One ID for many sites? How a federated credential exchange works.
- By William Jackson
- Aug 23, 2013
Development of the Federal Cloud Credential Exchange will begin this fall and testing is expected to begin in January, so the details of how it will work have not yet been worked out. But SecureKey Technologies, whose briidge.net Exchange cloud platform has been selected for the one-year pilot being operated by the U.S. Postal Service, already provides similar services for the Canadian government.
The briidge.net Exchange is a cloud-based credential exchange that allows multiple organizations to trust ID credentials that have been issued and authenticated by a third party. This lets citizens use usernames and passwords they already have from one organization — a bank, for example — when logging in to a government website. This can simplify life for the end user and for the agency that no longer has to manage its own usernames and passwords.
SecureKey’s chief marketing officer Andre Boysen said FCCX is expected to work much like Canada’s Concierge credential exchange. Here’s what the process could look like:
- The citizen will navigate to the website of a participating federal agency via a browser and will be offered options for logging in that will include FCCX.
- Upon clicking the FCCX box, the log-in request is redirected to the cloud-based service operated by USPS. A box will be presented offering the third-party certificate providers participating in FCCX.
- The user can click on a credential provider he already has a relationship with, such as a bank or other service provider.
- The request is directed to a log-in page from that credential provider, where the normal username and password or other log-in methods are used to authenticate identity.
- If the log-in is accepted, the credential provider creates an anonymous token saying, in effect, that “the person who originally enrolled in this account is here now.” This token is passed to the FCCX server.
- FCCX anonymizes this token so that the identity of the third-party issuer now is hidden, and passes it to the relying agency.
- If the agency recognizes the token as that for a user already enrolled in its system, and if it meets the proper level of assurance, the user is logged in. If the user is not already enrolled in the agency system, he must go through a first-time enrollment process.
- Anonymous tokens sent to different agencies for a single user will be different, so that log-in activity for an individual cannot be tracked across agencies.
Even though personal information of the user is hidden during this process, the system works because participating agencies agree in advance to trust the identity proofing and authentication process of the third-party credential providers. FCCX credential providers will be approved under the Federal Identity, Credential and Access Management program. There currently are 13 credential providers approved under FICAM.
William Jackson is freelance writer and the author of the CyberEye blog.