By Aliya Sternstein
December 5, 2011
Verizon has become the first company certified to offer high-level online identity protection for federal personnel and visitors to dot-gov websites, officials at the telecommunications firm announced Monday morning.
With agencies under budgetary pressure to move services online and data breaches spiking, ID providers are vying to offer departments, as well as businesses, easy, affordable means of ensuring people are who they say they are online. Verizon officials said the win opens the door for potential contracts with the Internal Revenue Service and other agencies that require a high level of ID trustworthiness for transactions, such as filing taxes directly through IRS.gov.
Until now, companies, including Google and Equifax, met the federal government's criteria for offering websites only the lowest of four "levels of assurance" -- Level 1, which simply confirms a username and password. Level 3 assurance, which Verizon now carries, requires checking a second piece of identifying data, such as a smart card containing personal information and biometric fingerprints.
"We are the first and only identity provider that's been certified at Level 1, 2 and 3," Verizon's chief identity strategist Tracy Hulver said.
During the past year, a number of government officials have had their personal and professional email credentials held hostage by hackers with a grudge, most recently at the United Nations. Some security experts say a two-step ID validation process may have quashed an invasion by hacktivists of the U.N.'s mail server.
Outsourcing credentialing to trusted ID providers could further shield federal employees from identity theft, Hulver said. "It greatly reduces the likelihood that someone is trying to pose as you," he added.
Commercial IDs allow Internet users to log in with one set of credentials on many sites without having to register their Social Security numbers across the Internet -- an added privacy bonus, say some civil liberties advocates. Several prominent agencies, including the IRS and Veterans Affairs Department, have dismal track records in securing personal information in-house, according to government audits.
The White House recently issued a directive ordering all federal agencies launching or upgrading Level 1 dot-gov sites to offer citizens the option of opening accounts using their existing commercial credentials. For example, visitors on CPSC.gov would be able to register through their Gmail accounts to receive recall updates from the Consumer Product Safety Commission. The Oct. 6 memo stated that departments only have to offer the type of sophisticated ID verification that Verizon now supplies "where appropriate and as resources permit."
Equifax is applying to become a certified Level 2 and Level 3 provider for the government, according to officials at Anakam, Equifax's identity proofing unit. The Obama administration this spring released a plan for linking together all ID providers in an "identity ecosystem," akin to a credit card payment system for verifying online IDs. The main hang-up with the National Strategy for Trusted Identities in Cyberspace, is not the technology, but rather universal buy-in from Internet companies, governments, businesses and consumers, according to administration officials. Verizon executives said they are committed to moving forward on the endeavor with competitors, including Google, McAfee and others.
By subscribing to Verizon's Level 3 services, federal customers essentially would hand over ID management to the company, including the work of enrolling users' personal data, distributing logins securely to them, and verifying those credentials for each transaction, Verizon officials said. Agencies would have the option of buying physical tokens for users or one-time passwords sent to their cellphones. Currently, no vendors are certified to provide the strongest layer of protection, Level 4, which requires a user to prove his or her identity in person before obtaining credentials.
Hulver said the cost of Verizon's offerings vary based on the size of a department's user base. A small, 50,000-person agency could pay between $8 and $20 per user. A department as big as the IRS, with hundreds of millions of users, may be charged $1 per person because the more users, the lower the unit cost of providing the service.
By Aliya Sternstein
December 5, 2011