Government’s E-Authentication scheme just might work, study says
The government’s E-Authentication Initiative could serve as a model for far-reaching authentication programs linking government and private-sector organizations, an independent study of the system has concluded.
“It’s an opportunity to do something right once and reuse it,” said Dan Blum, one of the authors of the report from Burton Group.
The E-Authentication Initiative is a governmentwide infrastructure allowing agencies to rely on digital credentials issued by other organizations. Because the government does not expect to issue a national identification card and individual agencies do not want to be in the business of issuing and managing digital certificates, the goal is to leverage standards-based off-the-shelf technology to authenticate the identity of persons accessing government information or services.
The initiative specifies four levels of assurance, with technical requirements for each level, and has standardized on version 1.0 of the Security Assertion Markup Language.
The program is in governmentwide pilot and is authorized to go into live production. A handful of agencies are participating in pilot programs using E-Authentication.
The General Services Administration hired the Burton Group, an IT research and consulting company in Midvale, Utah, to review the program.
“The E-Authentication Initiative’s goals are achievable,” the August report concluded. “The anticipated benefits are real and far-reaching.”
But the government can expect increasing challenges in expanding the scheme into an operational program. Business rules and contract terms for using the system may pose a greater challenge than the technology.
The advantage of a federated scheme based on industry standards is that agencies do not have to maintain their own credentialing infrastructure. For end users, it can provide a way to access resources with a single set of credentials.
Eventually, the trust relationships are expected to extend across public and private-sector boundaries in dynamic relationships.
“It is going to take five years or more before we have dynamic federations,” Blum said Wednesday in a briefing on the initiative.
The government has financially supported and cooperated with the Electronic Authentication Partnership, an industry organization working to establish business rules for interoperable authentication.
The Burton Group report recommends continuing and extending private-sector collaboration and expanding the standards supported by the initiative, converging on SAML 2.0 in the next two or three years.