Authentication slides 04.07.2003
Upload: alan-mather
Category: Technology
Transcript of Authentication slides 04.07.2003
2
Are you who you say you are?
Authentication
1995: UK has 2% using Internet
2002: e-government usage at 11% of online users
2003: UK has 62% using Internet (51% regularly)
2003: 16% of UK: What’s the Internet?
2003: Still at 11%
2004: Something has to change …
2005: 100% online
3
Mechanics of Authentication (registration and enrolment)
Need to establish who someone is
What they want to do
Whether they have the right to do it
Goes from simple to hard
  One time tax return …
  Application for benefit (long term payments out)
  Nurse in hospital accessing patient records
4
Do you need authentication?
Send a tax return
  Probably doesn’t need authentication
  But what if there’s a question
    And you want to ask it by email? Who do you ask?
  What if there’s a dispute, or an outright fraud?
  What about next year when we want to send the form online to the citizen pre-populated?
Very hard to see many transactional scenarios where we’d not use at least some level of authentication
  Booking a squash court, renewing a library book, paying a bill?
5
Private Sector Proof
Verifiable
  Passport
  Driving Licence
  Utility bill
  Tax demand
  Address / Prior addresses
Challenge
  Mother’s maiden name
  Favourite colour
  Favourite place
  Date of birth
Usually verified by
  Experian
  Equifax
  Dun and Bradstreet
  etc.
  And, for challenges, the initial registration profile
6
Public Sector Proof
Verifiable
  UTR (?!)
  NINO (?!)
  PAYE reference
  VAT number
  Etc.
Challenge
  Digital certificate
Usually verified by
  Checking the back end system
  Or, for a certificate, the certificate provider’s revocation list
7
Public Sector Complexity
[Diagram] Parties: Me; My Accountant; My Mother; My Employer; My Colleagues; Citizen’s Advice Bureau?; Local Authority?; Post Office?; Payroll Provider; Their mothers; Their accountants
[Diagram] Relationship labels: Does my self assessment; Do her self assessment; Do his VAT and PAYE; Stand in for me when I’m away; Does Payroll
8
What’s a Gateway?
[Diagram] Components: Rules; Web services; Portals; Gateway; Traditional Backend Systems
[Diagram] Questions: Who? Where? How? What? When? What?
9
Where do we stand today?
99% of transactions via userid and password
  Simple, government focused, verifiable information
Vast range of potential identifiers, but much overlap
Userid is specified, password is chosen
  Some component (userid) sent via post
No cross trust
  Each separate transaction must be separately verified
  No joined up services
10
Network of Cross Trust
Bank
Insurance company
Accountant
Other intermediary
  Citizen’s Advice Bureau
Central government
  Passport office
  DVLA
  Inland Revenue
Local government
NHS
Trust is all one way today
11
Network of Cross Trust
Egg trusts me (they let me spend money)
DWP trusts Egg (up to a point?)
DWP trusts Egg to trust me (for benefit payments)
IR trusts DWP (for tax credits)
IR trusts DWP to trust Egg to trust me (and pays me)
Southwark trusts IR …
The green shield stamps version of authentication?
12
What issues do we have?
Userid/password has real limits
  Simple to use, but no legal validity
  Works fine for banks so far
    Banks have back end controls (funds transfer limits, monthly statements etc)
Government userid standards horrible
  But what are the alternatives?
  Email address (not stable, easy to guess and many people don’t like government to have it)?
  Strangely, when people fail to log in, 50% get password wrong
13
More issues
No online assurance that someone really is who they say they are
  Tied into the postal loop
  20% of addresses are out of date
No “instant on” for first time users
  Cannot set up to e.g. send VAT returns online
  Puts pressure on citizen when deadlines loom
    E.g. must register for self assessment 5-7 days before 31st January
14
More issues
Digital certificates on life support
  Technology solution hunting a problem
  For some departments even these aren’t enough
Smart cards proliferating
  But not being tied into government services
  Limited readers, no national standards
  Probably the only truly portable solution though
Mobile phone as a portable solution?
