ID management without the Big Brother baggage

The government has been trying for years to balance privacy, convenience and security for agencies' online customers. Can the latest efforts finally get traction?

Shutterstock image (by alphaspirit): hidden identity of an individual under a mask.

This Facebook game seems like harmless fun: Derive your "porn name" by combining the name of your first pet and the name of the first street you lived on. You and your friends take turns posting the hilarious results -- Fritz King for yours truly, for example, perhaps co-starring with Snowball Elm and Bruiser 5th Avenue.

But when you sign up for a new account on a website, you often have to choose challenge questions -- such as the name of your first pet or the name of the first street you lived on. Although most people who share such amusements mean no harm, they expose information that identity thieves could use to hack into accounts.

The federal government is struggling with identity management for public-facing websites, and the example above highlights one of the key difficulties -- teaching people to protect such seemingly innocuous information.

The General Services Administration's 18F is leading the charge with Login.gov, an effort to create an authentication platform for agencies to share that would lead to a uniform approach rather than dozens of separate systems. Login.gov will replace GSA's earlier effort, Connect.gov.

Why it matters

Americans entrust various agencies with the kinds of personal information that identity thieves love to steal. It is incumbent on government, therefore, to safeguard the data, and recent high-profile breaches show how hard it can be. In 2015, for example, the IRS' Get Transcript application was compromised by hackers who used information gleaned elsewhere to access more than 700,000 taxpayer accounts.

Identity management is the cornerstone of digital government, said Jennifer Kerber, former director of Connect.gov and now a director at Grant Thornton.

However, asking people to create a separate username and password for each site they visit quickly becomes onerous. It's not just the government; people have credentials for every account they maintain, whether it's for the IRS or iTunes, Medicare or Amazon. Eventually, most people default to applying just one or two passwords to every account they open or writing down dozens of strong passwords. Neither practice constitutes good security.

Fundamentals

Kerber said the government needs to go beyond usernames and passwords, and she cited studies showing that many data breach attempts succeed because legitimate users rely on weak, easily guessed passwords or never reset a system from a default password.

Meanwhile, the ease with which many internet users give up information such as their first pet's name means that knowledge-based authentication -- verifying identity with questions that only the actual individual is likely to answer correctly -- is also a dicey strategy.

"With the advent of social media and the new generation of folks who just put everything online, it's not as secure as we hoped," Kerber said. "That's why we're having to move beyond that."

If there is a silver lining, it is that most government websites do not need to collect personal information, said Michael Garcia, acting director of the National Strategy for Trusted Identities in Cyberspace (NSTIC) at the National Institute of Standards and Technology.

"As much as we think about government needing to know your true identity, the reality is that for most government services that are constituent-facing, you really don't," he said. Visitors who come to a site to look up statistics, download forms or subscribe to newsletters, for example, need not be asked to authenticate their identities.

Key hurdles

Nevertheless, many agencies do require personal information, and people increasingly expect government services to be available online. Authenticating identities and safeguarding authentication information are difficult for several reasons, including the challenge of educating people to behave smartly online.

And unfortunately, problems never stay solved, Kerber said. As fast as solutions are launched, adversaries start finding ways around and through them. "The hackers are always trying to get the information you have," she said. "In today's society, data is value. That's what everybody wants."

Garcia said there is a tension between security and access. When security measures are strengthened, "you're going to have more individuals who are the rightful owners of that information who are rejected," he said. "It's unfortunate. We wish it weren't the case, but if that's the price we pay to prevent adversaries from getting access, it might be an acceptable cost."

The government needs to recognize the importance of authenticating and protecting people's identities, Kerber said. Recent efforts, including NSTIC's work and GSA's Connect.gov and Login.gov, are examples of the kinds of sustained efforts that are needed, she added.

"It's complex, and I think it's suffered from a lack of consistent investment," she said. "When they look at digital identities, digital authentication, I think the government really needs to look at it as an investment in infrastructure. Rather than making it a reimbursed shared service, it should just be something the government funds."

What's next

Still, Kerber said, the outlook is encouraging. "We're in the process of improving, and I think we're starting to understand our security gaps," she added.

NIST is attempting to move the work forward with a revision to its Special Publication 800-63, which outlines best practices for identity management. The revised document will be open for public comment soon.

Garcia said a good approach to ID management should be multimodal. Using the Washington, D.C., subway system as an analogy, he noted that most riders use escalators to get to different levels of a station while some use elevators. When elevators are out of service, the system provides a shuttle bus to a nearby station that has working ones. The Defense Department is already moving toward such an approach for its personnel.

Similarly, an authentication method could require a smartphone, but there must be an alternative process for those who don't have a smartphone.

"We haven't really adopted that as simply the way life is for many of these online services," Garcia said. "You can't do it the same way for everybody. It just won't work."

Future-proofing is another key aspect of the revisions to SP 800-63, he added. For example, instead of specifying the pieces of evidence that an agency can use to verify a visitor's identity, the circular will describe the characteristics of good evidence.

"Over time, if other types of evidence emerge or existing types of evidence change, they can move between them by the way they innovate without us having to come back and point to it again," he said.

GSA's efforts are also encouraging, though not yet proven in practice. The Login.gov team is trying to learn from the Connect.gov experience, Garcia said, and the changes could represent real improvements if they work.

"Our office was a big proponent of the Connect.gov approach," he added. "There are some differences with the way Login.gov is currently implemented."

According to 18F, Login.gov builds on groundwork that Connect.gov laid, along with NIST, the White House's Cybersecurity National Action Plan and GSA's Federal Acquisition Service. It uses a combination of public and private identifiers to create a single-sign-on account for each user, adding multifactor authentication to enhance the basic password paradigm.

Importantly for privacy, Garcia said, the Connect.gov approach relied on existing commercial credentials to establish the user's authentication but did not store the data.

"The government does not have to create a new account and manage your information. There is no warehouse of personal information," he said of the Connect.gov efforts. "We do prefer to see leveraging of commercial credentials as a matter of choice. We don't have a problem with creating a government credential as well."

According to a system of records notice that GSA published in the Federal Register in August, Login.gov will ask only for information needed to provide the appropriate level of security. For access to information that requires only Level of Assurance 1, the system will ask for a username, password and phone number. For LOA3, to gain access to more sensitive personal information, additional factors such as Social Security numbers and financial and credit information will be required.

Once the user has been authenticated, the system assigns a meaningless, unique number to the data. The user can then be granted access to an agency website without providing the sensitive personal information again. GSA's partner agencies have access to the personal information only with the visitor's permission.
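The flow described in the notice can be sketched in a few lines of Python. This is an added example, not Login.gov's code: the `Broker` class, the field names, the per-agency consent table and the refusal of data a level does not call for are all assumptions made for illustration.

```python
import uuid

# Fields requested at each assurance level, per the article. The key names
# are labels invented for this example.
REQUIRED = {
    1: {"username", "password", "phone"},
    3: {"username", "password", "phone", "ssn", "financial_info"},
}


class Broker:
    """Hypothetical identity broker: opaque IDs go out, personal data stays in."""

    def __init__(self):
        self._records = {}  # opaque id -> {"loa": int, "attrs": dict}
        self._consent = {}  # (opaque id, agency) -> attribute names the user released

    def enroll(self, loa, attrs):
        missing = REQUIRED[loa] - set(attrs)
        extra = set(attrs) - REQUIRED[loa]
        if missing:
            raise ValueError(f"LOA{loa} requires {sorted(missing)}")
        if extra:  # assumption: refuse data the level does not call for
            raise ValueError(f"LOA{loa} does not need {sorted(extra)}")
        uid = uuid.uuid4().hex  # random, so it reveals nothing about the person
        # The password is a login secret, not a releasable attribute; a real
        # system would keep only a salted hash of it. It is dropped here.
        kept = {k: v for k, v in attrs.items() if k != "password"}
        self._records[uid] = {"loa": loa, "attrs": kept}
        return uid

    def grant(self, uid, agency, names):
        """Record the user's permission for one agency to see named attributes."""
        self._consent.setdefault((uid, agency), set()).update(names)

    def assertion(self, uid, agency, min_loa):
        """What an agency receives after login: the opaque ID plus consented data."""
        rec = self._records[uid]
        if rec["loa"] < min_loa:
            raise PermissionError("account was proofed below the level this service needs")
        allowed = self._consent.get((uid, agency), set())
        released = {k: v for k, v in rec["attrs"].items() if k in allowed}
        return {"sub": uid, "loa": rec["loa"], "attrs": released}
```

An agency that has not been granted anything receives only the opaque identifier and the assurance level, which is enough to recognize a returning visitor without holding personal data about them.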

However, if Login.gov becomes the federal authentication platform of choice, it might face a big hurdle that also tripped up Connect.gov.

"The business model is awfully difficult," Garcia said. With Connect.gov, "we think we really nailed the technology, and it was a massive improvement over agencies' own solutions, but it was difficult to [develop] a cost-recovery model. You want the costs to be shared across agencies, but that's hard to do. If you can get over that hump, that's a huge gain."

Note: This article was updated on Dec. 5 to clarify that certain remarks from Michael Garcia referred to Connect.gov, not the more recent Login.gov efforts.
