Vets.gov offers new login security for users

Veterans looking to access online services via the Vets.gov portal can now identify themselves to the system using a USB-based physical security key, rather than having to remember password information.

"Your 90-year-old grandma applying to get her husband's benefits no longer has to have seven different passwords," Julie Meloni, director of product management at the U.S. Digital Service, said at Sept. 14 AFCEA ID Forum in Washington, D.C.

The "unphishable" security key comes from vendor ID.me. It's an identify service that grew out of an e-commerce business that Army veteran Blake Hall launched while he was attending Harvard Business School. His company's deal service called TroopSwap foundered as that e-commerce trend lagged, but it turned out the tool they'd built to verify and manage military identity had broader applciations.

Hall explains his tool as "Paypal for identity." Just as Paypal matches up credit card and bank account information to an online payment serivce, ID.me attaches a verified aspect of your identity, such as a drivers license, passport, student or military ID or  professional license, and makes it storable and portable for use across secure online services.

"You should never have to do the same thing twice as part of an identity transaction," Hall explained in an interview with FCW.

The ID.me digital wallet is one piece of the FIDO (Fast Identity Online) Alliance, a growing ecosystem of interoperable products and services designed to decrease reliance on passwords and support device-based authentication.

The ID.me service brings the FIDO U2F (Universal Second Factor) standard to goverment website login for the first time. Users of Vets.gov can now opt for the ID.me solution instead of other two-factor authentication protocols like a text message or a voice call to verify user identity. The service went live on Sept. 11.

The other advantage to a physical security key is that a scammer has to obtain physical access to the device to perpetrate fraud, taking away the ease and scalability of phishing and other email based attacks. It also eliminates the attack vectors of using email and account information to change a password remotely.

"We do not believe that knowledge should be used to verify identity, espeically in the wake of the Equifax breach," Hall said. "Name, date of birth, Social Security number is still useful to know if an identity is real and unique. What it is no longer useful for is to verify if the user claiming that identity is that person and not a malicious actor."

Many of the solutions approved by the FIDO Alliance can be embedded or attached to a mobile phone or device with a SIM card. What makes the ID.me service useful to the Department of Veterans Affairs is that it solves the authenication problem for older users who might not have mobile devices or who aren't comfortable using a security application. The physical keys themselves are available from multiple vendors, Yubico being the most prominent.

"Seniors, less affluent and less educated Americans don't have the hardware," Hall said. "But with ID.me, they can buy a $15 security key that is a one time-cost and is very easy to use." 

The demographic that uses VA services is "a microcosm of American society," Meloni said at the ID forum. "That causes problems in trying to figure out the best way to enable access to services."