Two factors for access

The DCSF has begun the roll out of an authentication system that could become a cornerstone of public sector IT

People are becoming more familiar with the idea of two factor authentication. If nothing else, the growing number of banks that require their customers to use a card and reader to produce a special code for some transactions is ensuring that the public becomes used to the concept, even if many have never heard of the term.

Now the government is on the verge of a major implementation that could provide the foundation for the way it controls access to sensitive data in a wide range of databases and information stores. It is in the early stages of rolling out the Employee Authentication System (EAS), providing a two factor authentication process for staff designed to control their ability to view only the sections of systems deemed appropriate to their roles.

It is already being used by a number of staff in the Department for Children, Schools and Families (DCSF) for access to the departmental intranet, and will soon face a stiff test when the first staff to use the controversial ContactPoint database on children will be equipped with EAS tokens and passwords.

Beyond that, its developers hope it will emerge as a crucial shared service for authentication in a range of government processes. The idea is that it will enable users to be registered once for access to multiple applications through a single token. Given the sporadic success of the drive for shared services and the prospect of a tightening of public finances, there must be plenty of people in Whitehall hoping that it can deliver on its promise.

Its development has been led by the DCSF with the co-sponsorship of the Department for Work and Pensions (DWP) and Communities and Local Government, along with support from a number of local authorities. The service works through a process in which registered users are given PIN numbers, which are used with the tokens to generate pass codes for access to systems.

A registration authority validates a user's identity and registers them with the EAS, while an enrolment authority then gives them access to different applications, subject to meeting the specified requirements. It is likely that there will be a heavy overlap between the registration and enrolment authorities.

The EAS Identity Provider (IdP) Service stores information it receives from the two authorities on the user and the services they are entitled to access. In addition, local authorities and the NHS will be able to run their own IdPs.

At the hub of the service is the authentication broker, a role the Government Gateway is playing for ContactPoint, coordinating the requests for authentication between identity providers and services. This provides the necessary integration with service providers' systems.

John Skipper, design authority lead for the EAS, says the choice of two factor authentication was one of the crucial decisions in the development of the service.

"The main pressure behind the choice of two factor authentication was that it could provide the highest practical level of confidence in the people who could access the system," he says. "This is especially important as we want it to be a re-useable service for access to sensitive information.

"It provides a good knowledge of who the individuals are, with identification for the authentication process, access and system privileges. A user name and password was not good enough at this level, so we've decided on using the token and PIN number.

"The EAS supports tokens and cards, but our preference for tokens with the roll out is a matter of economics. The readers for cards are more expensive, and you have to carry the card and the reader; but there could be a good economic justification when the card can be used for other purposes."

He says the tokens use an open authentication protocol and can come in a number of forms. Those being used for the roll out are smaller than a credit card and provide a keypad for the user to type in their PIN number. An LCD display then produces a password for one time use, which the user types into the EAS portal for access to the system.
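As an added illustration that is not from the article or the EAS project, the Python below models the handheld token described above (PIN typed on the keypad, fresh one-time code displayed) together with the server-side check of the code. The article does not name the open protocol, so the OATH HOTP algorithm of RFC 4226 is assumed here, using its published test secret rather than any EAS value; the token and verifier classes are hypothetical.

```python
import hashlib
import hmac
import struct

# RFC 4226 test secret (ASCII "12345678901234567890"); constructed sample, not an EAS key.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class KeypadToken:
    """Hypothetical model of the handheld token: the PIN unlocks it locally,
    and each press advances the event counter and shows a fresh one-time code."""

    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin, self.counter = secret, pin, 0

    def press(self, pin: str):
        if not hmac.compare_digest(pin, self._pin):
            return None            # wrong PIN: no code is displayed
        code = hotp(self._secret, self.counter)
        self.counter += 1          # a code is consumed even if never submitted
        return code


class ServerVerifier:
    """Server side: accepts a code within a look-ahead window, so a token whose
    counter has drifted ahead still works, then moves past it to block replay."""

    def __init__(self, secret: bytes, window: int = 10):
        self._secret, self.window, self.next_counter = secret, window, 0

    def verify(self, submitted: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self._secret, c), submitted):
                self.next_counter = c + 1   # resynchronise; earlier codes are now dead
                return True
        return False
```

The look-ahead window is what keeps a user working after pressing the token a few times without logging in, while the advancing counter is what stops a shoulder-surfed code from being reused.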

If they are trying to find non-sensitive information they can log in from anywhere, but for sensitive information the computer they are using has to meet the requirements for access to the server. The extent of the access for a computer depends on the service provided by the organisation to which it belongs.

The token provides another level of security as the codes it generates will be tied to the role of the user. For example, someone in social services will obtain a code that enables them to access the relevant system, but not anything in a field such as education that is not relevant.

The access privileges are filtered through the Government Gateway, ensuring that users can only get to information that is appropriate to their role. Only the EAS interface, not the Gateway process, will be visible to the users.

Skipper says this approach was influenced by what the banks have done with the BACSTEL-IP service for clearing money transfers via the internet, but that it made sense to use the Government Gateway as it has already developed a successful brokerage role in authentication for public services.

The registration process that underpins this meets the requirements for level three authentication of the e-Government Interoperability Framework, and has been accredited under tScheme, the industry led regulatory scheme for trust services.

The cost of a token is estimated at £10 per user, with a £3-4 annual service charge. If one is lost, the holder has to notify the EAS helpdesk immediately and there is a process for its replacement.

Most of the organisations with access will also be able to act as registration and enrolment authorities. More than 100 had signed up for the first stage of the roll out, nearly all local authorities as well as the DCSF and the DWP, but Skipper says he expects that over time other types of authority will also take on the roles.

"This reflects the key principle of re-use of the system," he says. "This has two benefits: keeping costs down for putting in place an identification verification service; and simplicity and convenience for the end user."

He says that some officials, such as school head teachers, currently have to use a handful of different tokens to access different systems during a normal working day. One of the advantages of the EAS is that it could provide a single mechanism, requiring the use of just one token, to get into a range of systems. In its presentations, the DCSF has highlighted the prospect of a teacher using a token to access ContactPoint and the e-Enabled Common Assessment Framework (eCAF).

The first registration authority began to issue the tokens on 8 June, coinciding with the beginning of training in the use of ContactPoint for 800 staff in local authorities and a few third sector bodies in the north-west. The first council is expected to begin using the system during July, with implementations planned for two groups of 15 before the full national roll out begins in October.

Skipper says that during the pilots the EAS team will evaluate the use of the tokens with ContactPoint and the DCSF intranet.

"We're doing this in a measured way because it's a security critical project. We're not rushing to push it out indiscriminately."

Looking further forward, he says the department is in discussion with other bodies about extending the use of the system into a dozen or so other applications. While most of these are currently confidential, the DCSF has publicised plans to use it for some of its own applications, such as the Edubase schools information database, and for the DWP's Customer Information System from next year. There is also a strong potential to use it with the Government Connect Secure Extranet, which has been developed for secure interactions between local authorities and government departments.

He is eager to point out that the system has been developed through central and local government working together.

"It was sponsored by three government departments, with initially eight local authorities taking part, and this has now risen to 100 that have contributed to the establishment of the standards," he says. "We've got a number of groups of local authorities working together to access local and regional applications, in three cases funded by regional improvement and efficiency partnerships.

"You can see the efficiency benefits in a robust shared system."

No doubt the connection with ContactPoint will ensure the EAS comes under some sharp scrutiny in its early days, but passing that test would provide a great boost for its potential as a shared service. It could become one of the core features of the government IT landscape for the next decade.

First published in GC magazine, July-August 2009.