Outside firms to help with online ID checks

Officials at the General Services Administration are building a system to check the identities of users doing business with agencies online, and they plan to rely on outside organizations to generate users' digital credentials.

GSA's e-Authentication system will enable users to access agency networks using a Web browser, which will contain their digital identities, said David Temoshok, director of identity policy and management at GSA. The verification system will be flexible enough to potentially let millions of Americans, businesses and government entities gain access to protected federal networks and information systems, he said.

Rather than require users to have federally issued digital credentials, the government will accept credentials issued by organizations it trusts, such as banks, colleges or security firms. That trust will be built on commonly agreed-upon business rules, policies and technologies, Temoshok said.

Support for GSA's plan appears to be growing inside and outside the government.

"It's taking the level of security up a couple of notches," said John Hunt, a partner with PricewaterhouseCoopers, a management consulting company. "And it's going to save taxpayer money."

A Transportation Department official said the agency will be among the first to hook some transactional systems into the user-authentication infrastructure that GSA is building. The effort will be DOT's largest security project in fiscal 2005, said Lisa Schlosser, the department's associate chief information officer for information technology program management.

Last week, GSA officials released more details about the infrastructure and how it will be used. For example, it could help verify that citizens who apply online for federal loans or grants are who they claim to be.

Depending on the type of transaction, the public will present different credentials to prove their identities. Transactions requiring a high degree of security, such as applying for government benefits, will require stronger security credentials than gaining access to a password-protected federal Web site.

After passing an authentication test, citizens will be authorized, or not, to gain access to a particular agency network and information system.

GSA's e-Authentication service will not require a nationwide system of unique identifiers such as Social Security numbers or a central registry of personal information, Temoshok said. Instead, it will be based on what he called a federated identity management model, which depends on relationships of trust among the federal government, other governments and businesses that issue identity credentials.

Behind GSA officials' ambitious project is a federally run interoperability-testing lab to ensure the compatibility of commercial authentication products on which the service will depend. Agency officials will continue to operate the lab until industry leaders come together around a single standard for e-authentication or establish a similar interoperability testing facility, Temoshok said.

Using Web browsers for e-authentication is the only practical solution for 280 million U.S. citizens, he said. But for internal transactions among agencies and within agencies, GSA will follow the Defense Department's lead in adopting secure smart cards to verify federal employees' identities for both online access and physical access to government buildings.

The public is confident, for example, in financial institutions' ability to protect electronic information, which should translate well into public acceptance of the federated identity model, said Maurice McTigue, director of the Government Accountability Project at George Mason University's Mercatus Center.

"If GSA is a trader in there, instead of a rule maker," McTigue said, "it's going to keep its services very current."

He said GSA's plan reflects another broader government trend. "Governments are accepting that they have to move away from command-and-control approaches to an approach that looks for high standards...but does not try to control the situation all the time," he said.


GSA: In search of e-authentication partners

The General Services Administration has adopted a federated identity management model for its online user-authentication service. For the model to work, GSA officials must:

Create voluntary partnerships with other government, private-sector and nonprofit organizations.

Agree with the agency's partners on common policies and practices for using electronic credentials.

Develop a process for evaluating credentials.

Work with other nations' online identity systems.

Source: Electronic Authentication Partnership

