Identity Management

We're the government. Trust us.

Image from Shutterstock.com

The Federal Housing Administration works with lenders to insure more than $1 trillion in mortgage loans. The Department of Homeland Security shares vital information with thousands of partners at the international, federal, state, local, territorial and tribal levels, as well as in the private sector. And the Social Security Administration provides benefits to nearly 64 million Americans.

Each of them -- along with dozens of other agencies -- is wrestling with the challenges of verifying identities online.

"We have been driven by our customers to provide more services online," said Don Behler, SSA's director of identity, credential and access management. "The more services we make available, the riskier those services become."

An online registration for benefits, for example, is relatively low risk, he said. Allowing beneficiaries to change their direct-deposit information online, on the other hand, requires significantly stronger "identity proofing."

Helen Schmitz, enterprise architect in DHS' Office of the CIO, described similar challenges at her department. When the Homeland Security Information Network (HSIN) was upgraded, some 17,000 users had to be re-verified. There was pushback, she said, "because the users didn't understand why we were putting them through this pain."

Agencies are making progress toward workable systems, but the government faces hurdles beyond those in the private sector, agreed Schmitz, Behler and several other identity management experts who took part in an Aug. 12 FCW conference titled "Identity Proofing Essentials for Government Operations" in Washington.

As Peter Alterman, a former senior adviser to the National Institute of Standards and Technology who is now chief operating officer at the SAFE-BioPharma Association, put it: "How do you deal with the inevitable anxieties about the government having your information?"

That "Big Brother" fear was a key reason that the Obama administration's 2011 National Strategy for Trusted Identities in Cyberspace called for private-sector proofing systems that could be used to gain access to government systems and services. Today, the Federal Cloud Credential Exchange (FCCX) is gearing up to enable agencies to do just that via a shared cloud service.

Douglas Glair, the U.S. Postal Service's manager of digital identity services, said FCCX, "technology-wise, is live today" with the Department of Veterans Affairs and a handful of other agencies running pilot projects. USPS is the technology service provider for FCCX.

The exchange is not validating the identities, Glair explained. Instead, "the partners and providers are the ones actually doing the identity proofing and verification."

"What the citizen is doing is selecting...which one they want to use to log in," he said. That approach also brings the added benefit of letting people rely on credentials they already use regularly -- to access online banking, for example -- instead of creating and verifying an agency-specific login they might need once a year or even less often.

"We want something that is embedded in our daily lives instead of something that we hate doing," Glair said.

The irony, of course, is that private-sector firms have far more information on individuals than agencies do. Alterman recounted one data aggregator telling him that leading companies have tens of thousands of "data points about us in their repositories."

Pick your proofing level

The National Institute of Standards and Technology has defined technical requirements for four levels of assurance for individuals' identities online. Most public-facing applications today are Level 2, though agencies are increasingly offering two-factor authentication.

Level 1

  • Confidence: Little or none; identity usually self-asserted.
  • Example: Self-registration websites, such as news and social media sites.
  • Identity proofing requirements: None.
  • Token (secrecy) requirements: Any type of token, including a personal identification number.
Level 2
  • Confidence: Some confidence that the asserted identity is accurate.
  • Example: Changing the address in an account beneficiary's record.
  • Identity proofing requirements: Requires some identity proofing.
  • Token (secrecy) requirements: Single-factor remote authentication, typically a password.
Level 3
  • Confidence: High.
  • Example: Access to an online benefits or brokerage account.
  • Identity proofing requirements: Stringent.
  • Token (secrecy) requirements: Multifactor authentication, typically a password or biometric factor used in combination with user possession of a software token (stored in a Web browser, for example), a hardware token (such as a smart card or key fob) or a one-time password device token.
Level 4
  • Confidence: Very high.
  • Example: Access to government buildings and networks via agency-issued smart cards, such as Common Access Cards.
  • Identity proofing requirements: In-person registration.
  • Token (secrecy) requirements: Multifactor authentication that must include a hardware token with cryptography.
Sources: NIST, Office of Management and Budget

"The government is really not the holder of knowledge and information about us and what we do," he added.

Nonetheless, Schmitz said, "there is the perception that the government is Big Brother, and we had to carefully avoid that perception."

