Wednesday, 23 March 2016

RIP IDA – UK First Government to Offer U2F-Secured Digital ID

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.


We told them. On 16 April 2015. Please see RIP IDA – what they omitted from the obituary:
Where's the nationwide information campaign?

Normal people have never heard of GOV.UK Verify (RIP). GDS want the system to be live in a year's time, by April 2016. Some time soon GDS are going to have to tell 60 million people what GOV.UK Verify (RIP) is. And how it works. And why they should use it.
GOV.UK Verify (RIP) is due to go live next month. April 2016. Maybe nine days away. And still there's no attempt to tell the public what's going on.

Why this reticence?

Google never mounts a campaign to launch a new service. So the Government Digital Service (GDS) shouldn't either. But GDS isn't Google.

-----  o  O  o  -----

We told them. On 3 February 2016. Please see RIP IDA – interview tips:
Do not be embarrassed by the fact that you have never created an ecosystem in your life and do not be embarrassed by the fact that you don't have a clue how to regulate a market. Your interviewers won't ask you about that and you shouldn't ask them about their experience either.
GDS have never created or regulated a market in their lives. And it shows.

-----  o  O  o  -----

The London Stock Exchange regulates its market. Among other things, they operate a regulatory news service, RNS. GDS could have learnt from that.

Instead, they rely on the haphazard use of Twitter to tell the public what's going on in GOV.UK Verify (RIP)'s intensive care unit.

Sometimes new "identity providers" are fulsomely welcomed on board, e.g. Barclays. Sometimes GDS forget to welcome them, e.g. Morpho. That wouldn't happen with an experienced RNS.

There are 100 companies in the FTSE-100. When a new one joins and an old one leaves, that's big news on RNS. For a long time now, there were supposed to be nine GOV.UK Verify (RIP) "identity providers". Then PayPal pulled out. Explanation from GDS? None.

GDS still list eight GOV.UK Verify (RIP) "identity providers" – Barclays, CitizenSafe, Digidentity, Experian, Post Office, Royal Mail, SecureIdentity and Verizon. But Verizon have been closed to new business for over a fortnight now. "More news on this soon", said GDS on 8 March 2016. Since then? Nothing.

A London Stock Exchange marketmaker has to promise to make a market. Otherwise, they lose their membership of the Exchange. They can't just suddenly stop trading. There have to be bid and offer prices on which they will trade at all times. Verizon have stopped "making a market" for over a fortnight. And the consequences? As far as we know, none.

All companies with a full listing on the London Stock Exchange have to abide by the same Exchange rules. That's how you run an orderly market.

With GOV.UK Verify (RIP), some "identity providers" are certified trustworthy by tScheme and some aren't. Why should the certified companies bother to go to all the hard work of obtaining approval if GDS, their regulator, lets other companies operate without approval?

Digidentity, Experian, GBGroup and Verizon are certified trustworthy by tScheme. Barclays, Morpho, PayPal, Post Office and Royal Mail aren't. It's a recipe for creating unhelpful tension in what should be an orderly market.

If you open an account with a London Stock Exchange member to buy and sell shares, you expect it to be straightforward – what you see is what you get. Your account with Barclays Stockbrokers, for example, is an account with Barclays Stockbrokers, not someone else.

Far from straightforward, if you register with GOV.UK Verify (RIP) using Barclays as your "identity provider", it turns out that they rely on Verizon. And if you think you've registered using Royal Mail as your "identity provider", think again. Royal Mail have their accounts managed for them by GBGroup. There's some sort of a tie-up between Digidentity and Post Office as well.

Just who are you dealing with? It's far from clear.

That's not helped when Morpho call themselves "SecureIdentity" and GBGroup call themselves "CitizenSafe".

You've never heard of most of them, have you. Because GDS have never told you anything about them. And yet GDS expect you to trust them all equally, all nine eight seven "identity providers". GDS expect you to trust them with your identity.

The public are being lured into a chaotic identity assurance system, GOV.UK Verify (RIP).

Take for example a tweet that appeared this morning out of nowhere from a company no-one had ever heard of, Yubico.

Apparently, if you're registered by Digidentity, you could also be dealing with Yubico, did you but know it.

Some of the time, GDS think we're all idiots. Some of us can't handle apostrophes or even capital letters and GDS promise that in everything they write no-one will be excluded.

These same people, defeated by capital letters, are meant to be able to make a sensible choice between Royal Mail/GBGroup/CitizenSafe, Barclays/Verizon and Digidentity/Post Office/Yubico.

Here's what Yubico had to tell us this morning. With no public information campaign by way of preparation, who knows what the capital letters-challenged members of the population or anyone else is supposed to make of it?
The UK has spent the past five years on a digital transformation that is setting a world standard [only time will tell, the rest of the world may say thank you but no thanks] for how citizens securely interact with government online services.

