Draft contract states ID confirmation for "MyE-Verify" would be hosted in a remote facility.
The Department of Homeland Security plans to try a novel identity check model that lets citizens put a freeze on their Social Security numbers.
That comes after lawmakers have pushed for a mechanism that locks down SSNs, so they can’t be used by immigrants to steal identities and fake work eligibility to gain employment.
The MyE-Verify tool became available Oct. 6 in select states and should be rolled out nationally by the middle of next year, officials at U.S. Citizenship and Immigration Services said Friday.
Now, in a twist, the agency is seeking a cloud-services provider -- such as an Amazon or Microsoft -- to host the backend of the ID verification system, while DHS runs the public website.
“It is a little bit the tip of the iceberg,” said Ken Ammon, chief strategy officer for security software provider Xceedium. “This is at its core a hybrid cloud solution. There's a lot of buzz around hybrid, but trying to point to someplace where you can actually see someone doing this” is rare.
With MyE-Verify, a legal employee creates an account by choosing a username and password, selecting password reset questions and taking an ID quiz generated by authentication service Equifax. The service asks for various details that only the rightful SSN-owner would know, such as the state that issued the SSN, driver's license number and loan information. The employee also picks a communications channel for a second ID confirmation – a phone call, text message or email message that contains a one-time passcode.
Once an account is created and verified, the user can access the lockdown feature.
The cloud provider would host the whole process offsite and has the option of partnering with Equifax or using its own identity-proofing service, USCIS officials said.
The government would be responsible for designing the public-facing online screens, incorporating the ID management service into the back-end via Web services and maintaining an existing service called E-Verify "SelfCheck" that lets legal residents confirm their work authorization status.
MyE-Verify users have to pass SelfCheck first.
Under a contemplated five-year contract, the agency seeks a contractor to “host and manage the service in a remote facility," states a USCIS draft statement of work. The company would "provide a fully hosted application programming interface (API) that includes identity proofing, account creation, account management and multi-factor authentication capabilities."
The work likely must be awarded and completed quickly -- the myE-Verify feature will be activated for about 25 states in early 2015, and all 50 states and U.S. territories in the middle of 2015, according to USCIS.
For this reason, Ammon said he expects the agency has already tested some products.
“I would hope that from their timeline they have already been talking to vendors,” he said. “That is a lot of moving parts to put together in short order.”
Employers for years have relied on E-Verify to check the work eligibility of job applicants. Federal contractors are required to use the system and some Congress members are urging for it to become mandatory in the private sector.
When MyE-Verify launched earlier this month, House Judiciary Committee Chairman Bob Goodlatte, R-Va., said in a statement: “Americans now have an easy way to prevent people from using their Social Security numbers to work unlawfully in the United States. This is an important improvement that I have long supported ."
He added: "We should continue to build upon the successes of E-Verify and require all U.S. employers to use it to check the work eligibility of their newly hired employees. This would go a long way toward protecting jobs for Americans and legal immigrants and deterring people from coming to the United States illegally.”