Sunday, June 22, 2003

Authentication Hoops

David Hewson, writing in this week's Sunday Times, is understandably frustrated about how hard it is to use online services - both government and private sector. Today's targets are the online VAT service and the Royal Bank of Scotland's own online service. It's a shame that three years on we are all still struggling to get this right.

There's nothing inherently wrong with the VAT service - it works fine, but you do need a digital certificate. They cost money though, because, something like four years ago, government (rightly probably) opted to let the market establish digital certificates, expecting that banks and other online services would issue them to their clients and that government would ride someone else's wave. It hasn't worked out that way - as noted by RBS' apparent inability to accept one of their own certificates as a login token.

I've written (and been quoted) about my views on certificates before - they are cumbersome and technically difficult to get working. It might have worked, but only if more services needed them (and not just government services but banks, stock traders and so on) and if greater usage had encouraged the suppliers to sort the technical issues (they just barely work on Netscape and IE, as long as you have Windows, and not at all on Mac or Linux-based systems). They were on life support nearly a year ago (see my comments to The Register) and won't make it in their current incarnation. Still, it was a good try - and out of a failure ought to come a replacement that addresses the issues and gets it right.

What David is hinting at though in this article is some kind of cross trust process. That is, your bank trusts you and I (government) trust your bank, so you should be able to access both services easily. This is kind of the Liberty model (or maybe even MS Passport), although that's not how it is all working now. There is no offline cross trust equivalent today.

I am talking to a mortgage company right now, trying to set up a private pension and opening a new bank account (and a trading account) for the same pension. All of them want to see my passport (the original), proof of address (another original bill) and prior bank statements. If there was a network of trust here, then I could get one of them (probably my own bank) to vouch for me and everyone else would be ok. But that's not there today. And if it's not there in the offline world, getting it in the online world is going to be even harder.

That's one of the reasons why we set up the government gateway - so that there'd be only one login token needed in government. So, if David does get his digital certificate, it will work fine for sending in PAYE or filing IACS grants to DEFRA (not that he's a farmer, I'm sure). But, from little acorns and all that.

Over the last three years or so I've proposed (and seen rejected, usually for pretty good reasons) several ways of getting the trust side of the deal sorted:

- Trust network. I wanted to strike some deals with the online banks where their implicit trust of someone who had an account with them would allow us, as government, to in turn trust the account holder. So the userid you had for the bank would allow you access to, say, Self Assessment. The flaw is that you'd still need to know your government userid/password because not all services would be available via the bank, you might not want your bank to know what you're up to and there'd certainly be some complicated session management - all capable of being solved but the time was not right.
- Green shield stamps reborn. I thought this might have worked. The idea was that you'd have a "trust score" based on the source of your original authentication and augmented by the services you used. So, sending in a Self Assessment online would increment the score. Paying money to government is obviously less risky than the other way round, so it takes a higher trust score to get benefit payments online. Once you start getting benefits, the score probably has to be decremented (to reduce the fraud risk) - so you have to maintain it by continuing to send in other transactions. The flaw, of course, is that someone due benefit can't claim right away (if they have no known history of online transactions) although this could have been circumvented with a higher degree of upfront validation.
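
The "trust score" scheme described above, as an added Python illustration that is not part of the original post. The enrolment sources, starting scores, thresholds and score changes are all assumed values, chosen only to show the cold-start flaw and the effect of stronger upfront validation.

```python
# Added illustration of the "trust score" idea; every number here is assumed.

# Assumed starting score by how the identity was first established.
ENROLMENT_SCORE = {
    "self_registered": 10,       # userid/password chosen online
    "bank_vouched": 30,          # a bank vouches for the account holder
    "in_person_documents": 60,   # original passport and bills checked
}

# Assumed per-service policy: (score required, change to score after use).
# Paying government is lower risk than being paid by it, so it needs less trust.
SERVICES = {
    "self_assessment": (10, +15),   # money flows to government: builds trust
    "vat_return": (10, +15),
    "benefit_payment": (50, -20),   # money flows out: spends trust
}


class Account:
    def __init__(self, enrolment):
        self.score = ENROLMENT_SCORE[enrolment]
        self.history = []  # (service, allowed, score afterwards)

    def request(self, service):
        """Allow the transaction only if the current score meets the
        service's threshold, then adjust the score for the next request."""
        required, delta = SERVICES[service]
        allowed = self.score >= required
        if allowed:
            self.score = max(0, self.score + delta)
        self.history.append((service, allowed, self.score))
        return allowed


if __name__ == "__main__":
    newcomer = Account("self_registered")
    print("cold start claim:", newcomer.request("benefit_payment"))
    for _ in range(3):
        newcomer.request("self_assessment")
    print("after three returns:", newcomer.request("benefit_payment"))
    print("second claim, score now spent:", newcomer.request("benefit_payment"))

    validated = Account("in_person_documents")
    print("validated upfront:", validated.request("benefit_payment"))
```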

