Outside firms to help with online ID checks
Officials at the General Services Administration are building a system to check the identities of users doing business with agencies online, and they plan to rely on outside organizations to generate users' digital credentials.
GSA's e-Authentication system will enable users to access agency networks using a Web browser, which will contain their digital identities, said David Temoshok, director of identity policy and management at GSA. The verification system will be flexible enough to potentially let millions of Americans, businesses and government entities gain access to protected federal networks and information systems, he said.
Rather than require users to have federally issued digital credentials, the government will accept credentials issued by organizations it trusts, such as banks, colleges or security firms. That trust will be built on commonly agreed-upon business rules, policies and technologies, Temoshok said.
Support for GSA's plan appears to be growing inside and outside the government.
"It's taking the level of security up a couple of notches," said John Hunt, a partner with PricewaterhouseCoopers, a management consulting company. "And it's going to save taxpayer money."
A Transportation Department official said the agency will be among the first to hook some transactional systems into the user-authentication infrastructure that GSA is building. The effort will be DOT's largest security project in fiscal 2005, said Lisa Schlosser, the department's associate chief information officer for information technology program management.
Last week, GSA officials released more details about the infrastructure and how it will be used. For example, it could help verify that citizens who apply online for federal loans or grants are who they claim to be.
Depending on the type of transaction, the public will present different credentials to prove their identities. Transactions requiring a high degree of security, such as applying for government benefits, will require stronger security credentials than gaining access to a password-protected federal Web site.
After passing an authentication test, citizens will be authorized, or not, to gain access to a particular agency network and information system.
GSA's e-Authentication service will not require a nationwide system of unique identifiers such as Social Security numbers or a central registry of personal information, Temoshok said. Instead, it will be based on what he called a federated identity management model, which depends on relationships of trust among the federal government, other governments and businesses that issue identity credentials.
Behind GSA officials' ambitious project is a federally run interoperability-testing lab to ensure the compatibility of commercial authentication products on which the service will depend. Agency officials will continue to operate the lab until industry leaders come together around a single standard for e-authentication or establish a similar interoperability testing facility, Temoshok said.
Using Web browsers for e-authentication is the only practical solution for 280 million U.S. citizens, he said. But for internal transactions among agencies and within agencies, GSA will follow the Defense Department's lead in adopting secure smart cards to verify federal employees' identities for both online access and physical access to government buildings.
The public is confident, for example, in financial institutions' ability to protect electronic information, which should translate well into public acceptance of the federated identity model, said Maurice McTigue, director of the Government Accountability Project at George Mason University's Mercatus Center.
"If GSA is a trader in there, instead of a rule maker," McTigue said, "it's going to keep its services very current."
He said GSA's plan reflects another broader government trend. "Governments are accepting that they have to move away from command-and-control approaches to an approach that looks for high standards...but does not try to control the situation all the time," he said.
GSA: In search of e-authentication partners
The General Services Administration has adopted a federated identity management model for its online user-authentication service. For the model to work, GSA officials must:
Create voluntary partnerships with other government, private-sector and nonprofit organizations.
Agree with the agency's partners on common policies and practices for using electronic credentials.
Develop a process for evaluating credentials.
Work with other nations' online identity systems.
Source: Electronic Authentication Partnership