Service Canada and SecureKey Concierge

Service Canada now uses the SecureKey Concierge identity broker service.  This new service allows Canadians to access services using their online banking credentials.  This may be the first federated identity implementation in Canada targeted at citizens.  Until now, Fed ID implementations have been limited to higher education and industry federations.

Here is a screen-by-screen walk-through of how Service Canada’s site can be accessed using SecureKey Concierge and a citizen’s bank account.  (Please excuse the image sizes [click to enlarge].)

1. First, from the ‘Access My Service Canada Account’ page, the link to SecureKey Concierge (SKC) is easy to locate near the bottom of the page:

Note that the government has kept their own Access Key as a login option.

2. Clicking on the SKC login brings up the SKC discovery service.  It is here where you select your preferred identity provider from a list of bank services:

3. Select your bank from the list.  The service then redirects to a customized bank login page (Scotiabank in my case).  Note that this page is different than the bank’s regular online login page – the look, content and URL are different.

4. Note that the SKC logo is carried through to this page.  Once I logged in — and yes, this is the exact same credential as I use with Scotiabank — I was sent to the SKC terms and privacy notice:

5. The terms and conditions can be found here.  When you ‘Accept and Continue’ you are returned to a Service Canada page:

6. This page confirms which credential the user is to use, and offers to convert an Access Key credential to the SKC credential.  Next:

7. Now, Service Canada lets you know what is upcoming, and informs you of various privacy and service terms.  Once you get past this page, you arrive at their enrolment/registration form: 

This is where Service Canada enrols you into their service by asking for selected shared secrets: SIN, DoB, an access code and your province of residence.  Note that your name is not passed in from SKC, and it appears that your name is not needed on this screen to confirm your identity.

(Also note the use of the term ‘authentication’.  I’d prefer they use ‘enrolment’ but I suppose for users of this service it doesn’t really matter all that much…)

8. Finally, upon successfully entering this information you are rewarded with a lengthy privacy notice and terms page:

9. Accepting terms here results in the main Service Canada service page being displayed (with links to your personal information):

In summary:

  • Service Canada provides an SKC login option.
  • SKC allows the user to select their bank login from a discovery service (page with list of partnering banks).
  • The bank login page is a modified version of what the user is familiar with. The user logs in using their regular online banking credential.
  • SKC’s terms are displayed and agreed to by the user.
  • Service Canada then takes over and walks the user through service-specific enrolment pages.
  • The user accesses the service.

Time for me to complete: 5 mins, 18 seconds.

Once enrolled using the above steps, returning to the service is simpler because the link between your bank credential and the service is maintained.  This link is anonymized so that the bank is not aware of what service you accessed, and Service Canada doesn’t know what bank credential you used.

When returning to the service page, select the SKC login option.  Select your bank and login.  You then get access to the service without being prompted for enrolment information.
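To make the anonymized link concrete, here is an added sketch (not SecureKey's implementation, whose internals this post does not describe) of a broker that gives each service a stable pseudonym for a bank login while passing neither party the other's identity.  The class name, the HMAC derivation and the identifiers `bank-a`, `cust-7731`, `service-x` and `service-y` are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class BlindBroker:
    """Toy broker: the bank never learns the service, the service never learns the bank."""

    def __init__(self):
        # Broker-held secret; pseudonyms cannot be recomputed or linked without it.
        self._key = secrets.token_bytes(32)
        self._pending = {}  # one-time transaction id -> service that started the login

    def start_login(self, service_id):
        """The service sends the user here; the bank later sees only this opaque id."""
        txn = secrets.token_urlsafe(16)
        self._pending[txn] = service_id
        return txn

    def finish_login(self, txn, bank_id, bank_subject):
        """The bank returns its own opaque subject; the broker maps it per service."""
        service_id = self._pending.pop(txn)  # single use: a replayed txn raises KeyError
        msg = "\x1f".join((service_id, bank_id, bank_subject)).encode()
        pseudonym = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        # The assertion handed to the service carries no bank name and no bank subject.
        return {"audience": service_id, "subject": pseudonym}


def demo():
    """Constructed walk-through: enrol, return to the same service, visit another."""
    broker = BlindBroker()

    def login(service):
        txn = broker.start_login(service)
        # The bank authenticates the user and is shown only the transaction id.
        return broker.finish_login(txn, "bank-a", "cust-7731")

    return login("service-x"), login("service-x"), login("service-y")
```

The first two results carry the same subject, which is why a returning user skips enrolment, while the third differs, so two services cannot correlate the same person by comparing identifiers.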

Aside from the technology and user experience, there is a lot going on here.  Join the discussion at LinkedIn – Canadiam.

  Updated: Click here for the SecureKey interview…


Personal data and a new business model


Instead of thinking of the digital data as something collected by others and somehow used against you, it becomes a mechanism for you to get companies to send you information about things you actually want to buy.

Personal, located in the Washington, DC area, have built a personal data service that encourages users to enter personal information into Personal’s cloud-based vault.  The service allows people to organize their data into ‘gems’, then send this information to family, friends and business associates.  Here are some quick-hit videos that explain the company and the concept.

I have direct experience with personal data vaults and, frankly, the uptake on this type of service is currently poor.  It may well be a generational thing, and perhaps time has to pass before enough people will trust a cloud service with their secrets.

But I think that the real obstacle for existing personal vaults may well be the current ‘user pay’ business model.  People don’t see the value in a paid-for personal data service — but could they use a service that allows them to control and sell their own personal data?

Personal’s model anticipates a future where advertisers will seek out personal data from prospects and pay for the information.  Personal is hoping to capitalize on this by becoming the  broker for millions of personal data transactions, and take a percentage of the transaction fees as commissions.  We — as rightful owners of the data — get the rest!

Is this the future of personal data? Are we seeing a move away from intrusive data collection for the service operator’s profit alone (the Google and Facebook models) to a world where we own, control and reap the benefits of our own information?


IAM for the smaller enterprise

My clients find identity solutions to be complex and costly to implement.  For mature and/or large enterprises, these issues are simply a cost of doing business — and compliance or online strategic drivers are usually sufficient to fund and launch an IAM initiative.

For the smaller enterprise there appear to be two paths followed: do nothing or do it poorly.  When done poorly, shoddy IAM implementations  can result in poor credential management, lousy availability and inappropriate access controls.

So how does a smaller company or organization deal with identity properly? How can users be efficiently identified online without building expensive, custom solutions? What service levels and supports are possible for a login service when staff go home at 5pm? How can niche needs like strong authentication be met without excessive server license costs and complex implementations?

Enter the cloud.  Cloud-based IAM service providers are maturing and there are a number of offerings suited to the smaller organization.  For example:

  • Symplified offers a full IAM service that promises plug-and-play integration with surprising depth, including support for mobile devices and apps.
  • PhoneFactor has a slick and secure solution for two-factor authentication that can be licensed on a per-use basis.
  • TransUnion have a robust identity proofing service for the critical process of confirming the identity of an online visitor.

Using one or more of these solutions allows for rapid deployment of IAM for smaller organizations.  The cost savings are considerable and service levels are beyond what most companies could hope to provide on their own.  There still remains integration work — applications need to be ‘plumbed’ to inter-operate with the cloud solutions — but all the heavy-lifting of designing and configuring a solution is eliminated.

The maturation of cloud IAM solutions means an increased number of companies can implement secure and compliant solutions without the long lead-times and high cost of traditional product-based offerings.  In this age of rampant data breaches and increased focus on compliance, this is a welcome development.


Privacy at risk in Canada?

An important issue is being raised by our federal Privacy Commissioner around changes to legislation to combat online fraud and other crimes.  These changes look to be more than cursory — they would potentially create a legal environment where law enforcement can implement excessive surveillance on Canadians.

To quote Jennifer Stoddart’s letter to Vic Toews, the Minister of Public Safety:

“By expanding the legal tools of the state to conduct surveillance and access private information, and by reducing the depth of judicial scrutiny, the previous bills would have allowed government to subject more individuals to surveillance and scrutiny.  In brief, these bills went far beyond simply maintaining investigative capacity or modernizing search powers.  Rather, they added significant new capabilities for investigators to track, and search and seize digital information about individuals.”

This is an important issue, one worth paying attention to over the coming months.


Update: See the Privacy Law blog’s post and an editorial from Ann Cavoukian, the privacy commissioner for Ontario.

Europe vs Facebook

I’ve posted a few comments on Facebook’s poor behaviour in the past (as have many others), so I’m not surprised they are in the news again.

Kim Cameron’s take on the data abuse controversy unfolding in Europe is pretty good — and the videos are even better!  I like this (translated) quote:

“No KGB or CIA has had 1200 pages about an average citizen…”

Indeed.  So what is in your 1200 pages?


IAM project risks

Implementing Identity & Access Management solutions can be complicated.  There is a wide range of features, technical inter-dependencies and business issues to be managed.  Cost, schedule and scope issues can all result in project problems.

My first experience actually managing a large IAM project came in 2003.  At that time the solutions were clumsy and the technical resources simply weren’t that strong.  Today the product suites for IAM are much more capable, but there remain a number of risks to manage:

  • Resourcing — Good people can be hard to find and you’ll want some good quality business analysts and at least one ‘go-to’ technical architect.  Avoid resourcing risk by looking for these people early and once you get them in place, be sure to keep your core team happy.  As you move along, try to cross-train the team members and document the solution — doing this will significantly reduce the risk to the project should a key person leave unexpectedly.
  • Management Support — Don’t just give your boss a status report every week and think you’ve earned her support.  Keep the communications flowing and be sure to celebrate successes and continually emphasize key benefits.  Hit your dates, deliver as expected and people will notice.
  • Technical — IAM’s complexity comes from integration, and while standards like SAML are well established, there is going to be customization required to get the solution working within an enterprise environment.  With customization comes complexity and inevitable technical hurdles.  Reduce project risk by tackling these head-on: identify the problem early and if the technical team is stumped, bring in the vendor experts.
  • Scope Creep — Where possible, I try to keep the scope small to reduce complexity and to ensure the team delivers something every six months.  If your scope does creep, it is on a smaller base of work and is much more obvious — and manageable.  For bigger scope issues, communicate early and stop reporting ‘green’ status.  If you don’t have clear scope you need to stop and resolve — don’t just assume you’ll fit it into the workplan.  Another sure fire way to manage risk related to scope is simply to drop less critical functions.  For example, if the scope creep is related to the administration component, perhaps drop the lower priority reports — they can always be built later, either as part of some follow-on project or by the operational support team.

By following some of these tips you can better manage schedule, scope and cost issues on your project.  For more information, contact us and ask about our IAM project delivery services.

Legal obligations and identity

Let’s start by stating the obvious: identity management systems must abide by provincial/state and national laws.  An IAM assessment needs to identify the laws and legislation that govern the organization to ensure identity-related systems are appropriately structured and legally compliant.

(Disclaimer: I’m not a lawyer, not even close… I don’t even watch Law and Order anymore! Please consider this article general information only.  For some actual legal opinion, check out the Canadian Privacy Law Blog.)

When implementing an IAM system, a review of the legal aspects of identity is important.  Issues can arise when identity management systems do not consider the legal requirements.  For example, privacy legislation may put limits on what type of information an organization may collect and store (e.g. sensitive personal information).  Or there may be legal limits on how information is shared, or how a user is notified about identity information sharing.

On the flip side, misunderstandings about what legislation allows and disallows can lead to poor user experiences or systems with reduced functions.  In one case, I was developing an identity strategy for a client who is subject to some fairly specific privacy legislation.  We wanted to share identity information between business applications and with other partners.

Several senior people in the sessions insisted that the act disallowed this type of information sharing.  I knew there were restrictions so I sifted through the actual privacy legislation to be sure.  I was surprised to find that the restriction was not as severe as the group thought.  The act stated that the intended use of personal information needed to be clearly stated, and that the individual needed to consent to this use.  This clarification allowed the group to create a framework for collecting identity information for a specific use, collecting consent from their users, and then sharing the identity information within the stated use.

By including a legal review in an IAM assessment or solution project, clients can have confidence that their systems are compliant with their obligations.


Authenticating those youngsters

Why can’t a device replace a password?

I had a really interesting conversation with a client last Friday.  I’ve helped them to build a public-facing identity management system for access to a range of web applications.  It has been running for over two years and has (literally) hundreds of thousands of users.

The chat went something like this…

CIO: As you know, our users are a bit of a younger demographic, and we’ve been noticing lately that they are having trouble remembering their usernames and passwords.

Me: Well, we’d expect them to use the forgot user ID or forgot password links on our login page…

CIO: But they don’t. Or if they do use those links it is confusing to them. We are seeing a spike in help desk calls.

Me (mystified a bit): Ummm… why is that? We use a pretty standard web page with links for these functions.

CIO: Yes we do. However, an increasingly large segment of our user base has grown up with smartphones, not browsers. They are used to apps and auto-remembered credentials.

Me (feeling elderly): Oh.

CIO: So what we need is a way to login to both web apps and device apps using just the mobile phone.

Okay, so it took a few minutes for this to sink in, but I get this. Younger users use mobile phones and apps predominantly, and the web browser experience is not the same for them as it is for us oldsters.

My own teen-age kids are proof of this — texting is definitely preferred over email, and I think I saw my 15-year old daughter tear-up last year when I upgraded her iPhone to a full data plan…

Teens, it seems, are most comfortable with a device.  And that device presents information and services differently than a web page does.  So differently in fact that it poses problems for authentication. This is really interesting…

There are two use cases to explore here.

  • The first is the identity-aware app.  The app needs to authenticate the user in a way that is consistent with best-practices for protecting sensitive information.  It can’t just provide access without authentication because that would be against policy and create risks of breach that aren’t acceptable.  But it does need to be seamless and easy — because that is the way of the app, right?
  • The second case is web login without username and password… Interestingly, a user ID / password combination is only single factor (something-you-know).  The replacement of this standard approach with something-you-have, i.e. a mobile device, shouldn’t be that hard.  For example, a user who has pre-registered their phone with us could get a one-time code sent via SMS to the phone.  They could then enter the code in order to authenticate.  No more forgotten passwords, no need to remember what username I picked.
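As an added example of the second use case (not code from the client system discussed here), this sketch issues a one-time code to a pre-registered phone and checks it with an expiry, a single-use rule and an attempt limit.  The class name, the `send_sms` callable standing in for an SMS gateway, and the policy values are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300     # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 3   # wrong guesses allowed before the code is burned (assumed policy)


class SmsCodeAuthenticator:
    def __init__(self, send_sms, clock=time.time):
        self._send = send_sms   # callable(phone, text); the gateway itself is out of scope
        self._clock = clock
        self._phones = {}       # user -> pre-registered phone number
        self._pending = {}      # user -> [code_hash, expires_at, attempts_left]

    def register_phone(self, user, phone):
        self._phones[user] = phone

    def request_code(self, user):
        phone = self._phones.get(user)
        if phone is None:
            return False        # codes go only to a phone registered in advance
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG; keeps leading zeros
        digest = hashlib.sha256(code.encode()).digest()
        # A new request replaces any earlier code, so only the latest one works.
        self._pending[user] = [digest, self._clock() + CODE_TTL, MAX_ATTEMPTS]
        self._send(phone, f"Your login code is {code}")
        return True

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[user]
            return False
        entry[2] -= 1
        guess = hashlib.sha256(submitted.encode()).digest()
        ok = hmac.compare_digest(digest, guess)    # constant-time comparison
        if ok or entry[2] == 0:
            del self._pending[user]   # single use, or burned after too many misses
        return ok
```

A six-digit code is only as strong as the limits around it, so the attempt counter and expiry matter as much as the random generation.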

Can these use cases be met within the policies and best practices established by enterprises? Or do we need to reconsider our approaches in light of a changing demographic?