Thursday, May 21, 2009

Where should government go with single sign-on?

Single sign-on is often seen as one of the Holy Grails of the internet - the ability to use a single logon to access all your secure online accounts and conduct transactions with whoever you choose.

This is seen as a way to make life easier for citizens/customers, allowing them to move easily from provider to provider, just as they may choose to move from store to store in a mall. It also reduces 'password fatigue', where users have too many passwords to remember and, correspondingly, is expected to reduce the IT cost of lost passwords.

The main risk of single sign-on solutions is also related to passwords - having a single logon for everything stored in a central location theoretically makes it easier for a hacker or identity thief to completely compromise an individual.

It might appear that the public sector has an advantage in moving towards a single sign-on for egovernment services. We have the dollars, expertise and computing power to pull together large IT projects, we don't have internal competitive pressures and possess the legislative power to change any laws necessary to allow citizens to access all government services via a single logon.

In contrast the private sector is fragmented between thousands of entities, potentially all competing for their slice of the online pie. Different online services are tied up with different intellectual property and sharing this IP would seem counter-intuitive to increasing profit margins.

However in practice the situation has been very different.

In the commercial world large and small organisations have been lining up behind a single standard for single sign-on, OpenID.

The OpenID Foundation estimates there are already over 1 billion OpenID-enabled web users and that more than 40,000 websites globally support the system.

OpenID is supported by the biggest online, authentication and IT players, including Microsoft, IBM, Verisign, PayPal, Google and Yahoo and was recently implemented by Facebook.

The system is fast becoming the global ID standard for authenticating users to websites - although I am unaware of a single case around the world where a government has adopted the same system.

On the government front single sign-on services are less developed. In Australia we've had the proprietary MyAccount service available for some time now, linking Centrelink, Medicare and CSA customer accounts. MyAccount requires users to register separately for each agency's online service, then link them together by registering a separate (fourth) account. This separate account can then be used to log into the online services for each of the agencies.

This service is presently being expanded. has indicated that they will be adopting the same single sign-on mechanism and that more agencies will be coming shortly.

The UK government has similarly been working on an independent single sign-on solution. This has encountered issues that I am sure Australia will also face - different services require different security levels, and stepping between the necessary security levels is more complex than simply offering a username and password.

The question in my head is whether it is possible for government to adopt the (free and open) OpenID standard rather than spend the time and money required to develop and expand a separate proprietary system.

In other words, do we need the government to continue to invest in a second 'single' sign-on when the commercial world is already well-advanced in a global solution?

The issue isn't that simple unfortunately. There are many reasons why a government may wish to own its own authentication system, such as national security, protection of citizen privacy, and custom ways to 'step-up' to higher security levels (though this is also possible in OpenID).

However it is important to reconsider the value of a separate government system from time to time, particularly if the commercial world is heading in a different direction.

1 comment:

  1. That's the point isn't it? On one (in)side we have agencies (.gov, .edu, etc) thinking they should issue some keys to the(ir) kingdom. On the other (out)side the peasants are creating their own kingdoms.

    I can't cut and paste this link (for some reason), so do a search using 'efoundations apples and oranges'.

    It would be nice if the government system designers would add an open ID to their authentications wouldn't it?

    PS Shibboleth is just the academics' heavy-duty gate opener