The idea of banks serving as digital gatekeepers for their customers' online pursuits has been kicked around a lot. In Canada, it's being put into practice.
Four of the top Canadian banks are now involved in a massive yet little publicized program called SecureKey Concierge, which lets users employ a single set of login credentials to access the banking and government websites they use.
The system, already processing more than 1 million transactions a month, shows a path that banks could follow in the United States, where the Postal Service has set a similar project in motion and is trying to drum up participation from financial institutions.
"We look at it as simplifying our customers' lives," says Charaka Kithulegoda, chief information officer of ING Direct, which joined the Canadian project at the end of November. "Now you don't have to remember three sets of credentials, you can use a single set of credentials."
A user going to a government website will receive a menu of authentication providers, including her bank. The provider she selects will present her with a security challenge and, if she passes, produce an anonymous security token. That token will be given to a network provider, which will reroute it back to the government agency that initiated the process.
The process is cloaked in a way that SecureKey refers to as "triple blind." The bank doesn't get to see the user's government destination, the government agency doesn't know what bank the user is coming from (and can't see any of the user's bank account details) and the network doesn't know who the user is, so none of the transaction participants has a complete picture of the user journey.
The setup hinges on the credential providersin Canada, this is ING Direct, Bank of Montreal, Scotiabank and TD Bankdoing their part in a highly reliable way.
Andre Boysen of SecureKey, the technology provider for the platform that the Concierge transaction hub runs on, says he hopes to get all the Canadian banks to join Concierge. He also wants participation from state and municipal governments, cable and utility providers and eventually e-commerce providers.
SecureKey also is running the credentials hub being developed in the United States, which aims to let U.S. consumers access many government websites, including healthcare.gov and irs.gov, with a single user-name-and-password combination.
The USPS, which is overseeing the program, is getting ready to take it live this year. So far it has eight credential providers, including Google, PayPal and Verizon. Boysen would like banks to join, too.
"We absolutely believe large U.S. banks need to be part of this service to make it go," he says. He would target the 10 largest banks first, then possibly try to work with a credit union association like CUNA.
Why would a financial institution want to get involved? Boysen cites three main reasons:
*Revenue. Governments will pay for authentication services that they can't provide simply because users visit their sites too rarely. (The going rate is about $2 per user per year.)
* Relationship stickiness. If a user's online credentials for many important websites are handled by the bank, unwinding the relationship will be a headache.
* New services. Credential management could lead to new service offerings for banks, which for example could start helping customers change utility companies after a move.