The UK’s Government Digital Service (GDS), which came online in 2011, will add in a few weeks a new verification service called GOV.UK Verify [RIP] to this impressive project [this impressive project described by the ex-deputy director of GDS as putting lipstick on pigs].

Digidentity is one of the original identity providers (IdP) for GOV.UK Verify [RIP] and will offer support for the YubiKey and the Universal 2nd Factor (U2F) protocol [what's that then?]. UK citizens can now use a YubiKey as a second authentication factor to access their Digidentity accounts [but GDS said GOV.UK Verify (RIP) is already secure, do you need a YubiKey as well to make it really secure, are the other IdP services less secure because they don't use YubiKeys?], while the country rolls out the first government service in the world to support U2F.

This is an important milestone for both citizens and governments looking to leverage identity data [you weren't looking to leverage identity data, were you, you just wanted to submit your tax return] to secure services while safeguarding privacy. The combination of secure authentication and federation/single sign-on is required for digital services to scale.

GOV.UK Verify uses a host of identity providers who validate a citizen’s personal data, store that data [and share it out of your control with several other organisations anywhere in the world], and verify the user is who they say they are when they attempt to access government digital services. The IdP’s [bit of apostrophe trouble there] are part of an identity federation established as part of GDS.

The GOV.UK Verify program has been running in beta for the past 18 months [25 months]. The program supports 13 services [9 services according to GDS, 8 if you discount rural payments, which doesn't exist] spread over five government departments, but it will have 50 services [time will tell] and 10 departments signed up when GOV.UK Verify goes live in early April. The service will support 90% of the UK’s adult population [66% account creation success rate at the moment but there are a few days left for that to improve], according to the UK government.

“UK citizens can easily purchase a FIDO U2F device online and register it with Digidentity, [how easily? how much does a FIDO U2F YubiKey cost?]” says Marcel Wendt, Digidentity CTO and co-founder. “With a quick online process, the user’s identity is verified [does Digidentity not work, then, without a YubiKey?] and tied to the U2F device, and the data is encrypted to safeguard a user’s privacy [otherwise we have no privacy?].”

Today, verifying identity is mostly done via manual processes [possibly because, when it's important, that's how it has to be done], such as asking people to send identity evidence via snail mail or show ID in-person at a counter service. Those are cumbersome and time-consuming tasks [no snail mail involved when you opened your Amazon account, was there? What are Yubico talking about? There was no snail mail because Amazon piggy-back on the work done by your credit card supplier who piggy-backs on the in person work done by your bank] for people needing access to online services using their digital identity credentials.

To authenticate to GOV.UK Verify using Digidentity with FIDO U2F, the user inserts a U2F YubiKey device into their computer’s USB port, and then touches the device [if I insert your YibiKey and touch it, does that mean I am you?]. There are no drivers or client software to install [but will it fill in your tax return for you?]. Later this year, U2F authentication via Near Field Communication (NFC) and Bluetooth will be supported by Digidentity for secure login from mobile devices.

Digidentity’s ground-breaking IdP service with strong authentication is another example of how Yubico helps secure online identities and innovates to make those identities easier to use and and available to everyone [do you want to be available to everyone?].
Best of luck to Sir Jeremy Heywood. And the British public.

----------

Updated 31.3.16

One of the goals of the GOV.UK Verify (RIP) identity assurance programme is to "grow a new market for identity services in the UK".

CitizenSafe announced the other day that GOV.UK Verify (RIP) is replacing the Government Gateway. In an orderly market the case of the Government Gateway, that announcement should come from a politician or from an official, not from a £2 dormant company no-one has ever heard of.

The Government Gateway is used by companies to submit their annual returns and accounts to Companies House and to submit their tax returns to HMRC. GOV.UK Verify (RIP) can't verify companies. GDS confirm that doing so is "not currently on our roadmap". So CitizenSafe are wrong – GOV.UK Verify (RIP) can't replace the Government Gateway.

Is the announcement made by UKAuthority.com any more reliable?

They suggest that the introduction of two-factor authentication (2FA) by using YubiKey (please see above) with GOV.UK Verify (RIP) is a good thing. It puts GDS up there with Google and Dropbox. ieg4, whoever they are, are equally enthusiastic.

But GOV.UK Verify (RIP) has had 2FA from day one. Copied from the UK retail banks who've been doing it for years, account-holders have to enter a one-time password texted to their mobile phone. Why are UKAuthority.com and ieg4 and Digidentity pushing the unknown YubiKey?

Do GDS endorse YubiKey?

Even if they do, Yubico's terms and conditions of business say, in capitals: "F. Warranty Disclaimer. EXCEPT AS EXPRESSLY PROVIDED HEREIN, YUBICO PROVIDES THE PRODUCT AND THE YUBICLOUD “AS IS”. BY USING THE PRODUCT AND/OR YUBICLOUD, USER ASSUMES ALL RESPONSIBILITY AND RISK OF USE OF THE PRODUCT AND/OR YUBICLOUD WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT".

