I am what IAM
The legacy of the failed Australia Card identity scheme has hindered Australian government agencies from realising the dream of having a sole online identity for every citizen.
The reluctance to address the issue means the government is missing out on the big dollar savings that corporates such as the Big Banks are enjoying in the call centre.
Many believe government could do better: “There are loads of ways that we interact with government that doesn’t need a very high degree of assurance,” Gartner research director Anne Robins explains.
“People want to participate because it is a benefit to them, and I think a lot of people would feel the same way about doing these things online with government,” Robins adds.
Passwords by the dozen. Transacting online with government agencies is far preferred to waiting on the end of the phone or standing in a queue – yet citizens have been bombarded with online services from government.
It is not uncommon, when registering for online services, to have to enter the same information with every agency. Users often then write down the username and password in a notebook, although the vast majority of people use the same password.
Through the my.gov.au portal, the Federal Government has attempted to create a solution.
Services from Medicare, Centrelink, the Australian Taxation Office, Child Support, the National Disability Insurance Scheme and the Department of Veterans’ Affairs can be accessed via the secure myGov account with one username and password.
It's an ambitious undertaking but not everyone likes it. “MyGov is trying to give citizens a portal,” Robins says, “but there is the impression that if you use myGov you are giving Centrelink or Medicare information. It all seems like it is mixed in together, and people are uncomfortable.”
The approach of myGov is misplaced, she says, in light of the success of New Zealand’s RealMe government identity service.
Launched in July 2013, the service has centralised the verification of a person’s identity, but each agency still maintains its own data.
“I think if you look at these two models,” she says, “you will see one has gone a long way down the path of making sure people do feel their privacy has been protected and that it is all about the control that they have.
“The myGov model is much more about saying we are going to force you into this tunnel and you have to do everything through this point, I am just not sure people feel comfortable with that.”
Second-generation online services. Australian government agencies, from all levels, have been roundly criticised as being slow to adopt advances in the identity space.
Many agencies are trying to solve the problem on their own – some, such as the Australian Taxation Office, are looking to do more and offer a richer service – but there has been no real strong leadership at a whole-of-government level on addressing citizen identity.
“A complication of the government’s service obligation is that they just can’t say 'I’m going to make it available online and you can like it or not',” Robins says. “They have to support all of the multi channels.”
Governments, like the private sector, are looking for higher levels of online participation and ways to reduce overheads on help desks or call centres.
Robins believes the challenge is that government will solve the problem one agency at a time.
“It’s going to be complicated and expensive,” she warns, “and people are going to hate it if they have to do different things for each agency.” There is the possibility an agency could step out on its own and show leadership, thereby creating a bit of groundswell.
“But I think it needs a much stronger push from the top down,” she says, “to actually put this on the agenda of department chief information officers. They are all suffering from cutbacks, keeping expertise in-house; this is still not a burning problem for a lot of them.”
Social sign-on. Innovators in government are, on the other hand, really pushing to adopt Facebook or some other social media sign-on and identity brokering service.
“There is a lot of controversy about whether I want to cross my personal or Internet identity with my government identity,” First Point Global co-founder Jan Zeilinga says, noting that some citizens may feel this would give government too much visibility into a person’s private life.
From an Australian government perspective, Robins adds, there are some circumstances today where a citizen would like to access a service by clicking through from Facebook.
“You're accessing fairly basic information,” she says. “It is good for relatively innocuous transactions where the convenience outweighs the need for more security than that.”
As people deem Facebook “friendly” and feel good about using it, she believes it might be a good way for government to become more accessible.
On the issue of security, both Zeilinga and Robins believe Facebook can be more secure than a simple username and password for first level enquiries as people put a value on their Facebook profile.
“The reality is I can enter rubbish into a registration service and create an email account,” Zeilinga says.
The real problem with using a social sign-on is that the government of the moment has not grasped that different transactions carry different levels of risk, Robins explains: “You should be able to match the right level of authentication and verification of the transaction to what you are doing.”
BYO identity. Using a social media identity as a means of accessing services online is a trend that government agencies will need to accommodate going forward.
Whereas the new generation of identity access solutions are able to broker into social media identity stores to tie the authentication together, current legacy identity access management systems don’t have a means of catering for this.
Dimension Data Australia security practice national manager Jason Ha explains there is technology that can broker first level social media authentication, then decide how much of a higher challenge is required to give citizens access to services.
“Social media brokering can function as a good first level authentication up to a certain point for citizens,” he says, “and then if the adaptive context requires a higher level of privilege, that is when they can interface into an internal identity construct.”
However, the problem is that most Australian government agencies have not embarked on a new platform for this world.
“Most of them are at the strategy and even architecture stage to determine what the new software will look like,” Ha says.
Higher-level authentication. Social sign-on is just one way to identify a persona. The key challenge is taking the persona and linking it to a real person.
“The actual technologies are quite simple and services are quite simple,” Zeilinga says. “It is more about how to upgrade an individual and how much trust you put in that.”
At the bare bones level, cost savings are driving government agencies to make sure everyone has an online account.
“If they can get 90 percent of their online consumers using a third party for authentication, and they are pushing out that management of username and password, that is significant savings in the call centre,” Zeilinga adds.
At the technology level, agencies realise that even if they embrace social sign-on, it is the step-up authentication process that is tricky.
“When you combine risk factors together you get something very strong,” Zeilinga says. “It is when you are relying on one method that you start pushing the boundaries of being over confident.”
Options for higher-level authentication could include the banks’ favourite tool of SMS, or a range of biometric tools.
Yet despite its growing popularity, fingerprint scanning is no more secure than a Facebook login, Zeilinga warns, noting that it is difficult to get a fingerprint-based biometric system to an enterprise-enabled point.
“Logistically also it is quite hard to get everyone to go through a provisioning process for fingerprinting, which would be like a 100 point ID.”
Robins is also sceptical of the success of fingerprinting within the government sphere.
“It may be big brotherish if they say you can use your fingerprint to lodge your tax return.”
Voice printing, by contrast, is easy to do remotely. Robins says a lot of organisations such as health insurers and banks are already using voiceprint biometric scanning.
“Voice is not a future technology, government should embrace it,” Robins says. “It naturally fits into the call centre structure that they have in operation.”
Whatever road Government chooses to take to provide services online, the main message seems to be that it is the combination of risk factors that provides a strong authentication.
“Not only do you do a Facebook sign in, but they also fingerprint the machine you are coming from and your behaviours, so if your behaviours are abnormal then the agency might prompt you for a stronger authentication, a stronger question or something else to get an assurance level higher,” Zeilinga explains.
– Kelly Mills
This feature originally ran in the May-June 2014 issue of Government Technology Review.