  70% of phones are pre-pay … no owner information
15
The future?
Entitlement cards
  Biometrics?
Common Information Database
  One citizen identifier?
The NHS spine
  Health record aggregation as the common link?
BT URU
  Part of the network of trust
All of them probably 3-5 years away?
16
What Should We Do?
Address the real issues
  Too easy to look to blame someone else
  Authentication process is simple …
    Government forms are far, far harder to complete!
Focus on identifiers
  Which ones for which services … national standard
Construct a “one time” registration process?
  All key identifiers supplied, even if services are not yet online
Help construct the network of trust
18
Six things to think about
1. There is no blueprint for joining up government
2. Replicating what we already have is not e-government
3. There is no silo in “citizen focus”
4. Technology is not a differentiator
5. No-one wins when others lose
6. Having a policy is not the same as delivering it
19
e-Government evolution?
We’re in the trough for sure
[Chart] Labels: Government websites; % Transactions Online; 95%+; Stage 1; Stage 2; Stage 3; Maturity; Supplier Gain, .gov Pain; Citizen Value
2,800 websites …. £270-583 million (AM rough figure)
5-7%, less than 3 million per year
20
What’s wrong with our websites?
More than 2,800 sites
More than 5 million pages
Up to 70,000 pages
Nine levels deep
More than 200 URLs
More than 300 authors
Some parts of the site not linked to others
‘orphan content’
100s of broken links
Download time more than one minute
Poor uptime
Five different look and feels
More than three navigation designs
The product of unplanned growth
21
Usage (or lack of it)
[Chart] Axes: Audience penetration (Active reach among total UK Internet users %); Loyalty (Visits per person per month). Legend: marker = Audience size (‘000 unique visitors per month); Commercial; Public sector; Individual Government sites.
Audience size (‘000 unique visitors per month):
  windowsupdate.microsoft.com: 5,378
  google.com: 6,281
  microsoft.com: 6,477
  bbc.co.uk: 4,994
  ask.co.uk: 3,997
  amazon.co.uk: 4,281
  loginnet.passport.com: 4,972
  google.co.uk: 4,060
  msn.co.uk: 3,674
  freeserve.com: 3,613
  dfes.gov.uk: 566
  All govt.: 5,565
  Central govt.: 4,325
  Local govt.: 2,427
Source: NNR, UK
22
Do we have enough yet?
5 million pages of content
5.5 million visitors per month
Low repeat visits per visitor
£5-£10 per visitor, per year
[Chart] Axes: Pages per site; % of all government content. Labelled sites: Hants; Medical Devices; Scotland; HMSO; DH; IR; Dorset CC; Castle Morpeth; London Online.
23
Countering the “rules”
Customer-centric content aggregation
  Life events
  life styles
  “franchises”
Consistent look and feel
  Across all government websites
Economies of scale
  Do it once, do it right, do it all over
Take spend away from technology
  Focus it on information and services (use the source, Luke)
  Central infrastructure – local, regional and national
Drive customer take-up
  Partnerships with intermediaries
24
Things to Think About
It’s not technology for technology’s sake
Opportunity to fail
  54% projects suffer (HMT Green Book, 2002)
  15% cancelled (Chaos Chronicles, 2002)
Over-specification
  45% of product features never used, 19% rarely used
  The more you build, the less they use
No benefit likely
  Your return on investment begins the day you switch it on
Start small, add rapidly, make it great a bit at a time
  High yield, low risk.
Source: Jim Johnson, The Standish Group
25
And finally
It’s not just about websites
  Kiosks, DTV, offline/online consistency, intermediaries etc.
  Cross-channel capability
  Cohesive brand … focused marketing £
Integrated content and transactions
  The more people can do, the more they’ll want to do
  Today’s one time “tax”, “benefit” transactions not enough
The UK is far behind its peers in online government usage
  Yet we bank and buy books online more than anyone
  Fragmentation, competition, squabbling make us suffer
  Too expensive to go solo (silo)