Province of B.C. readies federated identity model

British Columbia government employees, and private sector organizations contracted to provide public services, will soon have wireless access to the networks of about 500 public agencies via a virtual card housed on a computer.

A sister pilot will provide similar access to citizens to visit the province’s government Web sites.

The virtual cards, or managed information cards, are designed to facilitate entry through the agencies’ various IT infrastructures that would otherwise require separate username and password accounts.

The cards are “not a physical thing, it’s a logical thing,” explained Ian Bailey, director of application architecture with the Government of British Columbia, adding that the cards reside on a user’s computer, may not be copied on to another computer, and can be used only by the card owner.

The methodology is based, in part, on claims-based authentication technology by Islandia, N.Y.-based CA Inc.

The company’s senior vice-president and chief architect Vadim Lander explained that the cards themselves don’t contain private information about the user. They instead hold references to claim providers, which are third-party authentication authorities that validate the user’s credentials.

When a user access a service with a virtual card, the validated credentials are then sent to the application so it can render a service to the user. “That process of asserting that the identity is good to go is the authentication claim,” said Lander.

Enhancing the privacy of individuals was certainly one driver behind the government launching the virtual cards, said Bailey. Another was having a scalable platform from which to easily connect with different organizations, be it public or private sector.

“It’s really not going to be possible with existing systems to do the kind of scale of services that we think we should be giving,” he said. Over the past year, the B.C. government has worked with its IT suppliers to design an identity system for providing government services. One of the products that emerged, following the design’s completion, was the virtual card.

It’s also a familiar paradigm for users, not unlike using a credit card to receive a service, said Bailey. In addition, the issuer of the card, in this case the government, can’t track a person’s use of the card. “The government can’t figure out the services you’re using because that would be an invasion of privacy.”

Virtual cards are immune to phishing sites that can steal a person’s username and password. However, with claims-based authentication technology, Bailey said, hackers might get their hands on the card, but the information will be useless to them.

Besides its use on PCs and notebooks, Lander said claims-based authentication technology is applicable to devices like cell phones, USB flash keys, smart cards or anything that fits in your wallet. “The whole idea is for you to be able to leverage what’s already in your pocket to access a service without worrying about whether your machine is up to date,” he said.

In fact, the methodology behind virtual cards is applicable to enterprises looking to provide remote or traveling employees secure and easy access to the company network through notebooks and Blackberries, said Lander.

Although he acknowledged there is always the risk that mobile devices will be stolen or lost, he stressed the cards don’t hold private information about the user. “That is an added layer of security because the cards themselves don’t necessarily carry those credentials; you still have to authenticate them with a service provider,” he said.

Bailey said enhanced security and privacy are good enough reasons for using the virtual card over less secure username and password systems; however, adoption could be impeded by lack of knowledge around the technology.

Another impediment, he added, is people are still running outmoded computer systems at home that won’t support virtual cards. The technology will support both proprietary and open standard platforms. Lander foresees the proliferation of claims-based technology leading to the emergence of claim providers that will manage that risk on behalf of businesses.

If the pilots prove successful, Bailey hopes to see the initiative adopted nationwide. The pilots are scheduled to launch early next year.

Related content:

Understanding federated identity

Stupid tags don’t make smart cards

One entity, one identity

The politics of digital identities

Rethinking the ID registry