Government’s E-Authentication scheme just might work, study says

The government’s E-Authentication Initiative could serve as a model for far-reaching authentication programs linking government and private-sector organizations, an independent study of the system has concluded.

“It’s an opportunity to do something right once and reuse it,” said Dan Blum, one of the authors of the report from Burton Group.

The E-Authentication Initiative is a governmentwide infrastructure allowing agencies to rely on digital credentials issued by other organizations. Because the government does not expect to issue a national identification card and individual agencies do not want to be in the business of issuing and managing digital certificates, the goal is to leverage standards-based off-the-shelf technology to authenticate the identity of persons accessing government information or services.

The initiative specifies four levels of assurance, with technical requirements for each level, and has standardized on version 1.0 of the Security Assertion Markup Language.

The program is in governmentwide pilot and is authorized to go into live production. A handful of agencies are participating in pilot programs using E-Authentication.

The General Services Administration hired the Burton Group, an IT research and consulting company in Midvale, Utah, to review the program.

“The E-Authentication Initiative’s goals are achievable,” the August report concluded. “The anticipated benefits are real and far-reaching.”

But the government can expect increasing challenges in expanding the scheme into an operational program. Business rules and contract terms for using the system may pose a greater challenge than the technology.

The advantage of a federated scheme based on industry standards is that agencies do not have to maintain their own credentialing infrastructure. For end users, it can provide a way to access resources with a single set of credentials.

Eventually, the trust relationships are expected to extend across public and private-sector boundaries in dynamic relationships.

“It is going to take five years or more before we have dynamic federations,” Blum said Wednesday in a briefing on the initiative.

The government has financially supported and cooperated with the Electronic Authentication Partnership, an industry organization working to establish business rules for interoperable authentication.

The Burton Group report recommends continuing and extending private-sector collaboration and expanding the standards supported by the initiative, converging on SAML 2.0 in the next two or three years.

