ING Direct Canada, the branchless-bank used by 1.8 million Canadians, has become the fourth financial institution to adopt SecureKey’s Concierge service for securely authenticating onto a large number of federal Web sites.
The move means that bank customers can use the same login username and password for accessing their bank accounts to access 120 federal services. They include Services Canada, Canada Revenue Agency, Human Resources, Canadian Border Services and Immigration Canada.
It was not an unexpected: Scotiabank [TSX: BNS], a Concierge member, bought ING Direct from its Dutch parent for just over $3.1 billion a year ago. Other Concierge members are the TD Bank and the Bank of Montreal.
Toronto-based SecureKey uses the SAML 2.0 (security assertion markup language) protocol to connect endpoints through a secure cloud-based virtual private network so they can transmit and receive identity tokens.
“Now customers will have one less set of credentials they have to remember” for federal services, said Charaka Kithulegoda, ING Direct’s chief information officer.
It took about 12 weeks to integrate ING’s system into Concierge, he said.
“We are starting to get even greater critical mass for the service,” Andre Boysen, SecureKey’s executive vice-president said in an interview.
The company’s goal is to get banks to sign up for Concierge, he said. But it also want to expand the network to include provinces, municipalities and utilities.
Ultimately SecureKey wants to build an open consumer authentication marketplace that will compete with other payment networks.
While it is still early days — Concierge launched a year ago last month — Boysen said the company is satisfied with its progress. Still, he added, “there’s a lot more to do to make this authentication marketplace take off so you don’t have to have user ID and password for every (online) destination.”
To use the service on a federal Web site, when asked to register a person chooses Concierge and then selects a bank he or she already has a user ID and password for. After logging in with those credentials the bank issues a security token which is transmitted to Concierge, which passes it to the government Web site. After answering a few questions the token is bound to the user’s account.
The service is “triple-blind” — the token is anonymous, Boysen said.
As for participating financial institutions. Boysen said Concierge — which is actually a hosted cloud virtual private network service that connects the bank, the user and the government — takes advantage of a Web service they already have called Interac Online Payment for anonymous authentication. All they need to do is create a SAML service for the tokens, which takes four to six weeks.
In August SecureKey won a contract with the U.S. Postal Service to provide a similar infrastructure for the Federal Cloud Credential Exchange for accessing U.S. federal services. It launches next year.