It’s April, so like most Canadians, I spent a lot of time logging in to the Canada Revenue Agency (CRA) and other government websites. As an experience, it was okay – the CRA’s login system is better than that of most federal government departments (and there are almost 60 separate login systems, at least!).
Last year the CRA added two-factor authentication by text message or phone call, after a series of cyberattacks, but their login system still doesn’t support authenticator apps, which are a lot more robust. And if you’re using your own device, you can ask it to remember you for a maximum of eight hours, which I can only guess came from a horribly outdated ITSG-33 recommendation somewhere. That’s the high bar for Government of Canada login systems, and it’s not much. The 60 or so other login systems are older, less secure, and less user-friendly.
Fortunately – and colleagues at TBS and other government departments were really happy to see this – there’s a specific commitment to improve this in the most recent mandate letter for the President of the Treasury Board:
“Working towards a common and secure approach for a trusted digital identity platform to support seamless service delivery to Canadians across the country.”
Digital identity is hard. It’s particularly hard for countries like Canada, the United States, and the United Kingdom that don’t have national citizen identity cards (which are in use in most countries around the world). Even the term “digital identity” (or digital ID) can often mean more than one thing at once:
- Authentication, or sign-on (securely logging in with, for example, the same username and password you used last time)
- Identity verification (confirming that you’re really the real “you”)
- Authorization (providing you with access to specific services, or not, depending on who you are)
On top of that, different services and websites have different expectations in terms of the sensitivity of the information you can access online, or the activities you can do (often called “levels of assurance”). For example, ordering a national park pass online isn’t as sensitive as applying for a passport.
The experience of other countries is a helpful guide as Canada starts to prioritize digital ID work. In the United Kingdom, the Government Digital Service is working on their second attempt at a sign-on service (their first, which focused heavily on identity verification, floundered without seeing a high level of public uptake). The United States focused specifically on authentication with their open source login.gov service, which I’d consider the best role model out there. (Login.gov added an identity verification option several years after launching, which is a really smart approach.)
Much like the US’s approach with login.gov, and the UK’s new second attempt, I think we should park identity verification and leave it as a future problem to solve, once we have a modern, user-friendly authentication system up and running and widely adopted by federal departments. With digital ID as a mandate letter priority, here are my own small hopes for what I’d like to see here in Canada.
1. I want to log in directly through a government system
In 2012, the Government of Canada and a third-party service provider launched an external sign-in service, following a competitive procurement. If you sign in to the CRA (or other government websites) via your bank account login, you’ve used the service.
It’s secure, it’s reasonably convenient. I don’t like it. If my bank’s website is down, or my bank account gets compromised or suspended, I don’t want that to stop me from accessing government services. Even more so, logging in through banking companies adds an uncomfortable dependency on corporate providers as the “front door” to accessing critical public services. Not to mention: there are a lot of federal government services (particularly for immigration and visa applications, but also national parks and other use-cases) that people outside of Canada need to be able to access. If a Canadian bank account is the most prominent login option for government websites, that’s a recipe for a lot of confusion. It’s also an important equity issue, given that almost a million Canadians don’t have access to bank accounts. People in vulnerable situations often face the most government bureaucracy, and we should work to remove barriers wherever we can.
For all these reasons: I want the future, default option to be a regular login directly through a government website, similar to the US’s login.gov.
I can’t help but wonder if there was any design research done when the external sign-in procurement was done. I doubt it. Today, the external sign-in service contract and the contract to run the government’s regular, internal sign-in systems are with two companies that are now both owned by Interac (the debit card processor), which makes me worry about long-term vendor lock-in.
2. I want it to be fast
This goes without saying, but the future digital ID service should be lightweight and really fast. It can take two or three minutes (or more!) to go through all the steps of logging in through the government’s current login systems, with a series of “Please wait…” screens along the way.
Think about how long it takes you to log in to your Google or Microsoft account: a few seconds at most. That’s the speed we should be aiming for, if we want people to have a good experience using the service. Logging in is just a necessary, slightly painful step along the way to what the person logging in actually wants to do; it should slow them down as little as possible. Modern, scalable cloud infrastructure makes it possible to do that even when millions of people might be logging in at once (hello, April tax season!).
Signing up for a brand-new login, the very first time, should also be fast. Working in government tech, you hear a lot of anecdotes from people who got halfway through signing up for an account (for any of the government’s many services and login systems), and after ten minutes of struggling, gave up and called the call centre instead. There’s a lot we could improve.
3. I want it to work across government services without re-signing in
The 60 or so separate logins currently used by Government of Canada departments are a clear organizational failure. They’re also an added level of frustration to users, who might have to sign into different government websites several times in the same day.
If I’ve logged into one government department using the future digital ID service, I’d like to already be logged in to any other government department and service I visit. That means moving to one centralized digital ID service (the one exception to my usual skepticism of standardization), implemented in a way that maintains a persistent login state. If you’re logged into your Gmail account, you don’t have to log in again to access Google Docs or your Google Calendar. Government services should be just as straightforward.
The CRA and ESDC briefly had a login “bridge” that let you access your account on the other department’s secure website after logging into the first; it’s not currently available but it was a useful proof of concept. In the long run, I’d like to see a centralized, government-wide equivalent of accounts.google.com (or the equivalents from other platform providers) – a home for my security and login settings, my connected apps and services, and a quick way of jumping to the various government services I regularly use.
Google and its peers also have a smart approach to “re-authentication”. You’re essentially signed in all the time, without needing a “remember me” checkbox or having a painfully short several-hour timeout, but if you go to change your account settings, or view your saved passwords, or some other more sensitive function, you’re asked to sign in again first as a safety measure. Unusual activity (like suddenly accessing your account from a network on the other side of the world) might trigger a similar re-authentication process.
Using that kind of approach, I want my login state to last for days (or weeks, or months!) on my personal device, not just a few hours. If it works for Gmail (and don’t forget, people buy houses via email and DocuSign), with all the fraud detection and cybersecurity protections they have, we can make it work for government websites too.
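The re-authentication pattern described above, sketched as a policy check. This is an added example, not code from this post, from Google, or from any government system; the lifetimes, the action names, and the use of country as the “unusual activity” signal are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed policy values, for illustration only.
SESSION_LIFETIME = 90 * 24 * 3600   # stay signed in on a personal device for 90 days
FRESH_AUTH_WINDOW = 10 * 60         # sensitive actions need a sign-in within 10 minutes
SENSITIVE_ACTIONS = frozenset(
    {"change_password", "change_two_factor", "change_direct_deposit"}
)


@dataclass
class Session:
    created_at: int             # when the person first signed in (Unix seconds)
    last_auth_at: int           # when they last proved who they are
    usual_countries: frozenset  # where this account normally signs in from


def decide(session: Session, action: str, country: str, now: int) -> str:
    """Return 'allow', 'reauthenticate' or 'full_login' for one request."""
    if now - session.created_at > SESSION_LIFETIME:
        return "full_login"          # the long-lived session has finally expired
    if country not in session.usual_countries:
        return "reauthenticate"      # unusual activity: challenge before anything else
    stale = now - session.last_auth_at > FRESH_AUTH_WINDOW
    if action in SENSITIVE_ACTIONS and stale:
        return "reauthenticate"      # step up only for the sensitive function
    return "allow"                   # everyday use: no prompt at all


def record_reauthentication(session: Session, country: str, now: int) -> None:
    """Call after a successful challenge; refreshes the fresh-auth window."""
    session.last_auth_at = now
    session.usual_countries = session.usual_countries | {country}
```

Everyday requests pass without a prompt for the whole session lifetime, and only the sensitive or unusual ones cost the user a second sign-in.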
4. I want it to work with my authenticator app
Two-factor authentication via text messages (SMS) or phone calls is better than nothing, but there are a lot of reported cases of people fraudulently transferring other people’s phone numbers to new SIM cards to bypass this protection.
A more secure approach is two-factor authentication via an authenticator app (like Google Authenticator, LastPass Authenticator, or similar apps). Once set up, these can’t be compromised the same way that text message or phone call authentication can be. Security experts actually recommend turning off text message-based two-factor authentication once you have an authenticator app set up and configured.
The highest gold standard is hardware-backed two-factor authentication, using physical tokens like Yubikeys. I’d like to see the federal government’s future digital ID service support both authenticator apps and hardware tokens, as well as provide an option to turn off text message-based authentication.
That said, with any form of two-factor authentication – including the text message and phone call authentication used today – we need to think really carefully about who might be accidentally excluded, and how to make sure they can still easily access government services:
Recently, an acquaintance in tech asked me what, in my experience as a public librarian, makes websites and apps unusable to people with limited technology access, and after a few days thinking about it, I’m gotta put one of the biggest ones as two-factor authentication. — Aydin Kwan (@heyakwan), November 29, 2021
5. I want to log in to provincial services through a federal ID, not the other way around
Over the past five or ten years, there have been a few efforts to let you log in to Government of Canada websites using your provincial login accounts. The CRA and ESDC both let you log in nowadays with your British Columbia services card or Alberta digital ID. As other provinces and territories roll out digital ID systems, these might also become available.
I’d like to see the exact opposite happen: I’d like to have one Government of Canada digital ID, and I’d like to be able to use it to access provincial or territorial websites and services. Why? People move around. People move across Canada for work, for education, for families and partners’ job and life opportunities. People moving around helps keep the Canadian economy going, as job opportunities open up in one part of the country or another. Anything that governments can do to facilitate moving from one province or territory to another is valuable, if for no other reason than to reduce unemployment and boost the economy.
As my friend Nisa and I joked back in grad school: you end up with a student card from one university/province; a health card from another (still valid when you’re a post-secondary student!); a drivers’ license from the province before that; and your birth certificate, social insurance card, and other paperwork somewhere back home with your family.
Having your canonical digital ID exist at the provincial level makes all of that incredibly cumbersome. It’s more user-friendly, instead, to have it exist at the widest-possible organizational level – in Canada’s case, at the federal level. Similarly, if I lived in Europe, I’d want a digital ID at the European Union level. If I moved from, say, Finland to Sweden, I wouldn’t want to have to restart from scratch with a new digital ID. (For full disclosure: I’m a federal public servant, so maybe of course I’d argue for this…!)
Making this happen depends on building a reliable, interoperable digital ID at the federal level (and having it work well!), then having provinces and territories adopt it as a login option for provincial and territorial services. That depends on a level of federal-provincial/territorial collaboration that seems to always be incredibly messy. Provinces and territories also hold the vital statistics information for most Canadians, adding another layer of organizational complexity.
Still: as someone who grew up in Saskatchewan, went to grad school in Ontario, worked overseas for a few years and now lives in the Yukon… we can always hope!
Where are we at today?
Digital ID at the federal level is in some ways a good representation of our overall challenges with technology. We have a hodgepodge of 60-some separate login systems that mostly work, most of the time, but are slow and unfriendly to users. We have a lot of documentation: the 43-page User authentication guidance for information technology systems, published in 2018; the 30-page Guideline on Defining Authentication Requirements, published in 2012; the 45-page Guideline on Identity Assurance, published in 2016; and the 4-page Directive on Identity Management (and accompanying 4-page Standard on Identity and Credential Assurance) updated in 2019.
Beyond all of these, there’s the Pan-Canadian Trust Framework (PCTF), shepherded by a group of industry and government stakeholders and designed to promote interoperable digital ID solutions from multiple providers. The PCTF has been in the works for more than a decade; a friend in the public service worked on it thoughtfully for years. Ultimately, though, I think it’s a good reminder that careful planning will only get us so far, without the implementation capacity that the public service has historically been lacking. To which some might say: let’s leave digital ID fully to the private sector. I disagree; that’s a recipe for vendor lock-in and corporate capture, and a corresponding loss of public trust in government institutions. Bianca Wylie’s piece last October on digital ID (in the context of the Government of Ontario’s provincial consultations) is an excellent read that addresses this issue directly.
In the decade that we spent planning and writing documents, the United States built and launched login.gov; the United Kingdom built, abandoned, and built another sign-in system (the latter admittedly still a work in progress). We could learn from their experiences: start small, with just authentication (not identity verification), and use open source software libraries that are already available and battle-tested. We could adopt the open source code for login.gov, repackage it, and deploy it on cloud infrastructure very quickly compared to building something from scratch. (It’s already available in both English and French!) The more challenging part, of course, is updating each web application and IT system across departments to work with it, one at a time. That’s something where login.gov provides a great role model, too: the developer documentation on how to connect other systems to it is publicly available and second to none.
Lastly: under our current approach, both the internal login and external sign-in systems are operated by external service providers and managed by SSC. SSC charges cost-recovery fees to departments that, from what I’ve heard anecdotally, are hard for departments to predict and plan for. Any future digital ID system, if we want departments to adopt it (which we should!), should be funded centrally and free for departments to use. Incentives matter; it has to be easier and cheaper to use the centralized future digital ID service than to run a small login system for each departmental application. And, once it’s up and running, it should be free for provinces and territories to leverage too.
That’s what I’d like to see: a modern, secure, and easy-to-use federal digital ID system. I don’t want to log in through my bank or insurance company. I don’t want to have to sign in over and over again for each department, or over and over again later the same week. I do want the system to work with my authenticator app. And I want to log in to provincial services through a federal ID, not the other way around.
And no, I don’t want it to use blockchain. Come on, people. 😜