Service Canada now uses the SecureKey Concierge identity broker service. This new service allows Canadians to access services using their online banking credentials. This may be the first federated identity implementation in Canada targeted at citizens. Until now, Fed ID implementations have been limited to higher education and industry federations.
Here is a screen-by-screen walk-through of how Service Canada’s site can be accessed using SecureKey Concierge and a citizen’s bank account.
1. First, from the ‘Access My Service Canada Account’ page, the link to SecureKey Concierge (SKC) is easy to locate near the bottom of the page:
Note that the government has kept their own Access Key as a login option.
2. Clicking on the SKC login brings up the SKC discovery service. It is here where you select your preferred identity provider from a list of bank services:
3. Select your bank from the list. The service then redirects to a customized bank login page (Scotiabank in my case). Note that this page is different than the bank’s regular online login page – the look, content and URL are different.
4. Note that the SKC logo is carried through to this page. Once I logged in — and yes, this is the exact same credential as I use with Scotiabank — I was sent to the SKC terms and privacy notice:
5. The terms and conditions can be found here. When you ‘Accept and Continue’ you are returned to a Service Canada page:
6. This page confirms which credential the user is to use, and offers to convert an Access Key credential to the SKC credential. Next:
7. Now, Service Canada lets you know what is upcoming, and informs you of various privacy and service terms. Once you get past this page, you arrive at their enrolment/registration form:
This is where Service Canada enrols you into their service by asking for selected shared secrets: SIN, DoB, an access code and your province of residence. Note that your name is not passed in from SKC, and it appears that your name is not needed on this screen to confirm your identity.
(Also note the use of the term ‘authentication’. I’d prefer they use ‘enrolment’ but I suppose for users of this service it doesn’t really matter all that much…)
8. Finally, upon successfully entering this information you are rewarded with a lengthy privacy notice and terms page:
9. Accepting terms here results in the main Service Canada service page being displayed (with links to your personal information):
- Service Canada provides an SKC login option.
- SKC allows the user to select their bank login from a discovery service (page with list of partnering banks).
- The bank login page is a modified version of what the user is familiar with. The user logs in using their regular online banking credential.
- SKC’s terms are displayed and agreed to by the user.
- Service Canada then takes over and walks the user through service-specific enrolment pages.
- The user accesses the service.
Time for me to complete: 5 mins, 18 seconds.
Once enrolled using the above steps, returning to the service is simpler because the link between your bank credential and the service is maintained. This link is anonymized so that the bank is not aware of what service you accessed, and Service Canada doesn’t know what bank credential you used.
When returning to the service page, select the SKC login option. Select your bank and login. You then get access to the service without being prompted for enrolment information.
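The maintained, anonymized link described above can be modelled with pairwise pseudonyms. The sketch below is an added example, not SecureKey's or Service Canada's code: the `Broker` and `Service` classes, the HMAC derivation, and all identifiers and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Broker:
    """Hypothetical broker; the HMAC derivation is an assumption, not SKC's design."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # known only to the broker

    def assertion(self, bank, bank_subject, service_id):
        # Pairwise pseudonym: stable for one (bank credential, service) pair,
        # different for every other service, and carrying no bank or user name.
        msg = "\x00".join((bank, bank_subject, service_id)).encode()
        sub = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"issuer": "broker", "subject": sub}


class Service:
    def __init__(self, service_id, records):
        self.service_id = service_id
        self._records = records  # shared secrets already held by the service
        self._links = {}         # pseudonym -> local account

    def login(self, assertion, secrets_entered=None):
        sub = assertion["subject"]
        if sub in self._links:
            return "access"              # returning user: no enrolment prompt
        if secrets_entered is None:
            return "enrolment_required"  # first visit with this credential
        account = self._records.get(secrets_entered)
        if account is None:
            return "enrolment_failed"
        self._links[sub] = account       # link persists for later visits
        return "enrolled"


def walkthrough():
    broker = Broker()
    # Constructed sample record: (SIN, DoB, access code, province) -> account
    shared = ("000-000-000", "1970-01-01", "ABCD1234", "ON")
    svc = Service("service-a", {shared: "account-1"})
    # The bank is addressed by the broker only and never learns service_id.
    a = broker.assertion("bank-x", "opaque-user-77", svc.service_id)
    first = svc.login(a)
    enrol = svc.login(a, shared)
    again = svc.login(broker.assertion("bank-x", "opaque-user-77", svc.service_id))
    other = broker.assertion("bank-x", "opaque-user-77", "service-b")
    return first, enrol, again, a, other
```

The service stores only the pseudonym against its own account record, so a user who later signs in with a different bank credential presents a different pseudonym and is asked to enrol again.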
Aside from the technology and user experience, there is a lot going on here. Join the discussion at LinkedIn – Canadiam.