2Keys provides IAM services to Canadian governments and financial institutions. This talk will cover recent progress in the use of identity attributes to provide secure access for external users to entitlements and online services using ForgeRock technologies, as well as recent developments at the Digital ID and Authentication Council of Canada (DIACC).
I suspect not many of you have heard of 2Keys, so I’ll give a brief introduction, then I thought I would start with the 10,000 foot view of the federal government’s strategy for a digital Canada, followed by details on a relatively new organization aimed at growing the digital identity space in Canada. I’ll also talk about the current state, introduce the emerging Pan-Canadian identity standards, walk through a proof of concept related to identity validation, and finish with an overview of what’s coming next.
Digital Canada 150 represents a comprehensive approach to ensuring Canada can take full advantage of the opportunities in the digital age.
Memory Project
- Creating a digital online record of the stories from our war veterans.
Publicly launched in May of 2014, when they opened their doors to new members.
When a user accesses a protected resource, they are presented the chooser page to select their authentication method.
You’ll notice the *: while the service is privacy protecting, it does limit the authentication context available to the CSPs. For example, the CSP can still monitor the velocity of authentication requests, but without knowing the source it can’t tell the difference between an error at one relying party causing the user to re-attempt the login and a compromised account where the attacker is trying to hijack accounts at as many services as he can.
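To make the point concrete, here is an added example (not code from the talk or from 2Keys) of a simple velocity monitor at the CSP run over constructed authentication records: with the relying party visible, a retry burst at one service and a fan-out of the same credential across many services separate cleanly; once the broker strips the relying party, both bursts collapse into the same indistinguishable bucket. Account and service names are placeholders.

```python
# Added example: velocity monitoring at a credential service provider (CSP)
# behind a privacy-protecting broker. All records are constructed.
from datetime import datetime, timedelta

BASE = datetime(2014, 9, 1, 10, 0, 0)

def make_events(rps):
    """One account authenticating once every 15 s, once per RP name given.
    The CSP step succeeds each time; the RP-side error described in the talk
    happens after the CSP has already issued its assertion."""
    return [{"account": "u1", "ts": BASE + timedelta(seconds=15 * i), "rp": rp}
            for i, rp in enumerate(rps)]

# Case 1: one RP keeps failing, so the user retries that service eight times.
RETRY_AT_ONE_RP = make_events(["service-a"] * 8)
# Case 2: the same credential is used against eight different services.
FAN_OUT = make_events([f"service-{c}" for c in "abcdefgh"])

def broker_view(events):
    """What the CSP actually receives: the broker strips the relying party."""
    return [dict(e, rp=None) for e in events]

def velocity(events, window=timedelta(minutes=5)):
    """Attempts and set of RPs per account inside a window ending at the
    latest event. rp=None collapses every source into one unknown value."""
    if not events:
        return {}
    cutoff = max(e["ts"] for e in events) - window
    stats = {}
    for e in events:
        if e["ts"] < cutoff:
            continue
        s = stats.setdefault(e["account"], {"attempts": 0, "rps": set()})
        s["attempts"] += 1
        s["rps"].add(e["rp"])
    return stats

def classify(s, threshold=5):
    """Velocity verdict for one account's stats."""
    if s["attempts"] < threshold:
        return "normal"
    if None in s["rps"]:
        return "high_velocity_source_unknown"  # broker hid the RP: cannot separate the cases
    if len(s["rps"]) > 1:
        return "fan_out_many_rps"             # one credential, many services: hijack pattern
    return "retry_burst_single_rp"            # repeated attempts at one RP: likely an RP error

if __name__ == "__main__":
    for name, ev in [("retry", RETRY_AT_ONE_RP), ("fan-out", FAN_OUT)]:
        print(name, classify(velocity(ev)["u1"]), "->", classify(velocity(broker_view(ev))["u1"]))
```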
GCKey is an anonymous credential, where the user has complete control over creation and revocation. There is a sense of ownership.
Many users are non citizens without Canadian bank accounts.
Users may not be customers of one of the five supported financial institutions
Financial credentials are not applicable to business related online services such as Record of Employment and eManifest
In Canada, there is not a strong relationship between financial institutions and the government; there is a tendency to use native credentials for native purposes
- The second reason (my reason) is there isn't a natural trust relationship between the banks and the government. (Some cynics would argue neither can be trusted!) The federation isn't natural, not in the way that InCommon/CAF is natural to higher education. My belief is that there must be a natural circle of trust, perhaps even when the credential is the only thing being federated (and in an anonymous way). This solution is missing that. A more natural federation might be with provincial gov't credentials/identities, and perhaps that is in the works with recent developments in BC.
And given that identity proofing must be repeated by each gov't agency, there are insufficient convenience motivations to overcome the lack of natural trust and use the partner sign-in. Getting a GCKey is a mild pain (one time) but once you have it why would you change? Easy recall of the more frequently used credential (from your bank) is the only reason and likely insufficient.
3rd party CSPs are susceptible to social engineering breaches. There are many examples of breaches at banks and telcos by social engineering attacks through the service desks. Not sure how this could be done with GCKey: no PII is available at the service desk. There is at the department level, but they have no access to the credential.
There is consideration being given to adding telcos as credential providers. In Canada, the major telcos are also in the television business. To access TV shows online, many networks now require you to authenticate with your provider’s credential to gain access to premium content. My kids are the biggest users of this, so they know the credential, and guess what? So do their friends. So while the technical implementation of the credential provider may meet the LOA 2 requirements, the value the user attaches to that credential is very low. You get a mismatch in value. The same is true with banking credentials, except it’s the inverse. I attach more value to the credential, and don’t want to use it for anything but banking.
Personal Information
- Information about an identifiable person
Identity Information
- Sufficient to ensure uniqueness within a service
- Minimal set of attributes required by the service
Identifier
- Minimal set of attributes to ensure uniqueness
Identity
- Collection of attributes about a unique entity
Assigned Identifier
- Generated unique identifier linked to an identity
The final piece of the proof of concept dealt with real-time user notifications. This utilized the 2Keys Transaction Verification Service and the 2Keys Smart Token mobile application. When a request is received, a real-time push notification message is sent to the mobile app; the user is presented with the details and asked to approve or decline the request. We believe this service will be a great companion for a UMA authorization server. Consider the classic Alice-to-Bob sharing use case: now Alice does not need to pre-provision the sharing policy, she can approve it in real-time when Bob is ready to use the data.
Distributed does not preclude the use of shared resources among jurisdictions; it does not require full distribution. Jurisdictions can collaborate and share costs.
The distributed model will allow the CDI to grow over time. Some jurisdictions will lead, others will wait and watch. This follows the model of the API economy.