Looks like the CRA is rolling out a new login option (began early November 2012) to access the CRA "My Account" website. You still have the option of using your old CRA login - however, if you're anything like me, you've probably forgotten the Login-ID, which of course, you can't retrieve. But - not to fret, you have the option of creating (yet) another new account, and now, you won't have to remember your login!

CRA is working with Canadian banks on a service called: "SecureKey Concierge" ( http://securekeyconcierge.com/ ). 

"SecureKey Concierge offers a convenient way to sign in to Government of Canada services. Instead of remembering yet another username and password that you rarely ever use, you can choose to sign in with a brand that you know, and use, regularly… such as your favourite Financial Institution, Bank or Credit Card."

I'd like to say - what could possibly go wrong and leave it at that, but, that isn't going to happen. Let's explore the option. 

 As of this writing (March 6, 2013) you are presented with 4 options to sign in:

  • BMO Credit Card (I assume your Mastercard)
  • BMO Debit Card
  • Scotiabank Online Banking
  • TD Canada Trust Easyweb

When selecting one of the options, you're presented with a login page at the bank of your choice. Since I already logged into my bank from the machine, my Debit Card information was already saved. (Yes, I'm lazy - sue me). Following along on your normal path of login, just like when you log in to your bank, you are given the opportunity to enter your password and/or other details asked. In my case, it also provides me with the passmark phrase and image so I "know" it's really the bank I'm connecting to.

Once you've entered your password, you are again redirected to the original site, in my case, the CRA website, where it continues to validate who you are by asking the same information that would have been asked if you were creating a regular account.

At this point, I'm stalled in the investigation - I need to wait for a security code to be sent to me in order to continue with the registration process. But, each time I login, it remembers where I was, and promptly asks me for the security key. As such, I can assume that future visits to the site have no additional authentication method. 

So what could go wrong? I mean, it's easier for the Canadian people right? Just use the same login as your bank! -- But wait -- Your bank... login.. 

Let's start with the obvious - Phishing

Given the large number of phishing websites and emails that barrage users on a daily basis, I expect this new function to only cause an increase in the number of such attempts. No longer do we need to be worried only about our bank accounts and the possibility of losing all our money; with the same credentials, they could also access any Canadian Government website we've previously logged into. I believe the phrase is Awesomesauce.

But wait -- There's MORE.

A while back there were some comments around the storage of banking passwords. (If you can find some references, that would be great). At the time, it was identified that banks typically store your online passwords so that they could be compatible with aged telephone-based applications. In other words - convert the password into numbers.

i.e., password would become 72779673, and secure45 would be 73787345. Meaning, you've gone from [A-Za-z0-9] to [0-9] as possible options. Not only that, but one could take a numeric password and convert it into letters too - so a password of 1234567890 could be entered as 1bfikmrvz0 -- This still holds true for some banks.

Now, we trust the bank with online access to our online accounts - but we have the option to also trust them with our Government accounts as well, with incredibly WEAK password storage methods.

 The question is - so what? Well, besides the obvious that it's just wrong, here's a few ideas on what can happen inside the CRA portal ( Details ):

  • You can start, update or stop direct deposit
  • Account balance and statement of account
  • View Returns
    • Includes your date of birth
    • Province of residence
    • Income
  • Children in care
Among other items, and that's just the CRA site. Other sites that you can access with SecureKey Concierge include ( Details ):
  • Canada Border Services Agency
    • The eManifest Portal is a secure data transmission option developed by the Canada Border Services Agency (CBSA) that allows the trade community to electronically transmit their pre-arrival information through the Internet.
  • Canadian Nuclear Safety Commission
  • Citizenship and Immigration Canada
    • You need a MyCIC account only if you are submitting an online application.
  • CRTC
  • Health Canada
    • The Secure Web Portal provides a single point of access to view and update your information.
  • RCMP
    • To access the RCMP Applications online, you need a login credential
And others. You can do your own research on what details you can access from those sites. 

And just for good measure, some details from the FAQs posted on the sites:

What is a “credential”?
“Credentials” in information systems are widely used to control an individual’s access to information or services. The combination of a card number or user name and a password is a widely-used example of a credential. The Government of Canada uses electronic credentials to allow users to communicate securely with online-enabled Government of Canada services.

What do you mean by authentication?
It is a secure means to recognize a user when accessing government services online. The user remains anonymous, and the authentication process just confirms that the credential is valid and is in the hands of the owner of the credential. Credential authentication does not reveal or confirm identity to the government website. It receives only a message confirming that your credential (username/password) was successfully validated by your bank or by the government.

Why is the Government of Canada offering users a choice of credentials?
By offering a choice of credentials, the Government of Canada is making its online services more convenient and easier to use. Many individuals already use their online banking credentials regularly. Being able to use these same credentials to access Government of Canada services online will simply mean one less User ID and password to remember.

Are the Commercial Credentials as secure as the Government Credential?
Whether one chooses to use the commercial credential service (SecureKey Concierge) or the government-issued credential service, be assured that your transaction will be safe and secure. The authentication process does not carry any personally identifiable information such as name, birth date etc. and relies on strong technology, built using industry best practices. The Government of Canada is leveraging these investments made by financial institutions for secure online environments.

Is any of my banking information shared if I use SecureKey Concierge?
When you use either your government credential or your online banking credential, none of the personally identifiable information related to your credential is communicated to the government service you are trying to access. For users of SecureKey Concierge, the identity of the financial institution will not be shared with the Government of Canada. Similarly, no information about the government service being accessed by the user will be shared with the user's bank.

 See also: http://securekeyconcierge.com/faq/

Finally, an Introduction to SecureKey Concierge video.