Retooling e-authentication

In the future, conducting confidential business with the government via the Internet could mean that citizens will use electronic credentials issued by commercial entities, such as banks, to prove they are who they claim to be.

A draft document, which has not been widely circulated, describes how the federal government plans to simplify secure online transactions and communications.

Issued by the General Services Administration's e-Authentication program, the document states that authorized credential services companies and government agencies, in some cases, would issue electronic credentials to users before they submit address changes to the Social Security Administration, for example.

For transactions that are relatively low-risk from a security or privacy standpoint, citizens would receive passwords or personal identification numbers. For higher-risk exchanges, such as money transfers or the sharing of medical or financial information, citizens would be issued new digital certificates or would reuse existing ones to verify their identities when logging on to a network.

"If the government has already issued you a passport in person, it might also be able to issue you an electronic credential that could be used for higher-risk transactions down the road," said Trent Henry, a security analyst at the Burton Group, an information technology

research and consulting company.

Federal officials continue to revise their plans for how to verify the identities of

citizens and others who want to conduct business or communicate with the government using the Internet. Members of the e-Authentication Executive Steering Committee say they are inclined to follow industry's lead on technical standards for

e-authentication.

"Our effort is to remain aligned with what's happening in the market," said Drew Ladner, chairman of the steering committee and the Treasury Department's chief information officer.

GSA, the lead agency for e-authentication efforts, has set aside its plans for creating a centralized governmentwide gateway. The General Accounting Office warned last September that it would be risky for GSA to take on a central role as an online authentication broker. Soon afterward, GSA officials began revising their plans.

Now, they are working out the details of a decentralized, "federated" approach to e-authentication. Compared with newer federated identity protocols, authentication credentials based on public-key infrastructure (PKI) technologies afford higher levels of assurance that people are who they claim to be. PKI technologies also are more versatile, Henry said.

"What really interests people is that PKI can do more than just authentication," he said, adding that a PKI is useful for encrypting and digitally signing documents as well. GSA officials are now seeking vendors that can supply smart cards based on federal PKI standards.

For technical managers who have been developing PKI standards for nearly a decade, the recent surge of interest from the Office of Management and Budget and GSA is welcome.

"We've been trying to build a federal PKI from the bottom up, agency by agency, and that's doing it the hard way," said William Burr, manager of the security technology group at the National Institute of Standards and Technology.

The Fed 100

Read the profiles of all this year's winners.

Featured

  • Then-presidential candidate Donald Trump at a 2016 campaign event. Image: Shutterstock

    'Buy American' order puts procurement in the spotlight

    Some IT contractors are worried that the "buy American" executive order from President Trump could squeeze key innovators out of the market.

  • OMB chief Mick Mulvaney, shown here in as a member of Congress in 2013. (Photo credit Gage Skidmore/Flickr)

    White House taps old policies for new government makeover

    New guidance from OMB advises agencies to use shared services, GWACs and federal schedules for acquisition, and to leverage IT wherever possible in restructuring plans.

  • Shutterstock image (by Everett Historical): aerial of the Pentagon.

    What DOD's next CIO will have to deal with

    It could be months before the Defense Department has a new CIO, and he or she will face a host of organizational and operational challenges from Day One

  • USAF Gen. John Hyten

    General: Cyber Command needs new platform before NSA split

    U.S. Cyber Command should be elevated to a full combatant command as soon as possible, the head of Strategic Command told Congress, but it cannot be separated from the NSA until it has its own cyber platform.

  • Image from Shutterstock.

    DLA goes virtual

    The Defense Logistics Agency is in the midst of an ambitious campaign to eliminate its IT infrastructure and transition to using exclusively shared, hosted and virtual services.

  • Fed 100 logo

    The 2017 Federal 100

    The women and men who make up this year's Fed 100 are proof positive of what one person can make possibile in federal IT. Read on to learn more about each and every winner's accomplishments.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group