Have DWP and GDS taken leave of their senses
suggesting that we should trust unknown third parties
with our user IDs and passwords?
The Department for Work and Pensions (DWP) identity assurance press release the other day naming seven of the UK's "identity providers" (IDPs) was commendably short. Every word counted:
"... providers will be required to ... minimise the number of usernames and passwords a customer will need to remember ..." – what's that all about?
13 November 2012 – Providers announced for online identity scheme
The Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, and Verizon are the successful providers chosen to design and deliver a secure online identity registration service for the Department for Work and Pensions.
The identity registration service will enable benefit claimants to choose who will validate their identity by automatically checking their authenticity with the provider before processing online benefit claims.
The Minister for Welfare Reform Lord Freud said:"We are working with cyber security experts to ensure we are clear about the threats to the online process and we are confident that the providers announced today will offer an effective, safe and free to use identity service for future online benefit claims."As well as offering a safe and secure system, providers will be required to offer a simplified registration process, minimise the number of usernames and passwords a customer will need to remember and reduce the costs incurred across Government for the management of Identity Assurance.
The online Identity Assurance model will be incorporated into Universal Credit as it’s developed and rolled-out. Over time Identity Assurance will become available to all UK citizens who need to access online public services.
At the moment, you have to know separate user IDs and passwords for logging onto Facebook, for example, Twitter, Amazon, eBay, PayPal, your bank, HMRC (self-assessment), HMRC (VAT returns), etc ... That is very inconvenient.
GDS, the Government Digital Service, the people behind identity assurance – remember, ex-Guardian man Mike Bracken is not only chief executive of GDS but also the senior responsible
So what they propose is that you give all those user IDs and passwords to your chosen IDP and let them log on for you. You still have to remember the user ID and password you use to log onto your IDP. But as long as you can do that, you're fine, your IDP will remember all other user IDs and passwords and log on for you.
That's obviously convenient. But is it wise?
Take a look at the seven IDPs. Which one would you trust with the user ID and password for your bank accounts? And why? You've never heard of them, have you? Apart from the Post Office. They may all be eminently trustworthy. But suppose some ne'er-do-well teenager with Asperger's hacks into them and just steals all the user IDs and passwords?
Remembering all those user IDs and passwords ourselves may be unavoidable. It may be the price we pay for security. It might be convenient to have someone do our remembering for us but, if we lose our security as a result, it wouldn't be wise.
Have DWP and GDS taken leave of their senses suggesting that we should trust unknown third parties with our user IDs and passwords?
In the intervening two-and-a-bit years since the post above was written the notions of secure websites and secure communications have died a thousand times. Remember Sony. Take a look at yesterday's Telegraph, Hackers steal £650 million in world's biggest bank raid. Think back to QinetiQ.
Your only option is to minimise your inevitable losses. Make sure that if one set of defences is breached they aren't all breached. Maintain distinct logon ID-and-password combinations for each on-line service you use.
The Government Digital Service continue to try to breathe life into the corpse of their Identity Assurance programme (IDA). The service is now known as "GOV.UK Verify". GDS continue to ask us to believe against all the evidence that it is secure.
And they continue to advocate having as few logon ID-password combinations as possible on the grounds that that is convenient and the Devil take the risks. No bank would recommend that. But then the banks are liable to compensate you if your bank account is emptied by hackers. GDS aren't. If you're hacked as a result of using GOV.UK Verify, you pay.
The BBC have been drafted in to promote GOV.UK Verify. Here's an extract from BBC Radio 4's World At One news programme, 23 January 2015:
David Alexander, the CEO of Mydex, is interviewed. Mydex is one of the five "identity providers" left at GDS's identity assurance funeral. Use a Mydex personal data store (PDS), says Mr Alexander towards the end of the extract, and let that log on to all your other services for you. That will be much more convenient.
Take him, for example. Currently, he says, he has 705 logon ID-password combinations for on-line services he uses. That's awfully inconvenient. How much better to store them all in his PDS and let Mydex log on to these 705 services for him.
But hang on a minute. If one of those 705 services is hacked at the moment, he's left with 704 services that haven't been hacked. Follow his recommendation, use a Mydex PDS, and one security breach opens the door to all 705 services.
You don't need to be a genius at risk assessment to recognise the disproportionate danger of the PDS idea.
Mr Alexander is in 705 times more danger if he uses GDS's GOV.UK Verify than if he doesn't.
If someone offers you the convenience of a single logon ID-password combination, run a mile.