The wrong people seem to be making the wrong announcements in GDS's new market for identity services in the UK.

GDS have lost control before their market has even opened and long after everyone else like the banks is/are up and running with tens of millions of account-holders and years of successful experience.

For some reason GDS want to drop millions of people who can't handle apostrophes or even capital letters (please see above) into this pit. How are they supposed to decide whether to buy a YubiKey? Is it unsafe to use GOV.UK Verify (RIP) without a YubiKey?

When? When do GDS think it's sensible to go live with GOV.UK Verify (RIP)? "Early April". That could be as early as ... tomorrow.


Updated 8.4.16

GDS have never created or regulated a market in their lives.
And it shows.

GDS are forever changing the GOV.UK Verify (RIP) registration dialogue.

They have recently introduced the following screen:

Three of their "identity providers" can verify you now, they say. The other five are useless – they are unlikely to be able to verify you based on your answers.

This is blatant nonsense – DMossEsq has been verified by no less than four of the "identity providers" deemed by GDS to be useless.

Talking nonsense doesn't help GDS to operate an orderly market. Neither does promoting the interests of three of its suppliers ahead of the other five.

If you're in any doubt, incidentally, which are the useless five "identity providers" according to GDS, click on Show all companies and you'll see:

Five useless GOV.UK Verify (RIP) "identity providers"


Update 12.4.16

This morning, Computer Weekly magazine told us that UK cyber crime growing exponentially. This afternoon, the BBC told us that Security snapshot reveals massive personal data loss.

No news there. Everyone knows the web is a dangerous place to do business.

And everyone knows that the security measures adopted to protect us users can themselves breach our security – there was ElReg last Friday, telling us that US taxmen pull plug on anti-identity-theft system used by identity thieves:
When the IRS [US Internal Revenue Service] admitted last month that 700,000 people's old tax returns – which are full of sensitive personal information – had been sent to scammers, it enrolled those affected in the PIN system.

In total this year, the IRS has issued 2.7 million PIN codes. But the scammers got wise, and used 800 of them to file fraudulent tax returns to redirect people's refunds to the criminals' bank accounts. Now the IRS has stopped the system.
How long before the YubiKeys (please see above) being sold to protect users of GOV.UK Verify (RIP) over the YubiCloud turn out to be used by fraudsters to unlock your personal information?

 And how long before the UK's Government Digital Service stops luring victims into GOV.UK Verify (RIP) with its irresponsible claim that it's "secure"? Without qualification, just "secure":


4 comments:

Anonymous said...

Hi, just a quick note re: FIDO/Yubikeys...

As someone who has a basic grasp on the technology involved here, whether or not Yubico are involved is basically irrelevant. They state in their press release that the standard being used is FIDO U2F, which is now being managed by W3C (You may not have heard of them, but they manage the standards which allow your computer to display websites). It doesn't interact with or require the 'Yubicloud' in any way. There are alternative providers of FIDO U2F compatible keys.

Which isn't, sadly, to disagree with the central point that GOV.UK Verify is likely to be stillborn.

David Moss said...

Thank you for your comment, Anonymous @ 17:20 on 10 May 2016.

The plans for GOV.UK Verify (RIP) were probably hatched in 2007
when the Crosby report came out
and made the failure of the ID cards scheme
clear for all to see.

We lost nothing when the ID cards scheme was finally canned in December 2010
and there is nothing to lose if GOV.UK Verify (RIP) is canned now.
This is no occasion for sadness.
Except, perhaps, for Yubico.

Anonymous said...

Yubi has been around a very long time and is a well respected company as far as one time password keys and security keys go. FIDO U2F is a well regarded security standard, not some random thing plucked out of the air. You can use it on GitHub/Google etal; but in most cases sites allow you to fall back to using Google Authenticator (2FA) or as a backup SMS (not quite 2fa).
There is a difference in these techniques, their vulnerabilities and issues which it helps to understand before rambling. https://nakedsecurity.sophos.com/2014/11/14/understanding-the-options-2fa/
The "YubiCloud" is an optional part and not in anyway a mandatory option, I doubt GDS will be using that as it's pretty simple to use their own code for verification. Google/Github don't. In fact it's mostly used by wordpress plugins from what I've seen, so it's simply provided to lower the barrier to entry for extra-security.

I'm not a huge fan of the new system, but you seem to have an ill informed axe to grind.




David Moss said...

Thank you for your comment, Anonymous at 10:43 on 17 June 2016.

My contention is that GDS are not running an orderly market. That is the axe I am grinding. Among other matters, GDS are not informing people properly about the new system, of which even you say that you are "not a huge fan".

Post a Comment