ID management without the Big Brother baggage
This Facebook game seems like harmless fun: Derive your "porn name" by combining the name of your first pet and the name of the first street you lived on. You and your friends take turns posting the hilarious results -- Fritz King for yours truly, for example, perhaps co-starring with Snowball Elm and Bruiser 5th Avenue.
But when you sign up for a new account on a website, you often have to choose challenge questions -- such as the name of your first pet or the name of the first street you lived on. Although most people who share such amusements mean no harm, they expose information that identity thieves could use to hack into accounts.
The federal government is struggling with identity management for public-facing websites, and the example above highlights one of the key difficulties -- teaching people to protect such seemingly innocuous information.
The General Services Administration's 18F is leading the charge with Login.gov, an effort to create an authentication platform for agencies to share that would lead to a uniform approach rather than dozens of separate systems. Login.gov will replace GSA's earlier effort, Connect.gov.
Why it matters
Americans entrust various agencies with the kinds of personal information that identity thieves love to steal. It is incumbent on government, therefore, to safeguard the data, and recent high-profile breaches show how hard it can be. In 2015, for example, the IRS' Get Transcript application was compromised by hackers who used information gleaned elsewhere to access more than 700,000 taxpayer accounts.
Identity management is the cornerstone of digital government, said Jennifer Kerber, former director of Connect.gov and now a director at Grant Thornton.
However, asking people to create a separate username and password for each site they visit quickly becomes onerous. It's not just the government; people have credentials for every account they maintain, whether it's for the IRS or iTunes, Medicare or Amazon. Eventually, most people default to applying just one or two passwords to every account they open or writing down dozens of strong passwords. Neither practice constitutes good security.
Kerber said the government needs to go beyond usernames and passwords, and she cited studies showing that many data breach attempts succeed because legitimate users rely on weak, easily guessed passwords or never reset a system from a default password.
Meanwhile, the ease with which many internet users give up information such as their first pet's name means that knowledge-based authentication -- verifying identity with questions that only the actual individual is likely to answer correctly -- is also a dicey strategy.
"With the advent of social media and the new generation of folks who just put everything online, it's not as secure as we hoped," Kerber said. "That's why we're having to move beyond that."
If there is a silver lining, it is that most government websites do not need to collect personal information, said Michael Garcia, acting director of the National Strategy for Trusted Identities in Cyberspace (NSTIC) at the National Institute of Standards and Technology.
"As much as we think about government needing to know your true identity, the reality is that for most government services that are constituent-facing, you really don't," he said. Visitors who come to a site to look up statistics, download forms or subscribe to newsletters, for example, need not be asked to authenticate their identities.
Nevertheless, many agencies do require personal information, and people increasingly expect government services to be available online. Authenticating identities and safeguarding authentication information are difficult for several reasons, including the challenge of educating people to behave smartly online.
And unfortunately, problems never stay solved, Kerber said. As fast as solutions are launched, adversaries start finding ways around and through them. "The hackers are always trying to get the information you have," she said. "In today's society, data is value. That's what everybody wants."
Garcia said there is a tension between security and access. When security measures are strengthened, "you're going to have more individuals who are the rightful owners of that information who are rejected," he said. "It's unfortunate. We wish it weren't the case, but if that's the price we pay to prevent adversaries from getting access, it might be an acceptable cost."
The government needs to recognize the importance of authenticating and protecting people's identities, Kerber said. Recent efforts, including NSTIC's work and GSA's Connect.gov and Login.gov, are examples of the kinds of sustained efforts that are needed, she added.
"It's complex, and I think it's suffered from a lack of consistent investment," she said. "When they look at digital identities, digital authentication, I think the government really needs to look at it as an investment in infrastructure. Rather than making it a reimbursed shared service, it should just be something the government funds."
Still, Kerber said, the outlook is encouraging. "We're in the process of improving, and I think we're starting to understand our security gaps," she added.
NIST is attempting to move the work forward with a revision to its Special Publication 800-63, which outlines best practices for identity management. The revised document will be open for public comment soon.
Garcia said a good approach to ID management should be multimodal. Using the Washington, D.C., subway system as an analogy, he noted that most riders use escalators to get to different levels of a station while some use elevators. When elevators are out of service, the system provides a shuttle bus to a nearby station that has working ones. The Defense Department is already moving toward such an approach for its personnel.
Similarly, an authentication method could require a smartphone, but there must be an alternative process for those who don't have a smartphone.
"We haven't really adopted that as simply the way life is for many of these online services," Garcia said. "You can't do it the same way for everybody. It just won't work."
Future-proofing is another key aspect of the revisions to SP 800-63, he added. For example, instead of specifying the pieces of evidence that an agency can use to verify a visitor's identity, the circular will describe the characteristics of good evidence.
"Over time, if other types of evidence emerge or existing types of evidence change, they can move between them by the way they innovate without us having to come back and point to it again," he said.
GSA's efforts are also encouraging, though not yet proven in practice. The Login.gov team is trying to learn from the Connect.gov experience, Garcia said, and the changes could represent real improvements if they work.
"Our office was a big proponent of the Connect.gov approach," he added. "There are some differences with the way Login.gov is currently implemented."
According to 18F, Login.gov builds on groundwork that Connect.gov laid, along with NIST, the White House's Cybersecurity National Action Plan and GSA's Federal Acquisition Service. It uses a combination of public and private identifiers to create a single-sign-on account for each user, adding multifactor authentication to enhance the basic password paradigm.
Importantly for privacy, Garcia said, the Connect.gov approach relied on existing commercial credentials to establish the user's authentication but does not store the data.
"The government does not have to create a new account and manage your information. There is no warehouse of personal information," he said of the Connect.gov efforts. "We do prefer to see leveraging of commercial credentials as a matter of choice. We don't have a problem with creating a government credential as well."
According to a system of records notice that GSA published in the Federal Register in August, Login.gov will ask only for information needed to provide the appropriate level of security. For access to information that requires only Level of Assurance 1, the system will ask for a username, password and phone number. For LOA3, to gain access to more sensitive personal information, additional factors such as Social Security numbers and financial and credit information will be required.
Once the user has been authenticated, the system assigns a meaningless, unique number to the data. The user can then be granted access to an agency website without providing the sensitive personal information again. GSA's partner agencies have access to the personal information only with the visitor's permission.
However, if Login.gov becomes the federal authentication platform of choice, it might face a big hurdle that also tripped up Connect.gov.
"The business model is awfully difficult," Garcia said. With Connect.gov, "we think we really nailed the technology, and it was a massive improvement over agencies' own solutions, but it was difficult to [develop] a cost-recovery model. You want the costs to be shared across agencies, but that's hard to do. If you can get over that hump, that's a huge gain."
Note: This article was updated on Dec. 5 to clarify that certain remarks from Michael Garcia referred to Connect.gov, not the more recent Login.gov efforts.
Technology journalist Michael Hardy is a former FCW editor.