Members of the research and education community within the United Kingdom regularly make use of various types of online services, including web-based e-resources, wireless network access, and cloud-based applications. Many of these services require authentication of a user's identity, and many additionally require the release of attributes relating to that identity for authorisation purposes. Access and identity management (AIM) technologies and services aim to fulfil this need for robust authentication and authorisation. Jisc either runs or is heavily involved with many major services offered to the UK R&E community in this space, such as eduroam, the UK federation, Moonshot, and the Janet Certificate Service. This group exists for those interested in AIM and trust and identity services to discuss the latest developments, keep track of goings-on, and participate in discussions about what the community needs in this area and what Jisc should be offering. (Note that eduroam, Moonshot, and the Janet Certificate Service have their own groups on this site for discussions specific to those technologies.) To learn more about Jisc's AIM services, you can see the slides and video of an overview given at Networkshop42.

Identity Assurance: enabling the secure delivery of online transactions and public services

6 November 2013 at 4:11pm

Not the snappiest title, but the Inside Government event "Identity Assurance: enabling the secure delivery of online transactions and public services" that I attended earlier this week was a really useful opportunity to find out what is happening in other parts of the public sector, and also to not be surrounded by the usual IdM suspects. Delegates were from a range of departments, local authorities and associated agencies including the Land Registry, Royal Mint, Met Office, DWP and MOJ. There was a mix of speakers, and probably the most relevant for readers here was the update from the Government Digital Service (GDS) ID Assurance Programme (IdAP) provided by Janet Hughes, Head of Policy & Engagement.

  • GDS is only interested in establishing someone is who they say they are.
  • Working with 25 'Exemplar Projects' - 25 of the biggest government services (out of 600) to redesign and rebuild to meet the Digital By Default Service Standard by April 2014 and be completed by March 2015. See http://gov.uk/transformation
  • We were shown a mock-up of what a citizen will see when attempting to register with an IdAP IdP on gov.uk, which included an image of a mortar board. I asked what academic services they are planning on providing access to and was told that Student Loans is the only related service so far.
  • Five of the eight framework IdPs have signed contracts for the first phase: Digidentity, Experian, Mydex, The Post Office, and Verizon. PayPal, Ingeus and Cassidian have decided not to participate in this phase; however, GDS is expecting them, along with banks and mobile companies, to take part in the next procurement phase next year. A decision on what the next procurement phase will look like will be made in January.
  • IdAP has no common identifier and no central database.
  • GDS is building and will run a document checking service for IdPs to enable them to check citizens' driving licences and passports.
  • SPs need to decide whether ID assurance is required and at what level. They also have to build a matching service.
  • The plan is to move from Beta to live in April 2014.
  • They plan to start working on Level 3 citizen ID next year.

One other interesting point was that, in the extensive user testing they've done, most users were unfamiliar with the concept of identity providers and thought that government already had all their data, so why couldn't they just get on and use it!

The next speaker was from the National Audit Office, reporting on the results of an Ipsos Mori poll of 3000 people on identity that they commissioned earlier this year. A surprising finding was that trust in government is higher than for online banking or shopping. Admittedly the poll was taken before the Prism and NSA revelations came out...

Next up was Peter Armstrong, Identity Assurance Technical Director, CESG, with an entertaining, if scary, talk. He started off by acknowledging the range of organisations represented, but said that one sector is always underrepresented at these events... Organised Crime. Criminals are very interested in what is coming with the Government IdA Programme and will be gearing up to attack and exploit it. He also said that industry research has shown that, on average, between 20 and 40% of endpoints contain malware.

Given all the bad stuff out there, Peter stated that an identity and account repair service is critical.

Although it was not mentioned directly, GDS has recently published some guidance to government on configuring mobile platforms for remote working, which has some relevance to this topic:

http://digital.cabinetoffice.gov.uk/2013/10/22/new-guidance-for-governme...

The final speaker I am going to mention is Ian Litton, Strategy Programme & Information Manager at Warwickshire County Council (WCC). WCC is in the final stages of an alpha project working with some of the IdAP IdPs, GDS and Ping Identity to test access to local authority services.

The project allows Warwickshire residents to use social media identities for certain level 1 services (e.g. reporting potholes), or a government ID from Mydex, PayPal or Verizon for level 2 services such as applying for a disabled parking bay. The project uses a combination of PingFederate server, WCC's LDAP, Ruby on Rails, GEM and a WCC matching service.

Although it was looked at, WCC decided to rule out upgrading social media identities to LOA2 IDs.

From the user testing, they were surprised to find that users did not like using social media IDs. Users don't want to mix social life and government, and thought Facebook would be able to see their government data and that the government would see their Facebook data. Another finding was that users, perhaps not surprisingly, selected an IdP they were more familiar with, so most chose PayPal rather than Mydex or Verizon. Brand awareness could be a big problem for some of the IdPs...

Two-factor authentication was also tested, with some users liking the extra security but others reporting that it was a faff! Again, echoing some previous comments, users questioned why private companies were involved - why isn't government doing this themselves?

Findings from this project will shortly be available on the OIX website [EDIT: a White Paper is now available at http://oix.mvine.com/networks/155/item.html?id=554] and the next step is to look at attribute enrichment and just-in-time provisioning - areas that will definitely be of interest based on recent conversations.