Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Gov't To Issue Secure Online IDs

Posted by Soulskill on from the you-can-trust-us dept.

Hugh Pickens DOT Com writes "Tom Groenfeldt reports in Forbes that the U.S. Postal Service has awarded a contract to SecureKey to implement the Federal Cloud Credential Exchange (FCXX) designed to enable individuals to securely access online services at multiple federal agencies — such as health benefits, student loan information, and retirement benefit information — without the need to use a different password or other digital identification for each service. SecureKey already operates a trusted identity service in Canada using identification keys provided by one of five participating Canadian banks. It allows Canadians to connect with 120 government programs online with no additional user names or passwords for everything from benefits queries to fishing licenses. The SecureKey program is designed to connect identity providers — such as banks, governments, healthcare organizations, and others — with consumers' favorite online services though a cloud-based broker service. The platform allows identity providers and online services to integrate once, reducing the integration and business complexity otherwise incurred in establishing many-to-many relationships."

7 of 205 comments (clear)

  1. Re:Super Timing by Jeremiah+Cornelius · · Score: 5, Insightful

    Read as: "License to use the Internet".

    Pretty fucking clever. Soon, you won't be able to get a stock-quote or the latest XKCD without this thing - much less, send an email.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  2. Future Mandatory Requirement by cosm · · Score: 5, Insightful

    How long until these become mandatory for all websites. Here's how I could see this going down:

    - First, all major government websites require usage of this.
    - As more and more brick-and-mortal government offices close, more and more people start using the id.
    - VISA, MasterCard, et al begin requiring these for all online banking.
    - Taxable web transactions somehow get tied by law to having to use these.
    - Soon, ISPs require you to log in with it periodically, (remember AOL internet 'sessions'?)
    - All utilities, bills and such paid online start requiring it.
    - Social networks require it for 'think of the children' safety.

    ...Tinfoil futures are a sure bet....we're losing the internet right in front of our faces.

    --
    'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
  3. Re:Super Timing by RelaxedTension · · Score: 4, Insightful

    The NSA wants to streamline it's work with a single foreign key...

  4. Re:Super Timing by FuzzNugget · · Score: 5, Insightful

    I was just thinking... a single set of credentials for every online service, what could possibly go wrong?

  5. Re:Super Timing by Beardo+the+Bearded · · Score: 4, Insightful

    I was just thinking... a single set of credentials for every online service, what could possibly go wrong?

    ... created by the government and sent to the lowest bidder on a system with no accountability for failure.

    We'll be lucky if the oxygen tanks work properly.

    --

    ---
    ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  6. Re:Super Timing by Anonymous Coward · · Score: 4, Insightful

    why would we read it as that?

    Because of past history, the government has been trying to force a national ID on everyone since at least the early 2000's. Remember the Real ID Act?

    coming up for a single sign in is good efficiency, and cost savings.

    It might be good efficiency, but having a single log in for everything is the absolute worst security model you can have. It would only take one web site infected by malware to compromised your entire online presence. Even us old timers know that you don't put all your eggs in one basket.

  7. Yes. by goodmanj · · Score: 4, Insightful

    Identity verification should be a core function of a national government. This can be done right: by creating an agency that does not aggregate data, and serves no other function than to confirm that you are who you say you are when you ask it to. With proper use of two-factor keys and public cryptography, this agency can make data aggregation very difficult: your bank would know you by a different ID# than your cell phone provider, and neither would need to know your name or social security number.

    It's true that a corrupt government can do identity verification very badly, turning it into a panopticon. But corporations don't have the longevity, security, or nationwide reach to be able to do the job well, and a corrupt government can simply force corporations to hand over identity data. So in the worst case scenario, identity verification by corporation is no better than by government. And having no centralized authority at all doesn't work either: the fragmentary system we use now is easy to aggregate, and its resistance to identity theft is only as strong as its weakest link -- which is typically very, very weak.

    With identity verification managed by government, we can at least use electoral pressure to hold the identity agency responsible for its actions, and fight corruption within it. If it's managed by anyone else, we have no control over it at all.