Slide 1: Authentication. Rod Matthews, 30 September 2009
Slide 2: Presentation Agenda
1) DWP Government Gateway (Slides 2-5)
2) Government Policy (Slide 6)
3) Remote Authentication (Slides 7-11): Good, Bad, Different
4) A Changing Landscape (Slide 12)
Slide 3: Government Gateway. xGovernment Enterprise Architecture Strategy (architecture diagram)
Service layers shown: Channel Services, Integrated Services, Process Services, Information Services, Infrastructure Services, Service Management, Security Services, Local Application Services.
Government Gateway components shown: GG + Alerts, GG + Secure, GG Transaction Orchestration, GG Secure Transaction Engine, GG Strong Authentication, GG Common White label UI, GG + Payment Engine, Common Infrastructure Services.
Context labels: Access to Public Services (Remote Access), Safeguarding Identity (e.g.), Champion Assets (e.g.), Transformational Government.
Slide 4: Government Gateway. Common Infrastructure, Access to Public Services (Remote Access) (component diagram)
Components shown: Identity and Verification Engine; ID&V Hub / Broker; Remote Authentication for Citizens, Businesses, Government Employees, EU & Foreign Nationals; Secure Data Transfer; Payment Engine; Secure Alerts; Transaction Engine; Gateway +.
Figures shown: 17m Service Users; 90 Authenticated eServices.
Slide 5: Take-up
Slide 6: Government Policy. Safeguarding Identity Strategy
- The Safeguarding Identity Strategy (published on 23 June) contains 15 Actions; AtPS is leading Actions 6 & 7 in evidencing the shape and implications of a Shared Service to provide xGov Remote Authentication to e-Services.
- AtPS also leads Actions 4 & 5, which define a trusted set of identity credentials and their convergence across government.
- AtPS contributes to other Actions, for example (11) the facility to repair a compromised identity and (13), which enables avoidable contact through linking services by consent.
- AtPS is aligned and coordinated with the DWP Change Programme and the Identity Programme, and is enabled by shared resources with IPS and Directgov.
- DCSF lead on the issue of Employee Authentication, working collaboratively with the Government Gateway.
- AtPS reports to the Safeguarding Identity Steering Group, chaired by Sir David Normington.
Delivering the objectives is a work-in-progress: this presentation is not policy.
Slide 7: Authentication. Bad…… A fragmented approach is a more costly approach
Currently:
- the provision of authentication facilities is fragmented and will not enable citizen-centric services (e.g. Directgov, TUO);
- departments have implemented, and may act independently in providing, remote credentials; these require individual support and maintenance facilities and have different lifecycles, which means multiple credentials and inconvenience and likely confusion for the Citizen; and
- the supplier and technology communities find this difficult to engage with effectively.
(Diagram: examples of shared-secret credentials, “Mum’s maiden name” and “My date of birth”.)
Slide 8: Authentication. The Challenge with Credentials
- Normal credentials cannot be used for remote authentication (without enhancement): a remote credential must be ‘presented’ via reader hardware and/or a network which government may not trust (e.g. a home PC); as currently planned, the UK ID card (even if politically endorsed) will not enable remote authentication without additional readers.
- New remote credentials will be required in addition to the ID card: CESG anticipate that ‘Shared Secret’ solutions will be increasingly compromised around 2012; DWP would not require its customers to enrol in the NIR and purchase an identity card.
- Decisions on selection and provision of remote credentials to citizens must be driven by clear business objectives: balance cost, integrity and usability for specific user group abilities and usage; failure to achieve this will lead to rejection of remote channels.
- The introduction of new remote credentials may also require new infrastructure, plus the process costs of re-enrolment: there is no remote credential strategy in government (or DWP) to provide multiple credentials to enable different user groups, or a succession plan for credentials that become compromised; failure to maintain suitable credentials will compromise secure delivery of public services.
- However, the private sector faces similar challenges: government should seek opportunities to share cost and risk, and to improve citizen experience, through collaboration and partnership.
Slide 9: Authentication. Trust…… (trust-level matrix)

Trust level | Identity source                                                                 | Credential                                                                                                                       | Service
Bronze      | Open Identity; Foreign National                                                 | ID & Password                                                                                                                    | Level 1 services
Bronze +    |                                                                                 | ID & Password + (Challenge)                                                                                                      |
Silver      | DWP CISx; Departmental Case System; Verified EU; Private Sector (e.g. Banking)  | Chipped UK Gov Card + PIN + C/R; Chipped Bank Card + PIN + C/R; Memorable Information (C/R); EU State Chipped ID Card            | Level 2 services
Silver +    |                                                                                 | Chipped UK Gov Card + PIN + C/R; Chipped UK Gov Card + PIN; Chipped Card and PIN; Memorable Information (C/R)                    |
Gold        | National Identity Register                                                      | UK ID Card with Biometric; UK ID Card; Chipped UK Gov ID Card                                                                    | Level 3 services

(C/R = challenge/response.)
Slide 10: Authentication. Good……
- A Shared Service can encourage departments to use, support and sustain the preferred ‘pool’ of credentials and therefore foster convergence or reduction of public sector provided credentials. This in turn enables rapid deployment, seamless convergence, lower cost access, improved citizen experience and greater convenience.
- AtPS proposed a shared service solution (built on the Government Gateway) that allows multiple remote credentials to be used interchangeably to access a range of Public Services, based on the strength of the remote credential, the integrity of the identity, and the authentication level required for access to each service.
- The Shared Service provides the vehicle to coordinate the policy, participation, risk management and funding perspectives, and enables a cross-government Governance perspective.
(Diagram: a Pool of Credentials (e.g.) feeding the Shared Service (Gateway Authentication Broker).)
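The broker decision described on slides 9 and 10, as an added worked example that is not part of the presentation or of the Government Gateway. The tier names come from slide 9; the combining rule (the broker trusts the weaker of identity integrity and credential strength, so a strong credential cannot lift a weak identity and vice versa) and all function names are assumptions made for the illustration.

```python
# Added illustration of the Gateway Authentication Broker idea (slides 9-10).
# Not code from the presentation. The "weaker of the two" combining rule is
# an assumption; the slides name the tiers but not how they combine.

# Ordered trust scale from slide 9; "+" variants sit between the base tiers.
TRUST_ORDER = ["Bronze", "Bronze+", "Silver", "Silver+", "Gold"]

# Identity sources and their integrity tier (slide 9).
IDENTITY_TIER = {
    "Open Identity": "Bronze",
    "Foreign National": "Bronze",
    "DWP CISx": "Silver",
    "Departmental Case System": "Silver",
    "Verified EU": "Silver",
    "Private Sector (e.g. Banking)": "Silver",
    "National Identity Register": "Gold",
}

# The pool of remote credentials and their strength tier (slide 9).
CREDENTIAL_TIER = {
    "ID & Password": "Bronze",
    "ID & Password + Challenge": "Bronze+",
    "Chipped Bank Card + PIN + C/R": "Silver",
    "EU State Chipped ID Card": "Silver",
    "Chipped UK Gov Card + PIN + C/R": "Silver+",
    "UK ID Card with Biometric": "Gold",
}

# Service levels 1-3 and the trust tier each one requires (slide 9).
SERVICE_LEVEL_TIER = {1: "Bronze", 2: "Silver", 3: "Gold"}


def rank(tier: str) -> int:
    return TRUST_ORDER.index(tier)


def effective_trust(identity: str, credential: str) -> str:
    # Assumed rule: trust the weaker of identity integrity and credential strength.
    return min(IDENTITY_TIER[identity], CREDENTIAL_TIER[credential], key=rank)


def broker_decision(identity: str, credential: str, service_level: int) -> dict:
    # Any credential from the pool may be presented; access depends only on
    # whether the effective trust reaches the level the service requires.
    trust = effective_trust(identity, credential)
    needed = SERVICE_LEVEL_TIER[service_level]
    return {"trust": trust, "required": needed, "granted": rank(trust) >= rank(needed)}


def acceptable_credentials(identity: str, service_level: int) -> list:
    # Which interchangeable credentials would let this identity reach the service.
    return sorted(c for c in CREDENTIAL_TIER
                  if broker_decision(identity, c, service_level)["granted"])
```

A Gold identity on the National Identity Register presented with only an ID and password yields Bronze trust, which is the slide 8 point that the ID card alone does not enable remote access to higher-level services.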
Slide 11: Different…… (diagram)
Shown: a Pool of Credentials (e.g.) feeding the Shared Service (Gateway Authentication Broker); Trust (Bronze, Silver, Gold); 1:1 Authentication (e.g.); Tell-Us-Once; Surf Records Matching; Case Based Reasoning 1:M (Workflow); Self Service & Avoidable Contact; Point of Contact Choices; Reduced Credentialing; Minimised Redundancy.
Slide 12: Direction of Travel……
- A clear Credential Strategy
- Trust convergence for Departments, Directgov and Tell-Us-Once
- Matches the drive to single entry points for Gov Services (Directgov)
- Maximising what can be done once within the perimeter (Tell-Us-Once)
- Social inclusion and customer convenience in the e-channel
- Reaching out to high transactors (vulnerable groups)
- Minimising the overhead for inexperienced e-tourists
- Maximising self-service, via the e-channel
- Minimises e-service up-front deployment costs
- Minimises credential dependency, enabling rolling ‘renewal’
- Sets a landscape for Public / Private Sector coalescence, potentially partnership
Slide 13: Questions. Rod Matthews, 30 September