Universal credentials are the future of online security, DHS says.
As early as next year, emergency crews responding to disasters such as Tuesday's Amtrak derailment could be able to access an incident command system using only their personal Gmail passwords.
During a recent trial, roughly 1,100 government first responders nationwide, including California wildfire fighters, accessed the command system in this manner. This exercise in password consolidation is part of a federally funded, industry-led effort to abolish the "Forget Your Password?" button.
The log-on overhaul at emergency response centers is Homeland Security's contribution to that effort, says Tom McCarty, DHS director of identity, credential and access management.
The department partnered with technology firm Criterion Systems to set up an "attribute exchange network" that verified federal, state and local emergency management professionals were who they claimed to be -- without making them create a new password and username.
The attribute exchange network "creates this kind of marketplace for authoritative attributes about people," McCarty said in an interview this month. In this particular test, first responders used their personal Gmail accounts to access the government-restricted incident command website.
That site, the DHS-sponsored Next-Generation Incident Command System, or NICS, is used to share maps of impacted areas, locations of emergency personnel across the country, terrain data and other environmental information for coordinating a quick response.
For example, the system allows responders to see where a partner organization’s resources are positioned so they all can figure out where to deploy fire trucks for containing a wildfire, according to system developers.
"Before, you had to sign up and get another username and get another password. And they did this kind of manual process to figure out if you were a first responder or not," McCarty said. "A big part of our program is to try to make life simpler for the user and make our systems and their sensitive data more secure."
The emergency management organizations, however, couldn't trust Google IDs -- comprising a name, email address and phone number -- to confirm ID holders were actually qualified to perform life-saving duties.
To obtain Google IDs and other social media credentials, "you enter some basic information and basically you can be anyone at the other end of the account," McCarty said.
Project participants had wanted to automate the checking of employment status, but funding ran out.
Instead, each organization's system administrator manually set the tool to only approve the Google IDs of crew members, said Paul Breimyer, technical staff at the Massachusetts Institute of Technology Lincoln Laboratory, which helped develop the DHS site.
Criterion was awarded $2 million by the Commerce Department's National Strategy for Trusted Identities in Cyberspace to pilot these types of "identity management" services in the consumer and government space. The NICS experiment ran between October 2012 and April 2015, company officials said.
In 2016, "we should be able to verify their current status upon logging in," Breimyer said. "We didn’t get to that point."
Still, the initiative proved a universal password can securely and swiftly provide access to mission-critical homeland security systems.
"Perhaps it wasn’t a surprise, but it certainly validates the fact that the time of system-specific usernames and passwords is over," Breimyer said. "The socialization of single sign-on continues to be pretty rampant. And the user community is going to require it more and more moving forward. So as a system developer, we need to be cognizant of that. And frankly it’s fantastic because it’s another piece of infrastructure that we don’t have to provide."
Commerce's NSTIC vision is slowly taking shape elsewhere within the government.
Connect.gov, launched late last year, is intended to let citizens use one of their existing passwords -- from Google, ID.me, PayPal, Verizon and Yahoo -- to access various dot-gov applications. Retired military members, for example, can now apply for Department of Veterans Affairs health benefits online using a Verizon ID.
However, to date, only the VA, the Agriculture Department and the National Institute of Standards and Technology accept the outside credentials.