"SAML is the Windows XP of Identity"

The title is a quote from a talk on OpenID Connect and OAuth2 given by Dominick Baier (@leastprivilege) at Norwegian Developer Conference 2014 which I had the pleasure of attending.


The slide above really piqued my interest, as it summed up nicely the concerns I’ve had regarding how we should approach OpenID Connect with regards to Swedish electronic citizen identification. The longer it takes for us to get the SAML2-based pilot, which is currently idling empty, into full-fledged production the shorter its effective window (which closes at the point where we migrate to OpenID Connect) becomes.

In other words, every additional day’s delay reduces the payback period on the investment into SAML2 infrastructure. The transition to OpenID Connect is inevitable, in my view, and this needs to be taken into account when budgeting for Swedish e-ID services. The salient point then, as I see it, is not if OpenID Connect will happen but when.

My main reason for concern is probably that I think this needs to happen sooner rather than later, given that OpenID Connect handles use cases like logging into mobile apps much better than SAML2 does. In the SAML2 case, or rather in the case of the profile of SAML2 selected for Swedish e-ID, it is assumed that all communication with on-line services is performed using a web browser, which can be re-directed back and forth between the on-line service and an authentication service in order to handle the actual login.

In addition to the browser-based flow described above, OpenID Connect also covers profiles developed specifically for native applications and mobile apps. These dedicated profiles improve both user experience and security, since the app no longer has to hand the login off to a web browser.
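To make the contrast with the browser-redirect model concrete, here is an added illustration of the OpenID Connect authorization code flow as a native app would drive it, with the OpenID Provider (OP) simulated in the same process. This is example code written for this post, not code from the original article, from BankID or from the Swedish e-ID pilot. The issuer URL, client_id, the custom-scheme redirect URI and the shared signing key are all assumed values, and the ID token is signed with HS256 only so that the example runs with the Python standard library alone; a real OP would sign with an asymmetric key (RS256/ES256) published via discovery and a JWKS endpoint.

```python
"""Added example: a native app completing an OpenID Connect login.

Constructed for illustration only. ISSUER, CLIENT_ID, REDIRECT_URI and
SIGNING_KEY are assumptions, not real endpoints or secrets.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

ISSUER = "https://op.example.test"            # assumed OP issuer identifier
CLIENT_ID = "se.example.pensionapp"           # assumed native-app client_id
REDIRECT_URI = "se.example.pensionapp:/cb"    # custom-scheme URI the app registers
SIGNING_KEY = b"constructed-demo-key"         # HS256 secret for the demo; real OPs use RS256/ES256
ID_TOKEN_LIFETIME = 300                       # seconds


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def query_params(url: str) -> dict:
    """Flatten the query string of a request or callback URL into a dict."""
    return {k: v[0] for k, v in parse_qs(url.split("?", 1)[1]).items()}


# --- the app (relying party) side ----------------------------------------
def build_authorization_request(state: str, nonce: str) -> str:
    """The request the app hands to the OP, via system browser or a 'security app'."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,   # binds the callback to this request (anti-CSRF)
        "nonce": nonce,   # binds the ID token to this request (anti-replay)
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"


def validate_id_token(id_token: str, expected_nonce: str, now=None) -> dict:
    """The checks OpenID Connect Core requires before the login may be trusted."""
    head, payload, sig = id_token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # pin the algorithm; never take it from the token
    expected = hmac.new(SIGNING_KEY, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


# --- the OpenID Provider, simulated in-process ---------------------------
_codes = {}   # authorization code -> what it was issued for


def op_authorize(request_url: str, subject: str) -> str:
    """User authentication itself is elided; returns the redirect back to the app."""
    q = query_params(request_url)
    if q.get("response_type") != "code" or "openid" not in q.get("scope", "").split():
        raise ValueError("unsupported request")
    if q.get("client_id") != CLIENT_ID or q.get("redirect_uri") != REDIRECT_URI:
        raise ValueError("unknown client or redirect_uri")
    code = secrets.token_urlsafe(16)
    _codes[code] = {"sub": subject, "nonce": q["nonce"], "client_id": q["client_id"]}
    return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': q['state']})}"


def op_token(code: str, client_id: str) -> dict:
    """Token endpoint: the code is single-use and bound to the client it was issued to."""
    rec = _codes.pop(code, None)
    if rec is None or rec["client_id"] != client_id:
        raise ValueError("invalid_grant")
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": rec["sub"], "aud": client_id,
              "iat": now, "exp": now + ID_TOKEN_LIFETIME, "nonce": rec["nonce"]}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return {"id_token": signing_input + "." + b64url(sig), "token_type": "Bearer"}


def native_app_login(subject: str = "constructed-user") -> dict:
    """End to end: request, callback, code exchange, ID token validation."""
    state, nonce = secrets.token_urlsafe(8), secrets.token_urlsafe(8)
    callback = op_authorize(build_authorization_request(state, nonce), subject)
    resp = query_params(callback)
    if resp.get("state") != state:
        raise ValueError("state mismatch")
    tokens = op_token(resp["code"], CLIENT_ID)
    return validate_id_token(tokens["id_token"], nonce)


if __name__ == "__main__":
    print(native_app_login("constructed-user-1"))
```

Two things to notice in relation to the SAML2 discussion: the app ends up holding a compact, signed JSON token whose issuer, audience, expiry and nonce it can check with a few lines of code and no XML signature handling, and the callback arrives at a URI the app itself owns, which is what lets a "security app" or the platform deliver the result to the app instead of a browser session. The code is single-use and bound to the client it was issued to, so replaying the callback yields nothing.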

If we take a quick look at Swedish government agencies like the Pensions Agency (Pensionsmyndigheten), the Social Insurance Agency (Försäkringskassan) and the Tax Agency (Skatteverket), we can see that they all offer apps, providing Swedish citizens convenient access on the go or from the couch, and this switch to mobile is probably only just getting started.

One thing these apps all have in common is that they don’t support authentication using Swedish e-IDs. They only support authentication using Mobile BankID. The reason for this is pretty straightforward: BankID are alone among the current crop of e-ID suppliers in that they have launched a mobile authentication solution. This solution consists of what they call a “security app” that handles e-ID authentication on behalf of other apps. OpenID Connect refers to this kind of “security app” as an “authorization agent”, even though the actual implementation details differ.

SAML2, as well as the SAML2-based Swedish e-ID pilot, does not provide anything equivalent to the “security app” or “authorization agent”, meaning every app is left to handle authentication for itself by opening a web browser and pointing it at the authentication service. As mentioned above, this affects user experience and, by extension, security as well. BankID saw this as a serious enough shortcoming to choose not to join the new Swedish e-ID pilot, and they represent an estimated 95% of the Swedish e-ID market on their own, even though there were additional reasons behind this decision as well.

If you were to launch such a SAML2-based system against Mobile BankID, which is not only already well established in the market but also already adapted to an increasingly mobile society, chances are you would effectively be consigning yourself to playing no more than a marginal part. By choosing a more modern, mobile-ready approach based on OpenID Connect instead you would at least be allowing other suppliers the chance to compete with Mobile BankID on equal technical terms. This in itself is of course no guarantee of increased competition, but we would at least have removed the technical obstacles that have led to the situation we find ourselves in today, where public sector apps are only able to allow authentication using Mobile BankID as opposed to the full spectrum of Swedish e-IDs.


The image above shows the growth in transactions per month for the BankID authentication solution, broken down by type of e-ID. The two blue lines represent smart card-based BankIDs and soft token-based BankIDs respectively, while the red line represents Mobile BankIDs. No unit is given for the y axis, but the total number of transactions for the year is estimated at about 500 million earlier in the presentation (the presentation in question being the official May 2014 statistics for BankID).

As mentioned earlier, BankID currently represent approximately 95% of the Swedish e-ID market, so their numbers should give us a very good idea about the market as a whole, and we can clearly see that while the demand for smart card- and soft token-based authentication transactions has remained more or less stable for the past two years, the demand for mobile authentication transactions has increased exponentially.

This is not a development we can afford to turn a blind eye to, and I hold it as self-evident that the main focus for Swedish eID needs to be on mobile. At present I can see no better option than to switch from SAML2 to OpenID Connect.

Oscar Jacobsson

Oscar has worked with electronic identification since 1995, and with e-IDs since 2002. In 2010 he founded Ayoy together with John Allberg.