“We want to make the authentication of people over electronic systems convenient and secure,” says Charles Walton, CEO at SecureKey. Founded in 2008, Toronto-based SecureKey is a relative newcomer to the identity market. Its focus is twofold: place secure identity credentials on mobile devices and create identity ecosystems that use credentials consumers already have.
One of SecureKey’s first entries into the market was incorporating its security software into Intel’s Management Engine, a secure coprocessor used in the company’s Ultrabooks. After several years of effort, the technology is just now being introduced.
The Management Engine acts as a secure reader that interfaces with SecureKey’s cloud-based authentication service, Walton explains. It can be accessed by different applications that require access to the security kernel. Some Intel Ultrabooks have built-in NFC capability enabling a user to tap a card or NFC handset on the computer to be authenticated.
A consumer could make a payment with a contactless card using the technology or the same payment card could be registered and used as an identity token. The system would verify the credential data, authenticate the card as well as the computer and then authorize the transaction.
SecureKey demonstrated its technology being used for online payments at the 2012 Intel Developer’s Forum. An NFC-enabled Ultrabook was used to make a purchase using a contactless credit card. When the card was tapped the required form was auto-filled and the payment transaction processed.
The technology can enable other non-payment transactions as well. “The same PayPass card could be tapped and instead of invoking a payment we could login to a home bank account,” Walton says. This ties into one of SecureKey’s main areas of focus–using existing credentials to secure additional types of transactions.
This is the type of system that SecureKey is building for the government of Canada, Walton says. The Canadian government has been working to federate identity so citizens can access services online using a strong identity.
The first credential providers for the project include BMO Financial Group, TD Bank Group and Scotiabank. SecureKey’s Credential Broker Service enables bank-issued online credentials to be used for authentication to social benefits agencies, employment benefits and the Canadian IRS.
Canadian citizens have a choice of whether or not to use the system. When they visit a government site they can choose to create a new login that is unique for the government site or use their banking information. If they choose the latter they are directed back to the bank site, asked to login and provide required identification information. Once verified, they are able to use the user name and password from their bank for access to the government site.
When a user authenticates with their bank, the bank will give SecureKey a non-identifying security token. SecureKey then substitutes the token with a new non-identifying but unique token for the Government of Canada that says the user has been authenticated.
The Credential Broker Service is triple-blind meaning no party to the transaction knows who has provided precisely what information, thus ensuring the user’s privacy. SecureKey is simply a broker of anonymous credentials. The Government is responsible for ensuring that it is actually you accessing your information. The bank is responsible for providing a valid security “token” that only you have so that you connect to Government services more securely.
Eventually those with contactless payment cards will be able to tap them on laptops or readers in order to gain access to government systems, Walton says. The project is moving in this direction but readers have not yet been deployed.
Federating identity in Canada and around the globe
Canada isn’t the only country seeking to enable high assurance credentials for online citizen identity. The UK, Australia and U.S. all have initiatives underway to help facilitate privacy enhancing, secure identities on the Web.
Walton envisions a future where a chip-enabled ID card could be tapped on a computer and used to access government resources, make a purchase or make a doctor’s appointment. “This framework can become a multi-agency, multi-purpose ID,” he says.
SecureKey is looking for “anchor points” in different markets from which to build. For example, if a financial institution with an airline partnership signed with SecureKey, the banking credential could also be used for access to the airline web site and rewards program. It could even extend further, serving any of the financial institution or airline partners.
Establishing anchor points in addition to having more NFC-enabled devices in the market will make strong authentication easier, Walton says.
When SecureKey was started in 2008, its idea to use contactless cards and NFC for login to sites was the same. But laptops with embedded card readers were virtually non-existent.
To fill this void, SecureKey developed a USB reader that could create the same experience without an embedded reader, Walton says. The reader looks like a flash drive but serves as a fully functional contactless card reader when plugged into a computer’s USB port. Today, these readers are being rolled out in Canada for use in its identity project.
Oftentimes the biggest obstacle to identity projects is credential issuance and identity vetting. SecureKey strives to make use of credentials that already exist and takes advantage of identity vetting processes already in place. Using credentials and systems that consumers already use will go along way to increasing identity security online, concludes Walton.