In October, President Obama signed an executive order to fight identity theft – an order that primarily focuses on moving the government toward more secure payment cards through chip and PIN-enabled technology. The majority of the media attention around the order focused on this aspect. Section 3 of the order, a mandate ensuring that access to citizens’ personal data is protected behind strong identity authentication, was largely overlooked.
Section 3 states that within 90 days of the date of the Order (which is coming up soon), the National Security Council staff, the Office of Science and Technology Policy, and the Office of Management and Budget shall present a plan consistent with the 2011 National Strategy for Trusted Identities in Cyberspace (NSTIC) to ensure that “all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process, as appropriate.”
Featured Download: Social media access at work. Do your employees know the rules?
To meet this requirement, agencies have two main options: high-friction identity proofing (such as employing traditional identity confirmation techniques like questions about past addresses, first cars, or sending passcodes to correlated cell phones) and setting a multi-factor authentication login that a user must remember for that particular website; or employing a federated ID methodology in which a trusted third party identity provider – accredited by the Federal and Identity Credential Access Management Standards (FICAM)— enables a user to have a single, multi-factor login across multiple websites.
The primary problem with the former method is that the current state of multi-factor authentication within government agencies is siloed, and user credentials and passwords are not portable across agencies. This requires citizens to not only remember usernames and passwords for each agency but also remember different multi-factor authentication schemes that are specific to individual agencies.
In this scenario, if a citizen is interacting with the IRS and then also with the Social Security Administration, they will have to undergo identity proofing twice and set up two separate sets of credentials, making it far more taxing to the end-user.
Alternatively, agencies may accept credentials that are already verified and issued by outside identity providers. Besides the obvious benefit of eliminating the requirement to the consumer to create another account, this method proves to be extremely cost effective, as established in a study conducted by NIST. The study found that if the IRS adopted the NSTIC approach of leveraging accredited third-party credentials, the up-front adoption costs would be $40 million to $111 million less than an IRS-only proprietary authentication system, and annual costs would be $2 million to $19 million lower. In the private sector, social media login provider Janrain claims that sites that accept externally issued credentials have conversion rates at least 50% higher relative to those sites that do not accept them.
The executive order reinforces the national strategy that was already laid out in NSTIC and now presents an opportunity to change the paradigm of cybersecurity. Beyond the cost and efficiency savings, a network approach to identity that leverages outside identity providers offers enhanced fraud detection capabilities because the network can detect anomalies if a particular identity is being used too often or in a manner that is associated with malicious intent. These benefits make it clear that by simply leveraging trusted credentials that citizens already possess, government agencies can enable a higher quality, lower cost method of secure authentication while drastically reducing friction to the consumer.
By Ryan Fox, Chief Product Officer, ID.me
About ID.me
ID.me is a member-based service that allows members to securely prove their group IDs through our site so military and student members can receive exclusive offers and enjoy shopping online. The personal information members add to their ID.me account is always protected and under your control. The company limits the type of data its partners can request, and at any time members can revoke a partner’s access or delete their account and information entirely.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.