What if banks could act as digital gatekeepers, protecting all their customers' pursuits on the web? Instead of each consumer having 100 sets of user names and passwords to remember for all the websites he accesses for work and personal reasons, he could have just one, managed by his bank. It's a concept we've written about many times, but so far we've struggled to see how the industry could coalesce around one technology, one standard and one centralized hub for identity data.
A massive yet little-publicized project in Canada is essentially creating a bank-managed single sign-on (one user name and password) for all Canadians to use at the banking and government websites they visit. It shows a path U.S. banks could follow. In fact, a parallel project has already been set in motion by the U.S. Postal Service, and U.S. banks are encouraged to join.
Four Canadian banks are now acting as internet gatekeepers for their customers, including ING Direct, which joined last week, and founding members Bank of Montreal, TD Bank and Scotiabank. The program, called SecureKey Concierge, has been running for 18 months and processes more than a million transactions a month.
"The primary driver for us is giving our customers choice and convenience," says Charaka Kithulegoda, CIO of ING Direct. By letting customers use one set of credentials for both banking and government access, ING Direct expects customers to maintain fewer, higher-quality passwords than before.
"We look at it as simplifying our customers' lives," he says. "Now you don't have to remember three sets of credentials, you can use a single set of credentials."
The project is also aimed at helping the Canadian government improve its online service delivery, according to Andre Boysen, executive vice president at SecureKey, whose briidge.net platform the Concierge transaction hub runs on.
"Every web service out there has its own dedicated authentication architecture, used to find out if the user is the same person who showed up the first time we put them in the system," he says. "When the internet first came along, users had a handful of user IDs and passwords to manage. With the proliferation of apps, users now are dealing with 30 to even hundreds of IDs and passwords. No one can remember 100 passwords. Good internet hygiene says you should make your password long and hairy, it should be different across sites, and you should change it frequently. But of course, nobody does that because trying to manage 100 user names and passwords that way is quite difficult."
Boysen sees authentication becoming a centralized commodity like payments.
"In payment networks, I can take one payment card and go to any merchant on the planet and can buy goods from the merchant," he notes. "Yet on the internet, every destination calls for a special purpose credit card."
Consumers tend to remember their online banking passwords better than most other passwords they use. "It's the places you don't go as often that are the challenge for each of us as users," Boysen says.
If all goes according to plan, Canadian bank customers will eventually have one user name and password to gain entrance to most websites they use.
SecureKey runs the Concierge hub. The technical specification all participants use is Security Assertion Markup Language (SAML) 2.0, an XML-based open standard for exchanging authentication and authorization data between parties; OASIS began work on SAML in 2001 and ratified version 2.0 in 2005.
Using Concierge, a user arriving at a government website is shown a menu of credential providers, including her bank. The provider she selects authenticates her with its own security challenge (the same credentials she uses for online banking), and if she passes, it produces an anonymous SAML assertion. That assertion goes to the network provider, the Concierge hub, which relays it to the government agency that started the process.
If the selected credential provider has no record of the user, it offers enrollment on the spot, then issues a token for her and binds it to the newly created profile.
The process is anonymized in a way SecureKey calls "triple blind." The bank does not learn which government site the user is visiting; the government agency does not learn which bank the user came from, nor any of her account details; and the hub does not learn who the user is. No single participant therefore holds a complete picture of the user's journey.
"We didn't want to have consumers thinking that banks and government were creating joint profiles," Boysen says.
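The brokered flow and the "triple blind" property described above, as an added illustration that is not SecureKey's or briidge.net's code and makes no claim about how Concierge is actually implemented. It models the three parties in Python with stand-ins: a signed JSON document with SAML-like field names (issuer, name_id, audience, in_response_to, not_on_or_after) in place of a SAML 2.0 assertion, HMAC in place of XML signatures, and made-up party names, keys and a single constructed customer account. The one design choice that produces the blinding is the hub's re-keying of the subject: the bank asserts a keyed pseudonym rather than an account identifier, and the hub derives a different pseudonym for each destination agency before forwarding, so the bank's token names no agency, the agency's token names no bank, and the hub never learns the customer's identity. That derivation is this example's assumption; the article does not describe SecureKey's mechanism. The demo also exercises the checks a broker and a relying party must make on every token: signature, audience, expiry, a one-shot request id against replay, and a token presented to the wrong agency.

```python
"""Toy 'triple blind' SSO broker: agency -> hub -> bank -> hub -> agency. Constructed illustration,
not SecureKey/briidge.net code: signed JSON with SAML-like fields stands in for a SAML 2.0
assertion, HMAC for XML-DSig, and every party name, key and account below is made up."""
import hashlib
import hmac
import json
import secrets
import time

HUB_NAME = "hub"  # assumed issuer string for the broker

def sign(key: bytes, payload: dict) -> str:  # HMAC over canonical JSON, standing in for XML-DSig
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def verify(key: bytes, payload: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(key, payload), sig)

class Bank:
    """Credential provider: knows the customer, never learns the destination."""
    def __init__(self, name: str, hub_key: bytes):
        self.name, self.hub_key = name, hub_key      # hub_key is shared with the hub
        self.pseudonym_key = secrets.token_bytes(32)  # never leaves the bank
        self.customers = {}                           # login -> sha256(password)

    def issue(self, login: str, password: str, request_id: str):
        if self.customers.get(login) != hashlib.sha256(password.encode()).hexdigest():
            raise PermissionError("bad credentials")
        pseudonym = hmac.new(self.pseudonym_key, login.encode(), hashlib.sha256).hexdigest()  # not the account
        assertion = {"issuer": self.name, "name_id": pseudonym, "audience": HUB_NAME,
                     "in_response_to": request_id, "not_on_or_after": time.time() + 300}
        return assertion, sign(self.hub_key, assertion)  # no agency name appears anywhere

class Hub:
    """Broker: sees which bank and which agency, never who the user is."""
    def __init__(self):
        self.bank_keys, self.agency_keys = {}, {}   # party name -> key shared with it
        self.mapping_key = secrets.token_bytes(32)  # derives per-agency pseudonyms
        self.pending = {}                           # request_id -> agency that started it

    def start(self, agency_name: str) -> str:
        request_id = secrets.token_hex(8)           # the agency sends the user here first
        self.pending[request_id] = agency_name      # the hub, not the bank, remembers where
        return request_id

    def broker(self, assertion: dict, sig: str):
        bank = assertion.get("issuer")
        if bank not in self.bank_keys or not verify(self.bank_keys[bank], assertion, sig):
            raise PermissionError("assertion not from a registered bank")
        if assertion["audience"] != HUB_NAME or assertion["not_on_or_after"] < time.time():
            raise PermissionError("assertion not valid for the hub")
        agency = self.pending.pop(assertion["in_response_to"], None)  # one-shot: no replay
        if agency is None:
            raise PermissionError("unknown or replayed request id")
        # Pseudonym scoped to (agency, bank, bank pseudonym): stable per agency, unlinkable across agencies.
        scoped = hmac.new(self.mapping_key, f"{agency}|{bank}|{assertion['name_id']}".encode(),
                          hashlib.sha256).hexdigest()
        out = {"issuer": HUB_NAME, "name_id": scoped, "audience": agency,
               "not_on_or_after": assertion["not_on_or_after"]}  # bank name dropped
        return out, sign(self.agency_keys[agency], out)

class Agency:
    """Relying party: gets a stable pseudonym per user, never sees the bank."""
    def __init__(self, name: str, hub_key: bytes):
        self.name, self.hub_key = name, hub_key

    def consume(self, assertion: dict, sig: str) -> str:
        if assertion.get("issuer") != HUB_NAME or not verify(self.hub_key, assertion, sig):
            raise PermissionError("assertion not from the hub")
        if assertion["audience"] != self.name or assertion["not_on_or_after"] < time.time():
            raise PermissionError("assertion not meant for this agency")
        return assertion["name_id"]

def login(user: str, password: str, bank: Bank, hub: Hub, agency: Agency) -> dict:
    request_id = hub.start(agency.name)
    bank_assertion, bank_sig = bank.issue(user, password, request_id)
    hub_assertion, hub_sig = hub.broker(bank_assertion, bank_sig)
    return {"pseudonym": agency.consume(hub_assertion, hub_sig), "bank_saw": bank_assertion,
            "bank_sig": bank_sig, "agency_saw": hub_assertion, "hub_sig": hub_sig}

def demo() -> dict:
    bank_key, key_a, key_b = (secrets.token_bytes(32) for _ in range(3))
    bank, hub = Bank("Example Bank", bank_key), Hub()
    bank.customers["alice"] = hashlib.sha256(b"correct horse battery").hexdigest()
    tax, benefits = Agency("Tax Agency", key_a), Agency("Benefits Agency", key_b)
    hub.bank_keys, hub.agency_keys = {bank.name: bank_key}, {tax.name: key_a, benefits.name: key_b}
    first, second, other = (login("alice", "correct horse battery", bank, hub, a)
                            for a in (tax, tax, benefits))
    checks = {"stable_at_one_agency": first["pseudonym"] == second["pseudonym"],
              "unlinkable_across_agencies": first["pseudonym"] != other["pseudonym"],
              "bank_saw_destination": tax.name in json.dumps(first["bank_saw"]),
              "agency_saw_bank": bank.name in json.dumps(first["agency_saw"])}
    for label, attempt in [("replay", lambda: hub.broker(first["bank_saw"], first["bank_sig"])),
                           ("misdirected", lambda: benefits.consume(first["agency_saw"], first["hub_sig"]))]:
        try:
            attempt()
            checks[label + "_rejected"] = False
        except PermissionError:
            checks[label + "_rejected"] = True
    return checks
```

Calling `demo()` returns a dict of booleans: the pseudonym is stable across two logins to the same agency and differs between agencies, neither the bank's nor the agency's view of the token names the other party, and both the replayed assertion and the assertion presented to the wrong agency are refused. The keys the hub shares with each bank and each agency are what a real deployment would replace with X.509 certificates and XML signatures.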
The whole setup hinges on the credential providers (in Canada, the banks) doing their job reliably, both when they enroll a customer and every time they authenticate one.
"A bank like Wells Fargo has a relationship with you, they've met you in person, they've enrolled you meeting KYC standards," Boysen says. "Wells Fargo knows really well who you are."
Boysen hopes to get all the Canadian banks to join Concierge, as well as provincial and municipal governments, cable and utility providers and eventually e-commerce providers.