Federated identity with high assurance
Social logins are the norm. “Click here” to login with Google, Facebook, LinkedIn, etc., choose what information you’re giving up to the relying party and go on your merry way without having to create yet another username and password that will be forgotten a minute later.
The problem with social logins is they don’t necessarily tie an identity to that account. Social media accounts are self-asserted identities and have no assurance behind them. SecureKey wants to take the idea behind social logins and add a higher level of assurance to those identities by leveraging the vetting that financial institutions have done with customers, says Stuart Vaeth, senior vice president of business development at SecureKey. “This is social login with privacy and trust,” he adds.
The company is launching SecureKey Concierge with US Bank in the U.S. This will enable US Bank customers to use the login information for their financial accounts to access other services in a secure and privacy enhancing way, Vaeth says. “This is solving two issues, password proliferation and how does a service provider verify who the user is online,” he adds.
The service builds on the SecureKey’s FedRAMP certified Connect.Gov service sponsored by GSA, USPS and NIST, and on its SecureKey Concierge Service in Canada, which has experienced a doubling of user credentials in each of the past two years.
A similar system has been running in Canada for three years with three banks, says Charles Walton, CEO at SecureKey. One of the main applications is enabling citizens to use the bank login for access the Canadian IRS but other applications are rolling out in some of the provinces. “In the first six months of the year – peak times – we generally see about 2 million transactions a month,” he explains.
SecureKey is in talks with other financial institutions about using the system in the U.S. and the company is focusing on health care for use cases, Vaeth says. Instead of relying on knowledge-based authentication for access to a health care insurer or provider, the Concierge service would use the bank credential to verify identity.
When accessing the site the user would be given the option of using a banking credential for access, Vaeth says. Instead of answering the knowledge-based quiz or undergoing another verification step, the user would enter the banking credential, consent to share the information and then US Bank would pass along an anonymous identifier. “This leverages the identity proofing that the banks have already done,” he explains.
SecureKey is working with U.S. identity and technology partners to increase the range of the Concierge service, leveraging in-market credentials issued and managed by banks, telecommunications companies, government agencies and other organizations.