ContactPoint offers tokens for access

The Department for Children, Schools and Families has begun to roll out the authentication process for access to the ContactPoint database. The first registration authority for the Employee Authentication Service (EAS) went live on 8 June 2009, beginning to issue tokens to a few hundred staff involved in the department's …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Cough, splutter

    "... but the DCSF has said the EAS provides a robust method of authentication which will protect the system from abuse."

    No it won't. It will mitigate the risk but it won't protect the system from abuse. How long before we hear of one of these one-time-password tokens being left, along with its PIN, in a taxi? Or before one person in a department is issued a token and has it routinely shared by all people in the department?

    I do hope that "John Skipper, design authority for the EAS," is not responsible for that gross over-statement of the EAS's capability.

    It's enough to make a cat spit.

  2. Greg

    DWP?

    WTF have they got to do with children?

  3. Clarissa

    I think I can safely predict that...

    a) a fair proportion of staff will write their PINs on the token (or have it in their wallet/purse next to it)

    b) at least one of the above will leave it somewhere where someone without access to Contact Point will be able to find it

  4. Tom Chiverton

    Users' 'solution' to needing to always carry the token

    "generate a code on an LCD display which they can use one time for access to the database through an authorised computer"

    So the users won't Blu-Tack the token to their 'authorised computer' along with PIN etc., thus allowing anyone passing by access?

  5. Hayden Clark

    Token, sticky label...

    ... PIN written on sticky label.....

    Taxi/train/bus.

    These people have no clue.

  6. Cameron Colley

    RE: Tokens, labels and blu-tack.

    Even better than that -- I bet the system they use allows for "temporary passwords" used when the token is "mislaid" and that a significant number of people will end up with such passwords.

  7. Anonymous Coward

    @Greg - re:DWP?

    I would cynically think that it's due to the fact that all children will be held on there until working age so it's a good register of everyone that can work...

  8. Colin Miller

    @Greg

    Is it the DWP or HMRC that are responsible for Child Tax credits?

  9. Anonymous Coward

    Specifics

    Suppose we have a child, let's call that child 'P'.

    Can we have a list of the names of all the people that can access 'P's records? Would that list be 10 names long (e.g. 'P's teacher, headmaster, social worker, doctor....) or would it be 100 names long (e.g. every teacher, every headmaster, every social worker) or 1000 names long (I see they're including police and charities and civil service unconnected with children and plastic police and local government and pretty much anyone dressed in a high visibility jacket)?

    Or are we talking about anyone among 300,000 plus people ultimately can dig into 'P's details?

    Also I see the rozzers have their own child database 'Merlin' which doesn't have these controls on it. Can the rozzers fill their own database with data taken from Contact Point?

    Also I notice that MPs think their own children are not on the database. When I reckon they are on that database, just that those records are shielded from some of the roles. So how many thousands of people in which roles can see the data on children of MPs?

    Seems to me, they are talking in general terms about logging in to the database with tokens, and general stuff about background checks, which is a sure sign of major design flaws. As the saying goes, the devil is in the detail.
