Federated Credential Use. A Tale of Poultry and Public Sector

Using federated high assurance private sector credentials to access public sector services has a chicken and the egg problem. This may require the immaculate conception of a chicken, and not just in the public sector, to move the ball forward. Some thoughts, pointers and perspectives on the issue.

One of the primary reasons for the lack of wide availability of higher assurance credentials (typically at LOA 2 and LOA 3) that I have often heard is the lack of Relying Parties that need these credentials. The argument goes that “If these services existed, there would be more CSPs”. On the other end of the spectrum, RPs that would like to deliver these high value services are looking out at the private sector and not seeing many CSPs that would meet their needs. The classic chicken and the egg argument is once again in play.

Arguably, public sector services that deliver benefits and other high value transactions are the poster children for these relying parties. Fortunately, an immaculate conception of chickens of sorts is taking place where many jurisdictions are making the unilateral decision to move ahead with online service delivery. This is not being driven by any desire to play with bright and shiny new objects but by pragmatic realities such as shrinking budgets and the need to shift channels to deliver services driven by changing demographics.

And yet, I am concerned that while much ink is being spilled in calling out the benefits and addressing the concerns of RPs and CSPs/IdPs, not as much is being done to address the concerns of the most important stakeholder in the transaction, the customer/citizen/end-user/client! The response to Tim Bray’s “Why Federate?” blog post should be required reading for any public sector entity seeking to implement federation technology to accept private sector credentials on citizen facing services.

I believe that in order to successfully deliver any such service, one needs to start with total transparency about data collection and use, and at a minimum clearly answer questions such as:

• What information are you collecting on me and why?
• How much visibility does the CPS/IdP have into the transactions that are conducted?
• What information is passed from the CSP to the RP and is there visibility and consent obtained to do so?
• How long are you keeping the data and for what purpose?
• What are you doing to alleviate my concerns of surveillance and correlation of information across multiple RPs?

I also believe that the user will not utilize a federated credential purely at a public sector web site, but must instead see that the same credential can be used in their daily online transactions. Which means that private sector entities must also stand ready to answer the same set of questions.

RELATED INFO

• Role of Multi-Sided Platforms in Identity Federation
• HOW TO Choose Attributes to Uniquely Identify a Person
• User Consent in the Age of Attributes - Part 2
• What is the Value of an Assertion of Identity at LOA 1?
• Tim Bray: Why Federate?