recommended reading

Verizon becomes first firm to offer certified online ID protection

Verizon has become the first company certified to offer high-level online identity protection for federal personnel and visitors to dot-gov websites, officials at the telecommunications firm announced Monday morning.

With agencies under budgetary pressure to move services online and data breaches spiking, ID providers are vying to offer departments, as well as businesses, easy, affordable means of ensuring people are who they say they are online. Verizon officials said the win opens the door for potential contracts with the Internal Revenue Service and other agencies that require a high level of ID trustworthiness for transactions, such as filing taxes directly through IRS.gov.

Until now, companies, including Google and Equifax, met the federal government's criteria for offering websites only the lowest of four "levels of assurance" -- Level 1, which simply confirms a username and password. Level 3 assurance, which Verizon now carries, requires checking a second piece of identifying data, such as a smart card containing personal information and biometric fingerprints.

"We are the first and only identity provider that's been certified at Level 1, 2 and 3," Verizon's chief identity strategist Tracy Hulver said.

During the past year, a number of government officials have had their personal and professional email credentials held hostage by hackers with a grudge, most recently at the United Nations. Some security experts say a two-step ID validation process may have quashed an invasion by hacktivists of the U.N.'s mail server.

Outsourcing credentialing to trusted ID providers could further shield federal employees from identity theft, Hulver said. "It greatly reduces the likelihood that someone is trying to pose as you," he added.

Commercial IDs allow Internet users to log in with one set of credentials on many sites without having to register their Social Security numbers across the Internet -- an added privacy bonus, say some civil liberties advocates. Several prominent agencies, including the IRS and Veterans Affairs Department, have dismal track records in securing personal information in-house, according to government audits.

The White House recently issued a directive ordering all federal agencies launching or upgrading Level 1 dot-gov sites to offer citizens the option of opening accounts using their existing commercial credentials. For example, visitors on CPSC.gov would be able to register through their Gmail accounts to receive recall updates from the Consumer Product Safety Commission. The Oct. 6 memo stated that departments only have to offer the type of sophisticated ID verification that Verizon now supplies "where appropriate and as resources permit."

Equifax is applying to become a certified Level 2 and Level 3 provider for the government, according to officials at Anakam, Equifax's identity proofing unit. The Obama administration this spring released a plan for linking together all ID providers in an "identity ecosystem," akin to a credit card payment system for verifying online IDs. The main hang-up with the National Strategy for Trusted Identities in Cyberspace, is not the technology, but rather universal buy-in from Internet companies, governments, businesses and consumers, according to administration officials. Verizon executives said they are committed to moving forward on the endeavor with competitors, including Google, McAfee and others.

By subscribing to Verizon's Level 3 services, federal customers essentially would hand over ID management to the company, including the work of enrolling users' personal data, distributing logins securely to them, and verifying those credentials for each transaction, Verizon officials said. Agencies would have the option of buying physical tokens for users or one-time passwords sent to their cellphones. Currently, no vendors are certified to provide the strongest layer of protection, Level 4, which requires a user to prove his or her identity in person before obtaining credentials.

Hulver said the cost of Verizon's offerings vary based on the size of a department's user base. A small, 50,000-person agency could pay between $8 and $20 per user. A department as big as the IRS, with hundreds of millions of users, may be charged $1 per person because the more users, the lower the unit cost of providing the service.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

    Download
  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

    Download
  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

    Download
  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

    Download

When you download a report, your information may be shared with the underwriters of that document.