
One ID for many sites? How a federated credential exchange works.

Development of the Federal Cloud Credential Exchange will begin this fall and testing is expected to begin in January, so the details of how it will work have not yet been settled. But SecureKey Technologies, whose briidge.net Exchange cloud platform has been selected for the one-year pilot being operated by the U.S. Postal Service, already provides similar services for the Canadian government.


The briidge.net Exchange is a cloud-based credential exchange that allows multiple organizations to trust ID credentials that have been issued and authenticated by a third party. This lets citizens use usernames and passwords they already have from one organization — a bank, for example — when logging in to a government website. This can simplify life for the end user and for the agency that no longer has to manage its own usernames and passwords.

SecureKey’s chief marketing officer Andre Boysen said FCCX is expected to work much like Canada’s Concierge credential exchange. Here’s what the process could look like:

  1. The citizen will navigate to the website of a participating federal agency via a browser and will be offered options for logging in that will include FCCX.
  2. Upon clicking the FCCX box, the log-in request is redirected to the cloud-based service operated by USPS, which presents a box listing the third-party credential providers participating in FCCX.
  3. The user can click on a credential provider he already has a relationship with, such as a bank or other service provider.
  4. The request is directed to a log-in page from that credential provider, where the normal username and password or other log-in methods are used to authenticate identity.
  5. If the log-in is accepted, the credential provider creates an anonymous token saying, in effect, that “the person who originally enrolled in this account is here now.” This token is passed to the FCCX server.
  6. FCCX anonymizes this token so that the identity of the third-party issuer now is hidden, and passes it to the relying agency.
  7. If the agency recognizes the token as that for a user already enrolled in its system, and if it meets the proper level of assurance, the user is logged in. If the user is not already enrolled in the agency system, he must go through a first-time enrollment process.
  8. Anonymous tokens sent to different agencies for a single user will be different, so that log-in activity for an individual cannot be tracked across agencies.
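As an added illustration of steps 6 through 8 (this is not SecureKey's, Concierge's or the FCCX pilot's code), the exchange can be modelled as a hub that derives a pairwise pseudonym per relying agency and strips the issuer's name before forwarding. The HMAC-based derivation, the field names and the key are assumptions made for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Hub (exchange) secret: constructed sample value, not a real key.
HUB_KEY = b"constructed-hub-key-for-illustration"


@dataclass
class IdpToken:
    """Step 5: what the credential provider hands to the exchange."""
    issuer: str   # e.g. "bank-a"; the agency must never learn this
    subject: str  # issuer's persistent, opaque handle for the enrolled account
    loa: int      # level of assurance the issuer asserts for this log-in


@dataclass
class AgencyToken:
    """Step 6: what the exchange forwards to the relying agency."""
    pseudonym: str  # pairwise identifier, meaningful to one agency only
    loa: int        # issuer identity is deliberately absent


def anonymize(token: IdpToken, agency: str) -> AgencyToken:
    """Derive a per-agency pseudonym (step 8) and drop the issuer (step 6).

    Keying on HUB_KEY means two agencies cannot correlate pseudonyms
    even if they compare notes, while the same user at the same agency
    always maps to the same value, so re-logins are recognized.
    """
    material = f"{token.issuer}|{token.subject}|{agency}".encode()
    pseudonym = hmac.new(HUB_KEY, material, hashlib.sha256).hexdigest()
    return AgencyToken(pseudonym=pseudonym, loa=token.loa)


class Agency:
    """Step 7: the relying agency checks assurance level and enrollment."""

    def __init__(self, name: str, min_loa: int):
        self.name, self.min_loa = name, min_loa
        self.enrolled = {}  # pseudonym -> local account name

    def login(self, token: AgencyToken) -> str:
        if token.loa < self.min_loa:
            return "rejected: insufficient assurance"
        if token.pseudonym not in self.enrolled:
            return "first-time enrollment required"
        return f"logged in as {self.enrolled[token.pseudonym]}"
```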

Even though personal information of the user is hidden during this process, the system works because participating agencies agree in advance to trust the identity proofing and authentication process of the third-party credential providers. FCCX credential providers will be approved under the Federal Identity, Credential and Access Management program. There currently are 13 credential providers approved under FICAM.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Tue, Aug 27, 2013

This is still a binary system: you are in or you are out. It also relies on the very insecure user name/password scheme. This makes the system inherently insecure since there is little or no multi-factor authentication. This is a disaster waiting to happen.
