Today’s post comes from David Oates, Vice President, International.
Later this month the Department for Work and Pensions will be revealing the first suppliers of the UK Government’s proposed Identity Assurance programme (IDA), which will allow people to access public services using third party logins. Described on a gov.uk blog as being less about identity and more about trust, this could well prove to be right if rumours of Facebook being included prove to be true.
As more and more services go online the Government wants to make it simpler and more user friendly for us to login. They haven’t mentioned that one of the largest expenditures in customer service support is often over password management and outsourcing it will save them money too, but as tax payer you won’t hear me complain about it in principle.
It’s not a new idea and is already used in Europe. In Sweden for example citizens can apply for an e-Identity online via their own bank, which enables them to alter their tax forms. This makes sense, the strict regulation around anti-money laundering etc means that banks have to know their customers.
But the rumoured inclusion of using social networking sites has me concerned. Using Facebook logins as a passport to other applications and services is becoming very popular, particularly with comment sections on websites. One of the reasons for this is its self policing and cuts down dramatically on the comment spam that many website owners have to deal with it. However, whilst Facebook strongly advocates real identities, it doesn’t have the same incentive as financial institutions to ensure you are who you claim to be.
Single sign-ons have always been looked upon with dubious eyes by security professionals. It provides a single point of failure and general advice has always been to use a different password for every login. This of course has led to password fatigue, but the point has become moot anyway. With so many sites offering the ability to login with third party identities all a criminal needs is one social media id to access any number of sites to impersonate you.
First in line for the IDA treatment is Universal Credit, a replacement for the current benefits system that will be launched next April. The Government has said that there will be “Levels of Assurance” that third party id providers must reach depending on the critical level of the government service being accessed. One can only hope, given that benefits is an enormous target for fraud, that the proposed IDA providers will be able to offer more of a guarantee of identity than a valid email address.
Sandra Bullock’s loss of identity in The Net always used to seem impossible. But now imagining your whole government identity circled around a Facebook login I’m not so sure – unless of course Facebook is about to reveal a new facet in its service.