The Department for Children Schools and Families has begun to roll out the authentication process for access to the ContactPoint database. The first registration authority for the Employee Authentication Service (EAS) went live on 8 June 2009, beginning to issue tokens to a few hundred staff involved in the department's extranet …
"... but the DCSF has said the EAS provides a robust method of authentication which will protect the system from abuse."
No it won't. It will mitigate the risk but it won't protect the system from abuse. How long before we hear of one of these one-time-password tokens being left, along with its PIN, in a taxi? Or before one person in a department is issued a token and has it routinely shared by all people in the department?
I do hope that "John Skipper, design authority for the EAS," is not responsible for that gross over-statement of the EAS's capability.
It's enough to make a cat spit.
WTF have they got to do with children?
I think I can safely predict that...
a) a fair proportion of staff will write their PINs on the token (or have it in their wallet/purse next to it)
b) at least one of the above will leave it somewhere where someone without access to ContactPoint will be able to find it
Users' 'solution' to needing to always carry the token
"generate a code on an LCD display which they can use one time for access to the database through an authorised computer"
So the users won't blu-tack the token to their 'authorised computer' along with PIN etc., thus allowing anyone passing by access?
Token, sticky label...
... PIN written on sticky label.....
These people have no clue.
RE: Tokens, labels and blu-tack.
Even better than that -- I bet the system they use allows for "temporary passwords" used when the token is "mislaid" and that a significant number of people will end up with such passwords.
@Greg - re:DWP?
I would cynically think that it's due to the fact that all children will be held on there until working age, so it's a good register of everyone that can work...
Is it the DWP or HMRC that are responsible for Child Tax Credits?
Suppose we have a child, let's call that child 'P'.
Can we have a list of the names of all the people that can access 'P''s records? Would that list be 10 names long (e.g. 'P's teacher, headmaster, social worker, doctor....) or would it be 100 names long (e.g. every teacher, every headmaster, every social worker) or 1000 names long (I see they're including police and charities and civil service unconnected with children and plastic police and local government and pretty much anyone dressed in a high visibility jacket)?
Or are we talking about any of 300,000 plus people ultimately being able to dig into 'P's details?
Also I see the rozzers have their own child database 'Merlin' which doesn't have these controls on it. Can the rozzers fill their own database with data taken from ContactPoint?
Also I notice that MPs think their own children are not on the database, when I reckon they are on that database; it's just that those records are shielded from some of the roles. So how many thousands of people in which roles can see the data on children of MPs?
Seems to me, they are talking in general terms about logging in to the database with tokens, and general stuff about background checks, which is a sure sign of major design flaws. As the saying goes, the devil is in the detail.