
2019 | Use of Standards & Open Source in Provincial Identity Solutions | Identiverse | Day 2, June 26



The Province of British Columbia has been on a journey towards enabling convenient and secure citizen access to digital services. A new Provincial identity credential, known as the BC Services Card, was established, first issued in February 2013, and has now been issued to all eligible B.C. residents (~4.7 million).

The BC Services Card contains an EMV contactless chip, so the B.C. identity team started by building an authentication service that used NFC card readers attached to citizens' laptops. We then built an Android app that could act as a card reader. But we also needed a solution for iPhones and iPads, and we waited and waited for Apple to allow NFC…

We explored the idea of building a mobile app as a credential, in place of a card. Easy, right? We just needed to issue private keys to every mobile device in the Province, without deploying an enterprise MDM to citizens' devices, on a short timeframe, while developing the Province's first mobile apps.

We figured it out! We met the business need and developed really cool apps that we launched in 2018. We will tell you about our journey and how we designed our solution: how our mobile apps and servers exchange information to register credentials (devices) dynamically and securely, how credentials are authenticated and authorized for use with the server, and how claims and assertions are represented and interpreted securely. We will also tell you how open standards and open source helped kickstart our solution, and how others in the identity community supported us.

Published in: Technology


  1. Use of Standards and Open Source in Provincial Identity Solutions
  2. BC Services Card
     • Introduced to the public in 2013
     • Now issued to 4.7m residents (95+%), adults and children
     • 5-year renewal cycle
     • New government-issued photo ID; can be combined with the driver's licence
     • Basis for a new digital ID and trusted data
     • Has a contactless chip
  3. Chip Authentication Solutions
     • Introduced in 2014
     • 2FA using the BC Services Card, delivering verified identity attributes
     • Service at government counters: USB card reader, chip + photo match
     • Login to government websites: USB card reader, chip + passcode
     • From mobile devices: on Android, using the built-in NFC technology
  4. New Mobile Card Solution
     • Representation of the physical card in a mobile app
     • Designed for Apple and Android, phones and tablets
     • Uses personal phones instead of card readers: the mobile device/app is the credential
     • 2FA with the device for login to government websites
     • Leverages built-in device security: passcode/PIN, TouchID, FaceID, etc.
     • Without enterprise MDM
     • First mobile apps by the B.C. government
  5. Demo: setting up and using a Mobile Card to access a website
  6. Timeline, 2016 to 2019 (the slide is a timeline graphic; milestones listed in project order)
     • Pitch initial concept to executives
     • Vetted with several attendees at CIS
     • Development of prototype
     • User experience design; reviewed with expert advisors
     • Development of Mobile Card and Verify at Counter
     • Security and privacy assessments
     • User testing
     • Launch! (2018)
     • 25,000 mobile cards in use … so far!
     • 2019: development of Verify by Video; more user testing
  7. Key Patterns and Standards: each mobile app is an OIDC client
     • OIDC Discovery: each app instance can refresh the provider configuration
     • OIDC Dynamic Registration: each device is a unique client with its own private key
     • OpenID Connect Core: authentication, id_token, userinfo, access tokens
     • JWK/JWA/JWE/JWS
     • OpenID Connect with the OAuth 2.0 Device Flow
  8. Key Open Source Libraries
     • MitreID OpenID Connect
     • Nimbus SDKs for the OIDC client and JOSE
  9. Discovery
  10. Discovery (continued)
  11. Dynamic Registration
  12. Authentication Request
  13. Token and UserInfo Requests
  14. Technical Challenges
     • Lack of Swift libraries for JWS and JWE crypto (in 2016): developed a custom library based on existing SDKs, using Common Crypto
     • Push notifications: originally considered as a trust component, moved to receipts and attestations
     • Unexpected network drops and timeouts, resulting in a new access token being granted by the server but never received by the client
  15. Learnings
     • Is the mobile app a standalone credential or a derived one? Mixed model: standalone, with its own lifecycle and expiry date, but affected by physical card state changes
     • Key rotation triggers and frequency
  16. Ongoing Ideas
     • Is a single mobile app instance one client or multiple clients?
     • Can a "mobile card" be used for in-person scenarios?
     • How will our solution integrate with other emerging solutions?
  17. Conclusion
     • Thank you to CIS / Identiverse and this community: a great place to learn and meet experts
     • Open standards and open source accelerated our project: they kickstarted our solution rather than inventing something custom, built confidence with our executives, and gave us flexibility and extensibility