And sometimes, contracting with private-sector vendors can add to that suspicion, Behler said. Best practices for identity proofing call for using a wide variety of "out of wallet" data points -- predefined knowledge-based questions that could range from a favorite sports team to the name of one's first college roommate. But SSA quickly learned that "it was extremely creepy to citizens to think that the government knew who you lived with 10 years ago," Behler said.

"One of the ways we get over those concerns is that we make very clear what we're doing," he said. "We do not keep the information that comes from that out-of-wallet data provider. And folks are becoming more educated. They have more concerns about [their online] security."

Brenda Boldridge, an FHA program support officer, agreed that communication is the key. Although lenders generally understood the privacy issues and the need to guard against fraud, "there was some pushback on the need to purchase new software in order to interact with us," she said. But "the more you can educate and provide information on what you're doing and the benefits to them...you'll end up with a better outcome."

At DHS, Schmitz said, other steps were being taken to reassure wary HSIN users. Her department has offered training on "why we needed cybersecurity," she said. "When we explained about phishing and how easy it is to spoof email...they got it." And for the truly reluctant users, HSIN offers in-person proofing, where an individual can use hard-copy proof of identification to secure their online credentials. Fewer than 5 percent of HSIN users have opted for the manual process, Schmitz said.

USPS also plans to provide in-person verification, Glair said. Indeed, the agency's physical presence nationwide is one reason USPS was given such a central FCCX role. "This is all about choice for the citizen," he added.

Yet for all the choices, Alterman argued that the essential tension is always the same. When it comes to identity proofing, "the most usable is the least secure," he said. "The most secure is the most invasive. That's the game."

The fundamental question, he stressed, is "what do you actually, really need" to authenticate an individual online. "Once you know that, the question becomes how can you get that in the least invasive way, and how can you protect it in the most secure way."

About the Author

Troy K. Schneider is editor-in-chief of FCW and GCN. Connect with him on Twitter: @troyschneider.


The 2015 Federal 100

Meet 100 women and men who are doing great things in federal IT.

Featured

  • Shutterstock image (by venimo): e-learning concept image, digital content and online webinar icons.

    Can MOOCs make the grade for federal training?

    Massive open online courses can offer specialized IT instruction on a flexible schedule and on the cheap. That may not always mesh with government's preference for structure and certification, however.

  • Shutterstock image (by edel): graduation cap and diploma.

    Cybersecurity: 6 schools with the right stuff

    The federal government craves more cybersecurity professionals. These six schools are helping meet that demand.

  • Rick Holgate

    Holgate to depart ATF

    Former ACT president will take a job with Gartner, follow his spouse to Vienna, Austria.

  • Are VA techies slacking off on Yammer?

    A new IG report cites security and productivity concerns associated with employees' use of the popular online collaboration tool.

  • Shutterstock image: digital fingerprint, cyber crime.

    Exclusive: The OPM breach details you haven't seen

    An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.

  • Stephen Warren

    Deputy CIO Warren exits VA

    The onetime acting CIO at Veterans Affairs will be taking over CIO duties at the Office of the Comptroller of the Currency.

  • Shutterstock image: monitoring factors of healthcare.

    DOD awards massive health records contract

    Leidos, Accenture and Cerner pull off an unexpected win of the multi-billion-dollar Defense Healthcare Management System Modernization contract, beating out the presumptive health-records leader.

  • Sweating the OPM data breach -- Illustration by Dragutin Cvijanovic

    Sweating the stolen data

    Millions of background-check records were compromised, OPM now says. Here's the jaw-dropping range of personal data that was exposed.

  • FCW magazine

    Let's talk about Alliant 2

    The General Services Administration is going to great lengths to gather feedback on its IT services GWAC. Will it make for a better acquisition vehicle?

Reader comments

Sun, Aug 24, 2014

"Nonetheless, Schmitz said, "there is the perception that the government is Big Brother, and we had to carefully avoid that perception."" That is a reality, not a perception. I would trust my private information to many private vendors above government. Government is full of incompetent people that don't care, or worse.

Thu, Aug 14, 2014

And so? Your point?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above