Queensland has built a federated identity blueprint

The Queensland government has created a blueprint for whole-of-government federated identity that it hopes will eventually span both the public and private sectors, in an effort to transform service delivery.

The state's chief information office (QGCIO) has put together a bundle of documents intended to guide Queensland agencies in their implementation of "trusted identity management practices" for the sharing of assured identities.

It is seeking to encourage a federated model of authentication for identity, whereby an individual known to one body can be authenticated by another to whom access is being sought by the individual.

"Identity is the starting point of trust and confidence in interactions between the public and government; it is a critical enabler of service delivery, security, privacy and public safety activities; and it is at the heart of the public administration and most government business processes," the QGCIO wrote in its overview.

"In recent years, the need for portable and trusted identities has never been stronger.

"The methods of proving our identity remain locked in a traditional physical mode, based upon paper or plastic documents. This reliance on traditional modes of identification and authentication is becoming a significant barrier to innovation."

The blueprint contains a set of common principles; use cases; information, process, and functional models; architectural patterns, options, and practices; and standards and protocols for interoperability.

It categorises identities into four types: individuals, organisations, devices, and resources.

The QGCIO is hoping that the blueprint will help agencies better assess and integrate identity risk into their overal risk management practices - and therefore manage identity as they would other business risks.

It could also create an environment where identity and credentials can be relied on by a range of departmental, jurisdictional and industry participants.

"Queensland government’s vision for an identity ecosystem is a federation of organisations across public jurisdictions and private sector delivery partners who trust each other’s assurances of identity," the QGCIO said.

"This includes government agencies, other jurisdictions, non-government organisations, hospitals, schools, and digital customer identity providers and possibly in the future, financial or telecommunications institutions."

It could also bring in social media providers like Google and Facebook - the QGCIO said it could make more sense to let users bring their own identity, like social media credentials, where only a low level of identity assurance is sufficient.

The office did however note that there were limited scenarios in which this approach would be appropriate.

"To date, there has not been a market for freely available and easy-to-use high-assurance credentials."

The QGCIO said the ability to share and trust identity information across this broad ecosystem was key to "seamless" service delivery across the entire state.

Customers will also get greater choice in which credentials and identities they want to use when accessing government and private sector services, it said.

"Customers are generally seeking a consistent experience across services, without the need to provide personal information repeatedly and have more choice in terms of what information they reveal to whom and when."

Service delivery costs for organisations involved in the federated identity ecosystem should also go down as a result of more transparency, it said.

The federated identity blueprint leaves technology choice to agencies in terms of the underlying infrastructure for identity solutions, thereby avoiding some of the risk of centralised storage.

Several Queensland government agencies currently use the state's QGov identity broker service to authenticate a customer, via their digital profile established with a particular agency. QGov also interacts with the federal document verification service (DVS).

The QGCIO said QGov was a good example of a customer-controlled model that allowed individuals to manage how their data is shared.

The blueprint was approved by the QGCIO's director of strategy, policy and governance last month after a year of consultation and revisions.