Tuesday, November 2, 2010

AUSkey: Australian Government’s attempt at SSO

The Australian Government’s Standard Business Reporting (SBR) program is attempting to roll out single sign-on (SSO) across all Federal government departments and some state government departments.

You know that problem of having too many different usernames and passwords to remember? Single sign-on is the solution to that. The concept behind SSO is that a user should only have one credential to access multiple services from the same entity. AUSkey is the Australian Government’s attempt at SSO.

Using an AUSkey is simple enough. When a user attempts to access a participating government e-service (e.g. the ATO Business Portal), they are prompted to select an AUSkey (digital certificate).

After selecting a digital certificate, you are prompted for a password.

After entering the password and clicking continue, the user is directed to the resource on the participating site.

For reasons unknown, SBR have chosen to use a Java applet to provide the authentication dialog. This Java applet must be installed on each device used to access AUSkey-authenticated systems.

Because an AUSkey user might not always have the ability to install the AUSkey client (e.g. in corporate environments), there is an ‘install to a USB’ capability. This installs a standalone/portable Firefox browser to a USB drive and preinstalls the AUSkey certificate (the AUSkey browser.exe file is visible, but the AUSkey and AUSkey software for USB folders are hidden).

The Firefox browser is ATO branded and returns the user-agent string:
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (AUSkey Mobile Access)

My observations so far:

  • The sign-up process is overly complex. True to government form, there are too many unintuitive forms to fill out. People are familiar with the sign up/e-mail confirmation/login concept. AUSkey needs to be as easy to use as Microsoft Windows Live ID for people to be enthusiastic about it.
  • The AUSkey installer is just as convoluted. The Nullsoft MSI installer crashed upon first run, and appeared to stall repeatedly during the installation.
  • AUSkeys aren’t portable. For an unknown reason, my desktop browser could not find the certificate installed on my USB key. I had to sign up for an additional AUSkey.
  • You should be able to use AUSkey without an installer. AUSkey uses Java-based browser plug-ins for the certificate selection. There are methods of requesting client certificates that don’t require Java applets. This is especially important since Microsoft doesn’t include it with Windows 7, and Apple is unlikely to bundle Java with their next MacOS release.
  • Lack of browser support. The AUSkey software does not support Google Chrome or Internet Explorer 9 beta (yes, I know it’s beta! But one of the reasons Microsoft release beta products is to ensure day-one compatibility when the RTM version is released).
  • Lack of multiplatform support. If you’re using Windows or MacOS X, you’re in luck. Linux, iPad, iPhone, Windows Phone 7, Telstra tablet? Sorry guys. I get the feeling SBR developed the user requirements five years ago and haven’t updated them since.
  • Business users only. I’d like to use this on other government websites like Medicare Online. It’s silly that the authentication used to access my medical records is weaker than my tax records. I guess that shows who values IT more.
  • Low number of participating sites. I thought ASIC would be a number one citizen with AUSkey. If ASIC don’t support AUSkey, I have very little hope for the Department of Fair Trading NSW.
  • The government is competing with…itself. According to the AUSkey website, “You'll no longer need different user IDs and passwords for each government agency that you have to deal with - the one AUSkey will work for all!”. According to the Australia.gov.au website, “Dealing with the Australian Government online just got easier, with a single [Australia.gov.au] account to sign on to multiple agencies”. Perhaps the government are trying a two-prong strategy: AUSkey for business and australia.gov.au ID for citizens? If so, what a waste of infrastructure!

AUSkey is promising but has a lot of progress to make. It will become a more compelling offering when more government online services support it. Until then, I’ll use it once a quarter to authenticate with the ATO for online activity statement submission.