As ID management pilot takes shape, early agencies hop aboard

Less than two weeks after the U.S. Postal Service awarded a contract worth up to $15 million to Toronto-based SecureKey Technologies to provide the infrastructure for the government's first cloud-based identity management pilot, several agencies have already jumped onboard.

The USPS, which plans to develop the Federal Cloud Credential Exchange (FCCX), has been joined by the Department of Veterans Affairs and the National Institute of Standards and Technology; the General Services Administration will also play a role, according to a blog post by NIST senior privacy policy advisor Naomi Lefkovitz.

GSA is charged with overseeing the successful integration of FCCX with the Federal Identity Credential and Access Management (FICAM) policy – the process by which trusted framework providers are certified. GSA is also expected to build a governance framework and successful business model, Lefkovitz said in the post.

It has been rumored that a few other agencies are mulling participation in the pilot program, including the Internal Revenue Service, Department of Education and Social Security Administration, all of which assisted to some degree in developing the pilot's requirements.

The case for IRS involvement is a strong one given the results of a case study earlier in 2013 that suggested the IRS could save as much as $300 million annually by adopting an improved identify management system.

According to a USPS official, however, the pilot participants have not been finalized at this time.

FCCX is a direct result of the White House's National Strategy for Trusted Identities in Cyberspace initiative (NSTIC). If successful, its benefits will be simplifying the way citizens use government websites while theoretically reducing costs for participating agencies that would no longer have to utilize in-house ID management systems.

While the FCCX pilot is not finalized yet, the blueprint already exists through similar work SecureKey has done with the Canadian government, managing 1 million transactions per month and up to 10 million users. FCCX's capacity will be much larger, scaling to potentially handle hundreds of millions of users. The company has not announced its cloud partner yet.

The service works in much the same fashion that online payment gateway systems operate, according to SecureKey chief marketing officer Andre Boysen. From almost anywhere in the world, a credit card customer can withdraw money from an ATM without a merchant viewing the customer's credit card bill, and that kind of assurance coupled with privacy is exactly what the government wants for FCCX.

Boysen said FCCX will use a "triple blind" process that keeps the FCCX hub and relaying agency from knowing a user's personal information, while hiding the identity of the credential issuer and preventing user log-in data from being shared between agencies.

In this way, Boysen said, no party is privy to a majority of a user's private information.

The system works because of trust, he added. Participating agencies must trust the ID proofing and authentication of third-party credential providers, which must be approved by the Federal Identity, Credential, and Access Management (FICAM )program. Boysen said users play a role in that trust as well, selecting what kinds of personal information they wish to share and with whom.

In a hypothetical example, Joe User surfs to the IRS website and is offered log-in options that include FCCX. He chooses FCCX and is given a listing of FICAM-approved third-party certificate providers. If Joe User is a Citibank customer and Citibank is one of the approved certificate providers, he can use his banking username and password to authenticate his identity.

If the log-in is successful, Citibank – the credential provider – creates what Boysen called an "anonymous token" that gets passed to FCCX, which in turn "re-wraps it," hiding user information, and gives it to the requesting agency.

The agency then determines if the user is logging in for the first time, in which case he would go through a first-time enrollment process. If the user has logged in before based on the token information and identify proofing shows the user meets proper levels of assurance, he is logged in.

In the hypothetical example, Boysen said anonymous tokens ensure agencies cannot track users who log-in across different agencies. If Joe User goes to the VA's website after his visit to the IRS, neither agency would know.

While it sounds complex , Boysen said the whole process takes seconds.

"What we're trying to do is make use of the five to 10 things you use daily – those things you know really well and have no problem accessing or remembering," Boysen said.