Identity Management

We're the government. Trust us.

Image from Shutterstock.com

The Federal Housing Administration works with lenders to insure more than $1 trillion in mortgage loans. The Department of Homeland Security shares vital information with thousands of partners at the international, federal, state, local, territorial and tribal levels, as well as in the private sector. And the Social Security Administration provides benefits to nearly 64 million Americans.

Each of them -- along with dozens of other agencies -- is wrestling with the challenges of verifying identities online.

"We have been driven by our customers to provide more services online," said Don Behler, SSA's director of identity, credential and access management. "The more services we make available, the riskier those services become."

An online registration for benefits, for example, is relatively low risk, he said. Allowing beneficiaries to change their direct-deposit information online, on the other hand, requires significantly stronger "identity proofing."

Helen Schmitz, enterprise architect in DHS' Office of the CIO, described similar challenges at her department. When the Homeland Security Information Network (HSIN) was upgraded, some 17,000 users had to be re-verified. There was pushback, she said, "because the users didn't understand why we were putting them through this pain."

Agencies are making progress toward workable systems, but the government faces hurdles beyond those in the private sector, agreed Schmitz, Behler and several other identity management experts who took part in an Aug. 12 FCW conference titled "Identity Proofing Essentials for Government Operations" in Washington.

As Peter Alterman, a former senior adviser to the National Institute of Standards and Technology who is now chief operating officer at the SAFE-BioPharma Association, put it: "How do you deal with the inevitable anxieties about the government having your information?"

That "Big Brother" fear was a key reason that the Obama administration's 2011 National Strategy for Trusted Identities in Cyberspace called for private-sector proofing systems that could be used to gain access to government systems and services. Today, the Federal Cloud Credential Exchange (FCCX) is gearing up to enable agencies to do just that via a shared cloud service.

Douglas Glair, the U.S. Postal Service's manager of digital identity services, said FCCX, "technology-wise, is live today" with the Department of Veterans Affairs and a handful of other agencies running pilot projects. USPS is the technology service provider for FCCX.

The exchange is not validating the identities, Glair explained. Instead, "the partners and providers are the ones actually doing the identity proofing and verification."

"What the citizen is doing is selecting...which one they want to use to log in," he said. That approach also brings the added benefit of letting people rely on credentials they already use regularly -- to access online banking, for example -- instead of creating and verifying an agency-specific login they might need once a year or even less often.

"We want something that is embedded in our daily lives instead of something that we hate doing," Glair said.

The irony, of course, is that private-sector firms have far more information on individuals than agencies do. Alterman recounted one data aggregator telling him that leading companies have tens of thousands of "data points about us in their repositories."

Pick your proofing level

The National Institute of Standards and Technology has defined technical requirements for four levels of assurance for individuals' identities online. Most public-facing applications today are Level 2, though agencies are increasingly offering two-factor authentication.

Level 1

  • Confidence: Little or none; identity usually self-asserted.
  • Example: Self-registration websites, such as news and social media sites.
  • Identity proofing requirements: None.
  • Token (secrecy) requirements: Any type of token, including a personal identification number.
Level 2
  • Confidence: Some confidence that the asserted identity is accurate.
  • Example: Changing the address in an account beneficiary's record.
  • Identity proofing requirements: Requires some identity proofing.
  • Token (secrecy) requirements: Single-factor remote authentication, typically a password.
Level 3
  • Confidence: High.
  • Example: Access to an online benefits or brokerage account.
  • Identity proofing requirements: Stringent.
  • Token (secrecy) requirements: Multifactor authentication, typically a password or biometric factor used in combination with user possession of a software token (stored in a Web browser, for example), a hardware token (such as a smart card or key fob) or a one-time password device token.
Level 4
  • Confidence: Very high.
  • Example: Access to government buildings and networks via agency-issued smart cards, such as Common Access Cards.
  • Identity proofing requirements: In-person registration.
  • Token (secrecy) requirements: Multifactor authentication that must include a hardware token with cryptography.
Sources: NIST, Office of Management and Budget

"The government is really not the holder of knowledge and information about us and what we do," he added.

Nonetheless, Schmitz said, "there is the perception that the government is Big Brother, and we had to carefully avoid that perception."

And sometimes, contracting with private-sector vendors can add to that suspicion, Behler said. Best practices for identity proofing call for using a wide variety of "out of wallet" data points -- predefined knowledge-based questions that could range from a favorite sports team to the name of one's first college roommate. But SSA quickly learned that "it was extremely creepy to citizens to think that the government knew who you lived with 10 years ago," Behler said.

"One of the ways we get over those concerns is that we make very clear what we're doing," he said. "We do not keep the information that comes from that out-of-wallet data provider. And folks are becoming more educated. They have more concerns about [their online] security."

Brenda Boldridge, an FHA program support officer, agreed that communication is the key. Although lenders generally understood the privacy issues and the need to guard against fraud, "there was some pushback on the need to purchase new software in order to interact with us," she said. But "the more you can educate and provide information on what you're doing and the benefits to them...you'll end up with a better outcome."

At DHS, Schmitz said, other steps were being taken to reassure wary HSIN users. Her department has offered training on "why we needed cybersecurity," she said. "When we explained about phishing and how easy it is to spoof email...they got it." And for the truly reluctant users, HSIN offers in-person proofing, where an individual can use hard-copy proof of identification to secure their online credentials. Fewer than 5 percent of HSIN users have opted for the manual process, Schmitz said.

USPS also plans to provide in-person verification, Glair said. Indeed, the agency's physical presence nationwide is one reason USPS was given such a central FCCX role. "This is all about choice for the citizen," he added.

Yet for all the choices, Alterman argued that the essential tension is always the same. When it comes to identity proofing, "the most usable is the least secure," he said. "The most secure is the most invasive. That's the game."

The fundamental question, he stressed, is "what do you actually, really need" to authenticate an individual online. "Once you know that, the question becomes how can you get that in the least invasive way, and how can you protect it in the most secure way."

Featured

Reader comments

Sun, Aug 24, 2014

"Nonetheless, Schmitz said, "there is the perception that the government is Big Brother, and we had to carefully avoid that perception."" That is a reality, not a perception. I would trust my private information to many private vendors above government. Government is full of incompetent people that don't care, or worse.

Thu, Aug 14, 2014

And so? Your point?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above