Identity Ecosystem Use Cases: Government-to-Citizen Services Christian Ali Vice President, Solution Engineering SecureKey Technologies

Post on 21-Aug-2020


Page 1: Identity Ecosystem Use Cases: Government-to-Citizen Servicesd3nrwezfchbhhm.cloudfront.net/media/scag13_preconference/... · 2016. 5. 2. · 11 A simple process with 2 user steps User

Identity Ecosystem Use Cases: Government-to-Citizen Services   Christian Ali   Vice President, Solution Engineering   SecureKey Technologies

Page 2:

•  Stakeholders/Participants
•  Leveraging Existing Credentials (IDPs)
•  Levels of Assurance (LOA1-4)
•  Technology
•  Privacy Considerations
•  User-centric Use Cases

Overview

Page 3:

Development of ID Ecosystems

•  Increased Security
•  Lower Cost
•  User Convenience
•  Privacy Enhanced

Page 4:

Everything is an online app

At home and work, the number of online applications we use is growing.

[Figure: personal applications (for example My Bank, Ontario App) alongside work applications.]

Page 5:

Passwords are proliferating

Each new application brings its own password.

[Figure: the same personal and work applications, each with its own password.]

Page 6:

Passwords are proliferating

Each new application brings its own password.

Only a few credentials will be top-of-mind. These will be used daily.

Others will be forgotten.

[Figure: the same personal and work applications sorted into top-of-mind credentials and forgotten credentials.]

Page 7:

Which brands will be top-of-mind?

Who will people choose as their trusted credential partner?

•  All of these brands currently offer strong 2-factor authentication

•  Few brands offer the KYC, the trust or the deep relationship that clients rely on for important services like government, healthcare, etc.

Page 8:

BYOC Removes Friction

Page 9:

Banks as IDPs

•  Trusted Brands
•  Secure systems
•  Know Your Customer (KYC) regulations

Concierge
•  127 Government applications
•  22 Subscriber Integrations
•  CRA (IRS in CA)
•  Launched Apr12; Ramp Aug12
•  <8 months contract to launch
•  Privacy Enforcing: Triple Blind
•  Improved user experience
•  National Standard
•  …expanding to Province, City

[Figure: Credential Providers (frequently used trusted credentials) connect over SAML to the privacy enhanced Credential Broker, which connects over SAML to Credential Subscribers (infrequently used services).]

Page 10:

Simple User Experience

[Figure: screenshots of the two user steps, 1 and 2.]

Page 11:

A simple process with 2 user steps

Parties: Government Service Site, briidge.net Exchange, Bank Site.

1. User selects a bank from the list of available Sign-In Partners.
   Transparently, Exchange initiates the sign-on request, shielding the bank from knowing the source web application.

2. At the bank site, the user completes their normal sign-in process.
   Transparently, the bank retrieves (or generates and stores) a unique number to represent this user.
   Transparently, Exchange retrieves (or generates and stores) a unique identifier that will be used to represent this user to the web application. A different unique number is generated for each application.

The user is signed in to the web application. (If this is the first time the user has signed in with this credential, enrollment activities may occur.)

Privacy Enhancing Broker
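The two-step flow above, as an added toy model that is not SecureKey or briidge.net code. It shows the three properties the slide describes: the request the Exchange sends to the bank names no web application; the identifier the application receives is stable for one user at one application and different at every other application; and the Exchange itself stores only opaque numbers. It also applies the per-application LOA requirement mentioned on slide 19. The SAML messages of the real deployment are replaced by Python method calls, and the class names, field names, LOA values and token sizes are assumptions of this example.

```python
# Toy model of the Concierge-style brokered sign-in (not SecureKey's code).
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class BankSignInRequest:
    txn_id: str   # opaque, single-use value chosen by the Exchange
    bank_id: str  # deliberately no field naming the requesting web application


@dataclass(frozen=True)
class AppAssertion:
    txn_id: str
    app_id: str
    app_user_id: str  # pseudonym meaningful only at app_id; no bank fields
    loa: int


class Bank:
    """A credential provider. Its normal sign-in is elided; what is modelled
    is only the federation number it keeps for each customer (assumed)."""

    def __init__(self, bank_id, loa):
        self.bank_id, self.loa = bank_id, loa
        self._numbers = {}  # customer login name -> federation number

    def sign_in(self, request, login_name):
        # ...the bank's normal authentication of login_name happens here...
        number = self._numbers.get(login_name)
        if number is None:  # first federated use: generate and store
            number = secrets.token_hex(8)
            self._numbers[login_name] = number
        return request.txn_id, self.bank_id, number, self.loa


class Exchange:
    """The privacy enhancing broker between applications and banks."""

    def __init__(self, app_loa_requirements):
        self._required_loa = dict(app_loa_requirements)  # app_id -> minimum LOA
        self._pending = {}     # txn_id -> (app_id, bank_id)
        self._pseudonyms = {}  # (bank_id, federation number, app_id) -> app_user_id

    def start_sign_in(self, app_id, bank_id):
        """Step 1: the user picked bank_id on the selector shown for app_id."""
        txn_id = secrets.token_urlsafe(16)
        self._pending[txn_id] = (app_id, bank_id)
        return BankSignInRequest(txn_id, bank_id)  # the bank never sees app_id

    def complete_sign_in(self, txn_id, bank_id, number, bank_loa):
        """Step 2: the bank reports its federation number for this user."""
        try:
            app_id, expected_bank = self._pending.pop(txn_id)  # single use
        except KeyError:
            raise ValueError("unknown or already-used transaction") from None
        if bank_id != expected_bank:
            raise ValueError("response did not come from the selected bank")
        if bank_loa < self._required_loa[app_id]:
            raise PermissionError(
                f"{bank_id} asserts LOA {bank_loa}; {app_id} requires LOA "
                f"{self._required_loa[app_id]}")
        key = (bank_id, number, app_id)
        app_user_id = self._pseudonyms.get(key)
        if app_user_id is None:  # first sign-in to this application: enrol
            app_user_id = secrets.token_hex(8)
            self._pseudonyms[key] = app_user_id
        return AppAssertion(txn_id, app_id, app_user_id, bank_loa)


def brokered_sign_in(exchange, bank, app_id, login_name):
    """One complete sign-in: select a bank, then sign in there."""
    request = exchange.start_sign_in(app_id, bank.bank_id)
    return exchange.complete_sign_in(*bank.sign_in(request, login_name))


if __name__ == "__main__":
    ex = Exchange({"cra": 2, "service-canada": 2})
    bank_a = Bank("bank-a", loa=2)
    cra = brokered_sign_in(ex, bank_a, "cra", "alice")
    sc = brokered_sign_in(ex, bank_a, "service-canada", "alice")
    print("CRA pseudonym:", cra.app_user_id)
    print("Service Canada pseudonym:", sc.app_user_id)
```

The Exchange's table links the bank's opaque number to each application's pseudonym, which is what lets it return the same identifier on the next sign-in; it never holds a name, an account number or an attribute, which is the "no honeypot" property claimed on slide 19. A production broker would also sign the assertion and bind it to the pending transaction (the SAML layer the diagram shows), which this model leaves out.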

Page 12:

Privacy by Design

Ensuring Privacy by Design: the system generates and stores a different anonymous identifier for each web application.

[Figure: the bank's user record (12345) shown alongside one anonymous identifier for CRA and a different anonymous identifier for Service Canada.]

Page 13:

Another Approach to IDPs

http://www.idmanagement.gov/approved-identity-providers

NIST LOA 1 (little or no confidence in asserted identity). Approved IDPs: Google, PayPal, VeriSign
NIST LOA 2 (some confidence in asserted identity). Approved IDPs: Virginia Polytechnic Institute and State University (LOA 1 & 2)
NIST LOA 3 (high confidence in asserted identity). Approved IDPs: Symantec, Verizon (LOA 1, 2 & non-PKI 3)
NIST LOA 4 (very high confidence in asserted identity). Approved IDPs: PIV/PIV-I Cards

•  Leverages industry-based citizen credentials
•  Identity Providers (IDPs) are certified using FICAM privacy and security criteria

Page 14:

FCCX Overview

Federal Cloud Credential Exchange (FCCX) enables the NSTIC vision by allowing agencies to securely interact with a single "broker" to authenticate consumers.

[Figure: Market Problem (Government) contrasted with The Solution (FCCX).]

Page 15:

FCCX Privacy Enhancing Broker

The FCCX privacy enhancing broker has unique security attributes:
•  Built to support citizen access to government services
•  Privacy considerations are paramount in design
•  Uses Identity Providers (IDPs) for authentication and basic attributes
•  Multi-protocol (SAML, OpenID, PKI)
•  Enables Attribute Providers (APs) to provide additional attributes to RPs

[Figure: Privacy Enhancing Broker.]

Page 16:

High Level Flow

[Figure: high level flow diagram.]

Page 17:

User-controlled attribute sharing

•  User provides consent to each attribute request
•  User control is granular

Page 18:

Attribute Exchange

Exchange enables end-user attribute exchange. For example, name, email and health record stored at the CP are delivered to the RP.

Exchange attribute consent policy can be tailored to a deployment:

•  Informed consent (display attribute values & names in an explicit page)
•  Release consent (display RP name & scope in an explicit page)
•  Implicit consent (display RP name & scope in the selector)
•  Disable consent (consent not managed by Exchange)

[Figure: three mock-up screens. Informed Consent: "By pressing allow you are consenting to release the following attributes to MyGov", listing John Doe, an email address (redacted in the transcript), 123 anytown Rd., June 10, 1975, with an Allow button. Release Consent: "By pressing allow you are consenting to release your demographics information to MyGov each time you sign-in", with an Allow button. Implicit Consent: "MyGov is requesting demographics information. Please select a sign-in partner to continue".]
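The four consent policies on this slide, as an added example that is not SecureKey code. A consent gate sits in the Exchange between the attributes a credential provider would deliver and the relying party (RP), and decides what the user is shown and whether the attributes may flow on this sign-in. The policy names and page texts come from the slide; that a release consent is remembered per (user, RP, scope) until a wider scope is requested, while informed consent is asked for on every release, is this example's own interpretation of "each time you sign-in". The sample attributes are constructed from the slide's mock-up (the e-mail address is invented).

```python
# Consent gating of attribute release in a broker (illustration, not SecureKey's code).
from dataclasses import dataclass
from typing import Optional

INFORMED, RELEASE, IMPLICIT, DISABLED = "informed", "release", "implicit", "disabled"


@dataclass
class Decision:
    released: Optional[dict]             # attributes delivered to the RP, or None
    page: Optional[str] = None           # text of an explicit consent page, if shown
    selector_note: Optional[str] = None  # text added to the sign-in-partner selector


class ConsentGate:
    """Applies the deployment's consent policy before attributes reach an RP."""

    def __init__(self, policy):
        if policy not in (INFORMED, RELEASE, IMPLICIT, DISABLED):
            raise ValueError(f"unknown consent policy {policy!r}")
        self.policy = policy
        self._grants = {}  # (app_user_id, rp) -> scopes with a standing release consent

    def evaluate(self, app_user_id, rp, scope, attributes, allow_pressed=False):
        """attributes: the values the CP would deliver for `scope` (never stored here)."""
        if self.policy == DISABLED:  # consent is handled outside the Exchange
            return Decision(released=dict(attributes))

        if self.policy == IMPLICIT:  # picking a partner on the selector is the consent
            return Decision(
                released=dict(attributes),
                selector_note=f"{rp} is requesting {scope} information. "
                              "Please select a sign-in partner to continue")

        if self.policy == RELEASE:
            granted = self._grants.setdefault((app_user_id, rp), set())
            if scope in granted:  # standing consent already covers this sign-in
                return Decision(released=dict(attributes))
            page = (f"By pressing allow you are consenting to release your {scope} "
                    f"information to {rp} each time you sign-in")
            if not allow_pressed:
                return Decision(released=None, page=page)
            granted.add(scope)  # assumption: remembered until the scope grows
            return Decision(released=dict(attributes), page=page)

        # INFORMED: show names and values, ask on every release, remember nothing
        lines = [f"By pressing allow you are consenting to release the following "
                 f"attributes to {rp}"]
        lines += [f"  {name}: {value}" for name, value in attributes.items()]
        return Decision(released=dict(attributes) if allow_pressed else None,
                        page="\n".join(lines))


# Constructed sample data modelled on the slide's mock-up (e-mail invented).
SAMPLE_ATTRIBUTES = {"name": "John Doe", "email": "john.doe@example.com",
                     "address": "123 anytown Rd.", "date_of_birth": "1975-06-10"}

if __name__ == "__main__":
    gate = ConsentGate(RELEASE)
    first = gate.evaluate("u1", "MyGov", "demographics", SAMPLE_ATTRIBUTES, allow_pressed=True)
    again = gate.evaluate("u1", "MyGov", "demographics", SAMPLE_ATTRIBUTES)
    print(first.page)
    print("second sign-in prompted:", again.page is not None)
```

The gate never keeps the attribute values themselves, only which scopes a user has already released to which RP, so tailoring the policy does not change what the Exchange stores. A request for a scope outside the standing grant falls back to an explicit page, which is the behaviour a practitioner should check when an RP later widens what it asks for.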

Page 19:

Why this approach?

Requirement: Enable 3rd party credential usage
Benefits:
•  Makes sign in faster
•  Improves adoption of online services
•  Reduces operational costs

Requirement: Privacy by Design
Benefits:
•  No 'honeypots' of sensitive information
•  Capable of triple-blinding: no party holds the complete picture of user and user actions

Requirement: User-controlled attribute sharing
Benefits:
•  User has fine-grained control over all attribute sharing

Requirement: Simple Integration using SAML2
Benefits:
•  Credential Provider integrates once to any number of federations

Requirement: SSO configuration
Benefits:
•  Enables SSO across all applications or subsets

Requirement: LOA management
Benefits:
•  Each application can have its own LOA requirements
•  LOA policies set at the federation level

Requirement: Use common credential standards (PIV, PIV-I, OpenID, SAML2)
Benefits:
•  Works for US & Canadian government credential schemes

Page 20:

Speaker Contact Information

Smart Card Alliance · 191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828 · www.smartcardalliance.org