Authentication Rod Matthews 30 September 2009


Page 1: Authentication  Rod Matthews 30 September 2009

Authentication

Rod Matthews

30 September 2009

Page 2: Authentication  Rod Matthews 30 September 2009

Presentation Agenda

1) DWP Government Gateway (Slides 2-5)

2) Government Policy (Slide 6)

3) Remote Authentication (Slides 7-11): Good, Bad, Different

4) A Changing Landscape (Slide 12)

Page 3: Authentication  Rod Matthews 30 September 2009

Access to Public Services (Remote Access)

Government Gateway

[Diagram: xGovernment Enterprise Architecture. Labels follow.]

Strategy; Channel Services; Integrated Services; Process Services; Information Services; Infrastructure Services; Service Management; Security Services; Local Application Services

GG+ Alerts; GG+ Secure Email; GG Transaction Orchestration; GG Secure Transaction Engine; GG Strong Authentication; GG Common White label UI; GG+ Payment Engine

Common Infrastructure Services

Safeguarding Identity; e.g. Champion Assets; e.g. Transformational Government

Page 4: Authentication  Rod Matthews 30 September 2009

Access to Public Services (Remote Access)

Common Infrastructure Government Gateway

Identity and Verification Engine: ID&V Hub / Broker

17m Service Users

90 Authenticated eServices

Remote Authentication

• Citizens

• Businesses

• Government Employees

• EU & Foreign Nationals

Secure Data Transfer

Payment Engine

Secure eMail

Alerts

Transaction Engine

Gateway+

Page 5: Authentication  Rod Matthews 30 September 2009

Government Gateway Take-up

[Charts, years 02/03 to 08/09. Panels: Submission Volumes Monthly (April to March); SOAP / GUI Access (April to March); e-Payment Brokering Service; SOAP / GUI Growth.]

Page 6: Authentication  Rod Matthews 30 September 2009

Safeguarding Identity Strategy

Government Policy

The Safeguarding Identity Strategy (published on 23 June) contains 15 Actions:

• AtPS is leading Actions 6 & 7 in evidencing the shape and implications of a Shared Service to provide xGov Remote Authentication to e-Services

• AtPS also leads Actions 4 & 5, which define a trusted set of identity credentials and their convergence across government

• AtPS contributes to other Actions, for example (11), the facility to repair a compromised identity, and (13), which enables avoidable contact through linking services by consent

• AtPS is aligned and coordinated with the DWP Change Programme and Identity Programme, and is enabled by shared resources with IPS and Directgov

• DCSF lead on the issue of Employee Authentication, working collaboratively with the Government Gateway

• AtPS reports to the Safeguarding Identity Steering Group, chaired by Sir David Normington

http://www.ips.gov.uk/cps/rde/xchg/ips_live/hs.xsl/1151.htm

Delivering the objectives is a work-in-progress – this presentation is not policy

Page 7: Authentication  Rod Matthews 30 September 2009

Bad……

Authentication

Currently: the provision of authentication facilities is fragmented and will not enable citizen-centric services (e.g. Directgov, TUO)

• Departments have implemented, and may act independently in providing, remote credentials,

• these require individual support and maintenance facilities and have different lifecycles,

• this means multiple credentials, inconvenience and likely confusion for the Citizen, and;

• the supplier and technology communities find this difficult to engage with effectively

A fragmented approach is a more costly approach

[Graphic labels: 12456; Mum's maiden name; My date of birth]

Page 8: Authentication  Rod Matthews 30 September 2009

The Challenge with Credentials

Authentication

• Normal credentials cannot be used for remote authentication (without enhancement):

  - a remote credential must be ‘presented’ via reader hardware and/or network which government may not trust (e.g. home PC)

  - as currently planned, the UK ID card (even if politically endorsed) will not enable remote authentication without additional readers

• New remote credentials will be required in addition to the ID card:

  - CESG anticipate that ‘Shared Secret’ solutions will be increasingly compromised around 2012

  - DWP would not require its customers to enrol in the NIR and purchase an identity card

• Decisions on selection and provision of remote credentials to citizens must be driven by clear business objectives:

  - balance cost, integrity and usability for specific user group abilities and usage

  - failure to achieve this will lead to rejection of remote channels

• The introduction of new remote credentials may also require new infrastructure, plus process costs of re-enrolment:

  - there is no remote credential strategy in government (or DWP) to provide:

    • multiple credentials to enable different user groups

    • a succession plan for credentials that become compromised

  - failure to maintain suitable credentials will compromise secure delivery of public services

• However, the private sector faces similar challenges:

  - government should seek opportunities to share cost and risk, and to improve citizen experience, through collaboration and partnership

Page 9: Authentication  Rod Matthews 30 September 2009

Authentication Trust……

Bronze Identity: Open Identity; Foreign National

Bronze Credential: ID & Pwd + Challenge; ID & Password

Bronze+ Credential: ID & Pwd + (Challenge); ID & Password

Bronze Service: Level 1 services

Silver Identity: DWP CISx; Departmental Case System; Verified EU; Private (e.g. Banking) Sector

Silver Credential: Chipped UK Gov Card + PIN + C/R; Chipped Bank Card + PIN + C/R; Memorable Information (C/R); EU State Chipped ID Card

Silver+ Credential: Chipped UK Gov Card + PIN + C/R; Chipped UK Gov Card + PIN; Chipped Card and PIN; Memorable Information (C/R)

Silver Service: Level 2 services

Gold Identity: National Identity Register

Gold Credential: UK ID Card with Biometric; UK ID Card; Chipped UK Gov ID Card

Gold Services: Level 3 services

Page 10: Authentication  Rod Matthews 30 September 2009

Good……

Authentication

A Shared Service can encourage departments to use, support and sustain the preferred ‘pool’ of credentials and therefore foster convergence or reduction of Public sector provided credentials.

This in turn enables rapid deployment, seamless convergence, lower cost access, improved citizen experience and greater convenience.

AtPS proposed a shared service solution (built on the Government Gateway) that allows multiple remote credentials to be used interchangeably to access a range of Public Services based on the strength of the remote credential, integrity of the identity, and the authentication level required for access to each service.

The Shared Service provides the vehicle to coordinate the policy, participation, risk management and funding perspectives, and enable a cross-government Governance perspective.

[Diagram labels: Pool of Credentials; Shared Service (Gateway Authentication Broker)]
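The broker decision described on this slide, sketched as an added example that is not part of the original presentation. Only the Bronze/Silver/Gold tiers and Level 1-3 services come from the slides; the credential keys, their tier assignments, the weakest-link rule and the `retire` step (standing in for the credential succession plan) are assumptions.

```python
from enum import IntEnum

class Trust(IntEnum):
    BRONZE = 1
    BRONZE_PLUS = 2
    SILVER = 3
    SILVER_PLUS = 4
    GOLD = 5

# Assumed reading of the trust slide: tier names are from the deck, the
# credential keys and their exact tier assignment are illustrative only.
CREDENTIAL_POOL = {
    "id_password": Trust.BRONZE,
    "id_password_challenge": Trust.BRONZE_PLUS,
    "chipped_bank_card_pin_cr": Trust.SILVER,
    "chipped_gov_card_pin_cr": Trust.SILVER_PLUS,
    "uk_id_card_biometric": Trust.GOLD,
}
SERVICE_LEVEL = {1: Trust.BRONZE, 2: Trust.SILVER, 3: Trust.GOLD}

class Broker:
    def __init__(self, pool=CREDENTIAL_POOL):
        self.pool = dict(pool)
        self.retired = set()

    def retire(self, credential):
        """Succession: stop accepting a compromised credential type."""
        self.retired.add(credential)

    def acceptable(self, identity, level):
        """Pool credentials that would satisfy `level` for this identity."""
        need = SERVICE_LEVEL[level]
        if identity < need:  # identity integrity caps what any credential can reach
            return []
        return sorted(c for c, t in self.pool.items()
                      if t >= need and c not in self.retired)

    def decide(self, identity, credential, level):
        """Return (granted, step_up_options); unknown or retired credentials fail closed."""
        tier = self.pool.get(credential)
        if tier is None or credential in self.retired:
            return False, self.acceptable(identity, level)
        effective = min(identity, tier)  # assumption: the weakest link decides
        if effective >= SERVICE_LEVEL[level]:
            return True, []
        return False, self.acceptable(identity, level)
```

Because services state only the level they need, retiring one credential type changes the broker's answer without touching any service.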

Page 11: Authentication  Rod Matthews 30 September 2009

Different……

Authentication

[Diagram labels follow.]

Tell-Us-Once; Surf; Records Matching; Case Based Reasoning; 1:M (Workflow); Self Service & Avoidable Contact

Shared Service (Gateway Authentication Broker)

Pool of Credentials

Point of Contact

Choices; Reduced Credentialing; Minimised Redundancy

Trust (Bronze, Silver, Gold)

1:1

Page 12: Authentication  Rod Matthews 30 September 2009

Direction of Travel……

A clear Credential Strategy

Trust convergence for Departments, Directgov and Tell-Us-Once

Matches the drive to single entry points for Gov Services (Directgov)

Maximising what can be done once within the perimeter (Tell-Us-Once)

Social Inclusion and customer convenience in the e-channel

Reaching out to high transactors (vulnerable groups)

Minimising the overhead for inexperienced e-tourists

Maximising self-service, via the e-channel

Minimises e-service up-front deployment costs

Minimises credential dependency – enables rolling ‘renewal’

Sets a landscape for Public / Private Sector coalescence – potentially partnership

Page 13: Authentication  Rod Matthews 30 September 2009

Questions

Rod Matthews

30 September 2009

http://informationcard.net/blog/open-identity-initiative-2009-09-09

http://digitaldebateblogs.typepad.com/digital_identity/2009/09/katie-davis-ips.html