What if banks could act as digital gatekeepers, protecting all their customers' pursuits on the web? Instead of each consumer having 100 sets of user names and passwords to remember for all the websites he accesses for work and personal reasons, he could have just one, managed by his bank. It's a concept we've written about many times, but so far we've struggled to see how the industry could coalesce around one technology, one standard and one centralized hub for identity data.
A massive yet little-publicized project in Canada is essentially creating a bank-managed single sign-on (user name and password) for all Canadians to access the banking and government websites they use. It shows a path U.S. banks could follow. In fact, a parallel project has already been set in motion by the U.S. Postal Service and U.S. banks are encouraged to join.
Four Canadian banks are now acting as internet gatekeepers for their customers, including ING Direct, which joined last week, and founding members Bank of Montreal, TD Bank, and ScotiaBank. The program, called SecureKey Concierge, has been running for 18 months and processes more than a million transactions a month.
"The primary driver for us is giving our customers choice and convenience," says Charaka Kithulegoda, CIO of ING Direct. By letting customers use one set of credentials for banking and government access, ING Direct will help customers maintain fewer, higher quality passwords than before.
"We look at it as simplifying our customers' lives," he says. "Now you don't have to remember three sets of credentials, you can use a single set of credentials."
The project is also aimed at helping the Canadian government improve its online service delivery, according to Andre Boysen, executive vice president at SecureKey, the technology provider for the platform the Concierge transaction hub runs on, briidge.net.
"Every web service out there has its own dedicated authentication architecture, used to find out if the user is the same person who showed up the first time we put them in the system," he says. "When the internet first came along, users had a handful of user IDs and passwords to manage. With the proliferation of apps, users now are dealing with 30 to even hundreds of IDs and passwords. No one can remember 100 passwords. Good internet hygiene says you should make your password long and hairy, it should be different across sites, and you should change it frequently. But of course, nobody does that because trying to manage 100 user names and passwords that way is quite difficult."
Boysen sees authentication becoming a centralized commodity like payments.
"In payment networks, I can take one payment card and go to any merchant on the planet and can buy goods from the merchant," he notes. "Yet on the internet, every destination calls for a special purpose credit card."
Consumers tend to remember their online banking passwords better than most other passwords they use. "It's the places you don't go as often that are the challenge for each of us as users," Boysen says.
If all goes according to plan, Canadian bank customers will eventually have one user name and password to gain entrance to most websites they use.
SecureKey runs the Concierge hub. The technical specification all participants use is Security Assertion Markup Language (SAML) 2.0, an XML-based open standard data format for exchanging authentication and authorization data between parties that's been around since 2001.
Using Concierge, the user going to a government website will receive a menu of authentication providers, including her bank. The provider she selects will present her with a security challenge, and if she passes, produce an anonymous security token based on SAML. That token will be given to a network provider, which will reroute it back to the government agency that initiated the process.
If the security credential provider doesn't recognize the user, it will offer online enrollment right there, create a token for the user and bind it to that person's profile.
The process is anonymized in a way that SecureKey refers to as "triple blind." The bank doesn't get to see the user's government destination, and the government agency doesn't get to see what bank the user is coming from or his bank account details. The network also doesn't know who the user is, so none of the transaction participants has a complete picture of the user journey.
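The brokered exchange described in the preceding paragraphs (agency, hub, bank) can be modelled end to end. The following is an added example, not SecureKey's, the banks' or any agency's code: it stands in for signed SAML 2.0 XML with JSON assertions signed by HMAC over pairwise shared keys, and every party name, key and user account in it is constructed. It shows how each hop carries only what its recipient needs, so the bank never learns the agency, the agency never learns the bank, and the hub only ever handles pseudonyms.

```python
"""Toy model of a triple-blind brokered login in the SAML style.

Added example, not code from SecureKey, the banks or any government agency.
Three parties: a bank (credential provider), a hub (the network) and a government
agency (relying party).  Assertions are JSON dicts signed with HMAC over keys each
pair shares; a real deployment exchanges signed SAML 2.0 XML.  Every name, key and
user account below is constructed for the example.
"""
import hashlib
import hmac
import json
from typing import Optional


def sign(key: bytes, payload: dict) -> str:
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def verify(key: bytes, assertion: dict) -> bool:
    return hmac.compare_digest(sign(key, assertion["payload"]), assertion["sig"])


def pseudonym(secret: bytes, *parts: str) -> str:
    # Pairwise identifier: stable for the same inputs, unlinkable across destinations.
    return hmac.new(secret, "|".join(parts).encode(), hashlib.sha256).hexdigest()[:32]


def mentions(obj, token: str) -> bool:
    """True if `token` appears anywhere in the serialised message (used to check blindness)."""
    return token in json.dumps(obj, sort_keys=True)


class Bank:
    """Credential provider. Sees the user, never sees the destination agency."""

    def __init__(self, name: str, hub_key: bytes, users: dict):
        self.name, self.hub_key, self.users = name, hub_key, users
        self.secret = hashlib.sha256(b"constructed-bank-secret-" + name.encode()).digest()
        self.requests_seen = []

    def authenticate(self, request: dict, username: str, password: str) -> Optional[dict]:
        self.requests_seen.append(request)
        if self.users.get(username) != password:  # toy credential check, constructed accounts
            return None
        payload = {"issuer": self.name, "audience": request["hub"],
                   "in_response_to": request["id"],
                   "name_id": pseudonym(self.secret, username, request["hub"])}
        return {"payload": payload, "sig": sign(self.hub_key, payload)}


class Hub:
    """The network. Sees bank and agency names, never a real user identity."""

    def __init__(self, name: str, bank_keys: dict, agency_keys: dict):
        self.name, self.bank_keys, self.agency_keys = name, bank_keys, agency_keys
        self.secret = hashlib.sha256(b"constructed-hub-secret").digest()
        self.counter = 0

    def start_login(self) -> dict:
        # Bank-facing request: the agency that initiated the login is not named.
        self.counter += 1
        return {"id": f"req-{self.counter}", "hub": self.name}

    def broker(self, bank_name: str, bank_assertion: dict, agency: str) -> Optional[dict]:
        if not verify(self.bank_keys[bank_name], bank_assertion):
            return None
        inner = bank_assertion["payload"]
        if inner["audience"] != self.name or inner["issuer"] != bank_name:
            return None
        # Agency-facing assertion: issued by the hub, carries a per-agency pseudonym only.
        payload = {"issuer": self.name, "audience": agency,
                   "name_id": pseudonym(self.secret, bank_name, inner["name_id"], agency),
                   "assurance": "credential-provider-authenticated"}
        return {"payload": payload, "sig": sign(self.agency_keys[agency], payload)}


class Agency:
    """Relying party. Receives a pseudonym it can bind to a local profile."""

    def __init__(self, name: str, hub_key: bytes):
        self.name, self.hub_key = name, hub_key

    def accept(self, assertion: Optional[dict]) -> Optional[str]:
        if assertion is None or not verify(self.hub_key, assertion):
            return None
        if assertion["payload"]["audience"] != self.name:
            return None
        return assertion["payload"]["name_id"]


def build_demo():
    bank_key, tax_key, health_key = b"k-bank", b"k-tax", b"k-health"  # constructed shared keys
    hub = Hub("hub", {"ExampleBank": bank_key}, {"tax": tax_key, "health": health_key})
    bank = Bank("ExampleBank", bank_key, {"alice": "correct horse", "bob": "pw"})
    agencies = {"tax": Agency("tax", tax_key), "health": Agency("health", health_key)}
    return hub, bank, agencies


def login(hub: Hub, bank: Bank, agency: Agency, username: str, password: str) -> Optional[str]:
    """Full exchange agency -> hub -> bank -> hub -> agency; returns the agency-side pseudonym."""
    request = hub.start_login()
    bank_assertion = bank.authenticate(request, username, password)
    if bank_assertion is None:
        return None
    return agency.accept(hub.broker(bank.name, bank_assertion, agency.name))


if __name__ == "__main__":
    hub, bank, ag = build_demo()
    print(login(hub, bank, ag["tax"], "alice", "correct horse"))
```

The two pseudonym layers are what make the scheme work: the bank's identifier is scoped to the hub, so the hub cannot tell who the user is, and the hub's identifier is scoped to one agency, so two agencies cannot correlate the same person while each still sees a stable value it can bind to its own profile (the enrolment-and-bind step described above).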
"We didn't want to have consumers thinking that banks and government were creating joint profiles," Boysen says.
The whole setup hinges on the credential providers, which in Canada are the banks, doing their job in a highly reliable way.
"A bank like Wells Fargo has a relationship with you, they've met you in person, they've enrolled you meeting KYC standards," Boysen says. "Wells Fargo knows really well who you are."
Boysen hopes to get all the Canadian banks to join Concierge, as well as state and municipal governments, cable and utility providers and eventually e-commerce providers.
"It's important to have sufficient utility for consumers," Boysen observes. "Most people don't want a single-purpose credit card, they want a card that can be used in multiple destinations, so we need to make sure we add more destinations for users to get to."
In the U.S., a similar hub is being created called the Federal Cloud Credential Exchange. The U.S. Postal Service is overseeing it and this fall chose SecureKey to run the credentials hub.
U.S. consumers will have one user name and password with which to access many branches of government, including healthcare.gov and the IRS.
The USPS is getting ready to take this live in the new year. The eight initial credential providers, approved under FICAM (the Federal Identity, Credential and Access Management program), include Verizon, PayPal, Google, and others.
Boysen would like banks to join this list.
"We absolutely believe large U.S. banks need to be part of this service to make it go," he says.
He would target the ten largest banks first, then possibly try to work with a credit union association like CUNA.
Why would a financial institution want to get involved?
For one thing, there's money in it, Boysen says. Governments are willing to pay for authentication services that they can't provide simply because users visit their sites too rarely. The going rate is about $2 per user per year.
Another driver is relationship stickiness: if a user's online credentials for many important websites are handled by his bank, unwinding that bank relationship will be a headache.
A third reason is a bank could provide new services based on its credential management, such as helping customers shift their business to new utility companies when they move.
Boysen insists that providing credentials for external websites does not increase risk for banks. Over time, he believes banks will use device recognition to strengthen authentication security. He's not unbiased; SecureKey also provides device recognition. "The bank will have higher confidence that it's really me because I will have enrolled the devices I use every day to bank," he says.
Devices will start having built-in security stacks, Boysen says. "Eventually users will be able to pair their device with their bank and the bank will get high assurance that it's really me because of the device I've enrolled."
ING Direct already had the technology framework in place to implement its part of Concierge, Kithulegoda says.
The bank has been working for a few years to strengthen authentication for customers, to protect them from fraud.
Some bank employees are pilot testing face and voice recognition for authentication. "That's progressing well," Kithulegoda says.
His team is anxiously waiting for Apple to release the APIs for its thumbprint scanning technology to test it with the bank's applications. Although the Apple technology seems far from infallible (someone figured out how to hack into Apple's fingerprint recognition technology within days of its rollout), Kithulegoda believes it could be a piece of the security puzzle.
"Our view on this is to build in multiple [security] layers and to make these layers as seamless as possible," he says. Eventually the bank will provide escalating levels of challenge and security depending on what the customer is doing.
"Maybe the fingerprint gets you to a certain point," Kithulegoda says. "Then beyond that point, depending on the dollar value or risk, you could voice authenticate. It's not going to be one single technology, but the way all of these technologies come together that will matter."
The bank is also looking into device authentication. "There is fairly high value in doing device level authentication" and knowing who the true owner of a device is, he says. He acknowledges that the barrier for setting up device recognition initially is high.
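The layered model Boysen and Kithulegoda describe, an enrolled device recognised silently, then a fingerprint "to a certain point", then a voice challenge when the dollar value or risk warrants it, can be expressed as a small step-up policy. The following is an added example, not ING Direct's or SecureKey's code: device recognition is modelled as a per-device secret shared at enrolment and proven against a nonce, and the risk tiers, dollar thresholds and factor names are constructed for the illustration.

```python
"""Toy layered (step-up) authentication with device recognition.

Added example, not ING Direct's or SecureKey's code.  An enrolled device is recognised
silently at login, each action maps to a risk tier by type and dollar value, and the app
asks for the weakest additional factor that satisfies the tier, escalating to voice for
riskier actions.  Factor names, tiers and thresholds are constructed for the example.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional, Set, Tuple


# ---- device recognition: a per-device secret shared at enrolment, proven with a nonce ----
class DeviceRegistry:
    def __init__(self) -> None:
        self.secrets: Dict[Tuple[str, str], bytes] = {}

    def enroll(self, customer: str, device_id: str) -> bytes:
        # In practice the key would live in the device's secure hardware; it is returned
        # here only so the toy device below can answer challenges.
        secret = os.urandom(32)
        self.secrets[(customer, device_id)] = secret
        return secret

    def verify(self, customer: str, device_id: str, nonce: bytes, response: bytes) -> bool:
        secret = self.secrets.get((customer, device_id))
        if secret is None:
            return False  # never enrolled: not a recognised device
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def device_respond(secret: bytes, nonce: bytes) -> bytes:
    """What the enrolled device computes when the bank sends it a nonce."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


# ---- risk tiers and the factors each one needs (constructed policy) ----
FACTOR_STRENGTH = {"password": 1, "enrolled_device": 2, "fingerprint": 3, "voice": 4}
TIER_REQUIREMENTS: Dict[int, Set[str]] = {
    0: {"password"},                                    # read-only: balances, statements
    1: {"password", "fingerprint"},                     # low-value payment
    2: {"password", "fingerprint", "voice"},            # high-value payment or new payee
    3: {"password", "enrolled_device", "fingerprint"},  # changing contact or device details
}


def risk_tier(action: str, amount: float = 0.0, new_payee: bool = False) -> int:
    if action == "view":
        return 0
    if action == "transfer":
        return 2 if (amount >= 1000 or new_payee) else 1
    if action in ("change_contact", "enroll_device"):
        return 3
    raise ValueError(f"unknown action {action!r}")


def next_challenge(satisfied: Set[str], tier: int) -> Optional[str]:
    """Weakest factor still needed for the tier, or None when the action may proceed."""
    required = set(TIER_REQUIREMENTS[tier])
    if "enrolled_device" in required and "enrolled_device" not in satisfied:
        # A device is recognised silently or not at all; on an unrecognised device the
        # policy substitutes the strongest interactive factor instead of the device factor.
        required.discard("enrolled_device")
        required.add("voice")
    missing = required - satisfied
    if not missing:
        return None
    return min(missing, key=FACTOR_STRENGTH.__getitem__)


def authorize(satisfied: Set[str], action: str, prove: Callable[[str], bool],
              amount: float = 0.0, new_payee: bool = False) -> Tuple[str, List[str]]:
    """Drive the step-up loop.  `prove` is the customer's (constructed) answer to a
    challenge; one failed challenge denies the action rather than falling back to a weaker one."""
    tier = risk_tier(action, amount, new_payee)
    issued: List[str] = []
    while (factor := next_challenge(satisfied, tier)) is not None:
        issued.append(factor)
        if not prove(factor):
            return "deny", issued
        satisfied.add(factor)
    return "allow", issued


def start_session(registry: DeviceRegistry, customer: str, device_id: str,
                  device_secret: Optional[bytes], password_ok: bool) -> Set[str]:
    """Factors established at login: password, plus silent device recognition if it checks out."""
    satisfied: Set[str] = {"password"} if password_ok else set()
    nonce = os.urandom(16)
    if device_secret is not None and registry.verify(
            customer, device_id, nonce, device_respond(device_secret, nonce)):
        satisfied.add("enrolled_device")
    return satisfied


if __name__ == "__main__":
    reg = DeviceRegistry()
    key = reg.enroll("alice", "phone-1")
    session = start_session(reg, "alice", "phone-1", key, password_ok=True)
    print(authorize(session, "transfer", lambda factor: True, amount=5000))
```

The policy never lets a failed challenge drop to a weaker factor, and it treats an unrecognised device as a reason to demand more, not less, which is the practical consequence of Kithulegoda's remark that the initial barrier for device recognition is high: until a device is enrolled, the customer carries the extra challenge.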