Identity Ecosystem Use Cases: Government-to-Citizen Services
Christian Ali, Vice President, Solution Engineering, SecureKey Technologies
Overview
• Stakeholders/Participants
• Leveraging Existing Credentials (IDPs)
• Levels of Assurance (LOA1-4)
• Technology
• Privacy Considerations
• User-centric Use Cases
Development of ID Ecosystems
• Increased security
• Lower cost
• User convenience
• Privacy enhanced
Everything is an online app
At home and work, the number of online applications we use is growing. (Figure: icons of personal and work applications, e.g. My Bank, Ontario App.)

Passwords are proliferating
Each new application brings its own password. Only a few credentials will be top-of-mind; these will be used daily. Others will be forgotten.
Which brands will be top-of-mind?
Who will people choose as their trusted credential partner?
• All of these brands currently offer strong 2-factor authentication.
• Few brands offer the KYC, the trust or the deep relationship that clients rely on for important services like government, healthcare, etc.
BYOC (Bring Your Own Credential) Removes Friction
Banks as IDPs
• Trusted brands
• Secure systems
• Know Your Customer (KYC) regulations
Concierge
• 127 government applications
• 22 subscriber integrations
• CRA (Canada's counterpart of the IRS): launched Apr '12; ramp Aug '12
• <8 months from contract to launch
• Privacy enforcing: triple blind
• Improved user experience
• National standard, expanding to province and city
(Figure: Credential Providers, holding the frequently used trusted credentials, connect over SAML to the privacy-enhanced Credential Broker, which in turn connects over SAML to the Credential Subscribers, the infrequently used services.)
Simple User Experience

Privacy Enhancing Broker
A simple process with 2 user steps, involving the Government Service Site, the briidge.net Exchange and the Bank Site:
1. The user selects a bank from the list of available Sign-In Partners.
   Transparently, the Exchange initiates the sign-on request, shielding the bank from knowing the source web application.
2. At the bank site, the user completes their normal sign-in process.
   Transparently, the bank retrieves (or generates and stores) a unique number to represent this user.
   Transparently, the Exchange retrieves (or generates and stores) a unique identifier that will be used to represent this user to the web application. A different unique number is generated for each application.
The user is then signed in to the web application. (If this is the first time the user has signed in with this credential, enrollment activities may occur.)
Privacy by Design
Ensuring Privacy by Design: the system generates and stores a different anonymous identifier for each web application.
(Figure: the bank's user record carries identifier 12345; the Exchange presents that same user as ABCDDDEE to CRA and as AADDFEE to Service Canada.)
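The two transparent steps above, the Exchange requesting sign-in from the bank without naming the application and then swapping the bank's user number for an application-specific identifier, as an added example (not SecureKey or briidge.net code). Assumptions not taken from the slides: the per-application identifier is derived with HMAC-SHA256 under a key only the Exchange holds rather than drawn at random and stored (same observable behaviour, one stable identifier per application and no linkability across applications, without a lookup table); the bank "My Bank", the application names and the user number 12345 are constructed sample data; and the LOA floor check is one way the later requirement that each application can have its own LOA requirements could be enforced at the broker.

```python
"""Toy privacy-enhancing credential broker (added example, not SecureKey code).

Assumptions not from the slides: HMAC-derived per-application pseudonyms
instead of stored random numbers, constructed bank/application names, and a
broker-side LOA floor check.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

BROKER_NAME = "briidge.net Exchange"


@dataclass
class Exchange:
    key: bytes
    credential_providers: dict   # bank name -> LOA the bank is certified for
    subscribers: dict            # application name -> minimum LOA it requires
    # Every message handed to a bank or to an application, kept so the
    # blinding property can be checked afterwards.
    sent: list = field(default_factory=list)

    def sign_in_request(self, application: str, bank: str) -> dict:
        """User step 1: the Exchange, not the application, asks the chosen bank
        to authenticate. The request names the Exchange as requester, so the
        bank never learns which application the user is heading to."""
        if application not in self.subscribers or bank not in self.credential_providers:
            raise ValueError("unknown subscriber or credential provider")
        request = {"requester": BROKER_NAME, "destination": bank}
        self.sent.append(("bank", bank, request))
        return request

    def pairwise_id(self, bank: str, bank_subject: str, application: str) -> str:
        """Application-specific pseudonym for the bank's opaque user number.
        Same (bank, subject, application) -> same value; a different
        application -> an unrelated value that reveals nothing about the
        bank-side number (assumed HMAC derivation, see module docstring)."""
        message = "\x1f".join((bank, bank_subject, application)).encode()
        return hmac.new(self.key, message, hashlib.sha256).hexdigest()[:16]

    def sign_in_response(self, bank: str, bank_subject: str,
                         asserted_loa: int, application: str) -> dict:
        """After user step 2: the bank returned its unique number for the user;
        the Exchange swaps it for the application's pseudonym and applies the
        application's LOA floor before signing the user in."""
        # A bank cannot assert a higher level than it is certified for.
        loa = min(asserted_loa, self.credential_providers[bank])
        if loa < self.subscribers[application]:
            return {"status": "denied", "loa": loa,
                    "required": self.subscribers[application]}
        assertion = {"status": "ok", "issuer": BROKER_NAME, "loa": loa,
                     "subject": self.pairwise_id(bank, bank_subject, application)}
        self.sent.append(("application", application, assertion))
        return assertion


def leaks(exchange: Exchange, bank_subjects: set) -> list:
    """Return every (recipient, field) where a message carried something the
    recipient should not see: banks must not see application names, and
    applications must not see bank names or bank-side user numbers."""
    found = []
    for recipient, name, message in exchange.sent:
        for key, value in message.items():
            if recipient == "bank" and value in exchange.subscribers:
                found.append((name, key))
            if recipient == "application" and (
                    value in exchange.credential_providers or value in bank_subjects):
                found.append((name, key))
    return found


def demo(key: bytes = None) -> dict:
    """Run the flow for one bank customer (constructed bank-side number 12345)
    against three applications and report what each application receives."""
    ex = Exchange(key=key or secrets.token_bytes(32),
                  credential_providers={"My Bank": 2},
                  subscribers={"CRA": 2, "Service Canada": 2, "Health Portal": 3})
    out = {}
    for app in ex.subscribers:
        ex.sign_in_request(app, "My Bank")
        out[app] = ex.sign_in_response("My Bank", "12345", 2, app)
    out["repeat CRA"] = ex.sign_in_response("My Bank", "12345", 2, "CRA")
    out["leaks"] = leaks(ex, {"12345"})
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows CRA and Service Canada receiving two unrelated pseudonyms for the same customer, a repeat sign-in at CRA returning the same pseudonym as before, and the Health Portal request refused because the bank is only certified for LOA 2. The `leaks` check is the property to keep an eye on in a real deployment: any field in an IdP-bound or RP-bound message beyond what that party needs to do its job is what breaks the blinding.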
Another Approach to IDPs
http://www.idmanagement.gov/approved-identity-providers
• NIST LOA 1 (little or no confidence in asserted identity). Approved IDPs: Google, PayPal, VeriSign
• NIST LOA 2 (some confidence in asserted identity). Approved IDPs: Virginia Polytechnic Institute and State University (LOA 1 & 2)
• NIST LOA 3 (high confidence in asserted identity). Approved IDPs: Symantec, Verizon (LOA 1, 2 & non-PKI 3)
• NIST LOA 4 (very high confidence in asserted identity). Approved IDPs: PIV/PIV-I cards
• Leverages industry-based citizen credentials
• Identity Providers (IDPs) are certified using FICAM privacy and security criteria
FCCX Overview
Federal Cloud Credential Exchange (FCCX) enables the NSTIC vision by allowing agencies to securely interact with a single "broker" to authenticate consumers.
(Figure: the market problem (government) and the solution (FCCX).)
FCCX Privacy Enhancing Broker
FCCX is a privacy-enhancing broker with the following security attributes:
• Built to support citizen access to government services
• Privacy considerations are paramount in design
• Uses Identity Providers (IDPs) for authentication and basic attributes
• Multi-protocol (SAML, OpenID, PKI)
• Enables Attribute Providers (APs) to provide additional attributes to RPs
(Figure: Privacy Enhancing Broker, high-level flow.)
User-controlled attribute sharing
• User provides consent to each attribute request
• User control is granular
Attribute Exchange
The Exchange enables end-user attribute exchange: for example, name, email and health record stored at the CP are delivered to the RP.
The Exchange attribute consent policy can be tailored to a deployment:
• Informed consent: display attribute names & values on an explicit page
• Release consent: display RP name & scope on an explicit page
• Implicit consent: display RP name & scope in the selector
• Disable consent: consent not managed by the Exchange
(Figure: three sample consent screens.)
• Informed consent: "By pressing Allow you are consenting to release the following attributes to MyGov", followed by the attribute values (John Doe, [email protected], 123 Anytown Rd., June 10, 1975) and an Allow button.
• Release consent: "By pressing Allow you are consenting to release your demographics information to MyGov each time you sign in", with an Allow button.
• Implicit consent: "MyGov is requesting demographics information. Please select a sign-in partner to continue."
Why this approach? (Requirements and benefits)
• Enable 3rd-party credential usage: makes sign-in faster; improves adoption of online services; reduces operational costs
• Privacy by Design: no 'honeypots' of sensitive information; capable of triple-blinding, so no party holds the complete picture of the user and the user's actions
• User-controlled attribute sharing: user has fine-grained control over all attribute sharing
• Simple integration using SAML2: a Credential Provider integrates once to any number of federations
• SSO configuration: enables SSO across all applications or subsets
• LOA management: each application can have its own LOA requirements; LOA policies are set at the federation level
• Use common credential standards (PIV, PIV-I, OpenID, SAML2): works for US & Canadian government credential schemes
Smart Card Alliance 191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828 www.smartcardalliance.org
Speaker Contact Information