use ‘enrolment’ but I suppose for users of this service it doesn’t really matter all that much…)

8. Finally, upon successfully entering this information you are rewarded with a lengthy privacy notice and terms page:

9. Accepting terms here results in the main Service Canada service page being displayed (with links to your personal information):

In summary:

  • Service Canada provides an SKC login option.
  • SKC allows the user to select their bank login from a discovery service (page with list of partnering banks).
  • The bank login page is a modified version of what the user is familiar with. The user logs in using their regular online banking credential.
  • SKC’s terms are displayed and agreed to by the user.
  • Service Canada then takes over and walks the user through service-specific enrolment pages.
  • The user accesses the service.

Time for me to complete: 5 mins, 18 seconds.

Once enrolled using the above steps, returning to the service is simpler because the link between your bank credential and the service is maintained.  This link is anonymized so that the bank is not aware of what service you accessed, and Service Canada doesn’t know what bank credential you used.

When returning to the service page, select the SKC login option.  Select your bank and login.  You then get access to the service without being prompted for enrolment information.

Aside from the technology and user experience, there is a lot going on here.  Join the discussion at LinkedIn – Canadiam.

  Updated: Click here for the SecureKey interview…

Mike

Code Technology now on Facebook…

I have blogged and tweeted many times about Facebook’s deceptive privacy policy and ‘promiscuous’  identity information sharing practices.  The company has a track record of misleading its users about what personal information will be shared with advertisers and other users.  And personal profile details are being shared even wider (source: Matt McKeon), with an increased emphasis on pushing personal information out to the Internet.

I don’t like Facebook because Facebook have  not shown themselves to be trustworthy. So I have never setup a Facebook account.  I’m not among their 500+ million users.

But I recently figured out that you can have a company presence without the need to have a personal account.  So today I decided to setup a company page. My reason for doing so is simple: Facebook as a platform is rather important.  Without a page on Facebook, Code Technology is less visible to many hundreds of millions of people.  In fact, without a page, my business is invisible to those people who think Facebook IS the Internet.

On Code Technology’s Facebook page there will be links to this blog, an occasional update, identity management-relate pictures perhaps and possibly a video post.  What I won’t share is any personal info — the company hasn’t earned my trust (and likely never will).

Please visit the Code Technology Facebook Page and let me know what you think.  A ‘like’ won’t hurt…  🙂

thx, Mike

Blogroll update

It has been a while since I strolled through my own Blogroll… there is always good content in there worth sharing.

  • Mark Dixon is back blogging — here’s a great post on how to make a bad fake ID…
  • Patrick Harding has an interesting write-up on ADFS vs Ping terminology.  Interesting (to me) given that I’ve been working on an ADFS v2.0 project lately…
  • Kim Cameron also returns to blogging with a a new post — a video interview that delves into Identity Federation and the cloud.
  • Jeff Bohren has some criticism of Apple’s handling of the iPhone 4 reveal by Gizmodo.  Seems the ‘iPolice’ are confiscating first and asking questions later…
  • David Fraser the Canadian privacy lawyer offers up a balanced view of StreetView and privacy non-issues.

And finally:

Mike

IAM in 2010?

It has been a busy, busy past few months for Code Technology — new projects, new opportunities and a growing business.  This post provides an update on our project work with, necessarily, client names obscured:

  • Last fall, the  Identity and Access Management program that I’ve been leading for a large public-sector education organization paid some big dividends.  Over the past two years my team has been building an IAM system on top of Microsoft’s Active Directory Federation Services (ADFS).  The main work was actually completed over a year ago, and the first web applications with a few hundred users were launched.  But in October 2009 the wider deployment started and we now have over 35,000 users, with as many as 120,000 users to come online in just over three years.  By the end of 2010, we could have a dozen applications using the service, enabling access to the broader education sector in Alberta in ways that have previously been impossible.
  • We recently completed an IAM strategy and program development project for a very large organization (85,000+ employees) here in Alberta.  This enterprise has some compelling identity challenges and high security needs.  What is interesting is that we have been able to construct a strategic framework, then drive out enough detail to define individual IAM projects for inclusion into their overall information security program.  I strongly believe that defining strategy without a defined delivery program as part of the report is useless — how many strategies and architectures do we see that end up sitting on executive shelves? With this project completed, the client now has a clearly articulated strategy and a practical set of projects defined in a format that is easily understandable by business and technical decision-makers alike.
  • We have also been working to develop the Canadiam blog and online community.  So far we’ve managed to create the blog site, populate it with a few posts, create a Twitter hash tag (#canadiam) and setup a LinkedIn group.  We are always open to new commenters, guest bloggers and other contributions so if you are interested in this niche slice of Canadiana, visit the site and let us know!  At the very least, feel free to slap #canadiam on to any Tweets you have related to IAM in Canada.

There really seems to be an increased rumble in the IAM services space — I’ve been at this niche for over seven years and I don’t recall a time when there have been so many implementations in the works. Whether it be government, other public sector or for-profit enterprises, IAM seems to be on everyone’s mind.

In the past few weeks alone, we have had interest in Code’s IAM services from three different provinces — five different projects in total. And that’s just what a crossed my desk — there are at least three major IAM implementations being planned or being delivered in Alberta at present, renewed federal efforts to develop the Pan-Canadian framework, another major project in Manitoba and (from what I can gather) similar initiatives in the other western provinces.

There is a lot going on in the identity world.  Will 2010 be the year that IAM makes a big splash across the country?

Mike

 

Social Media Marketing

I’ve just signed up for the Social Media Marketing Bootcamp that is taking place in downtown Edmonton on September 9th.

The idea is to see how my own business marketing stacks up against the best practices that are emerging.  I’m already using the web, which of course includes many things now tagged as ‘social media’, and traditional media for marketing, but perhaps there is a set of practices and techniques that can help my business.

Maybe there is an identity angle to be discovered…

Update: no real identity angles, but a very worthwhile session — I learnt a lot about how to design and implement a social media program.  They are running this again in October but already are nearing capacity, so sign up today if you are interested!

Mike