GSA to build central identity hub as 18F takes over project
The idea was straightforward: give U.S. citizens the ability to use digital identities they already have in order to access federal web sites and services. Depending on the risk for a specific transaction, the citizen would be required to take additional identity-proving actions in order to step up the level of assurance.
This was the idea behind Connect.Gov. It was supposed to be a government-wide identity platform, but it appears the project is being scrapped. In its place, GSA is planning to build its own platform from scratch.
The U.S. Post Office started the project in 2013. To provide the underlying technology, a contract was awarded to SecureKey. The company runs a similar program in Canada, called Concierge, which enables citizens to use their financial services credentials for access to government sites.
Agencies started piloting applications for Connect.Gov in 2015, but a number of factors contributed to low adoption, says one insider. The applications that agencies selected to test were small and obscure, so citizens didn’t have a strong incentive to use the system. Also, while credential providers had been set for the pilots — Verizon and ID.me — few people already had these credentials, so usage numbers were low. Between the obscure applications and a small base of credentials, the projects never gained significant traction.
While rumors have been swirling about the demise of Connect.gov, initiatives from the Obama administration have reinforced the need for the services the project was attempting to deliver. The Cybersecurity National Action Plan specifically called for multi-factor authentication to .gov sites, and it named the GSA to lead the effort.
18F, an entity within the GSA that helps federal agencies make IT acquisitions, is now overseeing that part of Obama’s plan. The future of Connect.gov or its remnants is unclear.
According to a blog post from 18F, the new project will build off the work from Connect.gov, but the post doesn’t say exactly how it will do this. “To build this login platform, we’re using modern, user-friendly, strong authentication and effective identity proofing technology. This new platform will leverage the extensive lessons we’ve gained from agency efforts in the past, including lessons learned from our counterparts in the UK who built GOV.UK Verify.”
Verify in the UK only accepts private sector credentials. 18F plans to create a platform that accepts them as well as offering a way for citizens to sign up for government-issued credentials, Joel Minton, head of the project at 18F, told attendees at the Cloud Identity Summit. “We want to give the users choice but will be providing a government account option and manage that securely,” he says.
ID.me was one of the credential providers for Connect.Gov. The company’s CEO Blake Hall says that the project will be shuttered in August as 18F plans to build “something new.”
According to Hall, they didn’t receive much feedback from agencies participating in the pilots. There were some rumblings that the system was slow and it was impacting the user experience, but there wasn’t much overall feedback.
18F has taken over the project and plans to build its own identity broker, attribute provider and single sign-on system for all agencies, Hall says. This was discussed at a meeting that Hall had with 18F officials.
“Creating a central account for all citizen information is troubling,” he says. “It’s both Orwellian and would create one of the biggest honeypots of information for hackers to go after. I believe in a federated model that gives consumers choice. It would be horrible if any one private sector company had all Americans’ personal data in one place — but for that entity to be the federal government, absolutely not.”
Connect.Gov was also under the umbrella of the National Strategy for Trusted Identities in Cyberspace, which proposed a public and private partnership to solve the digital identity woes facing citizens. Having a government-only solution goes against that idea, Hall says.
Hall isn’t the only one who’s upset. There has been a bit of private sector backlash against 18F taking over the project. Twitter was aflutter after the 18F blog post, with one poster saying the government had been the equivalent of Lucy from “Peanuts” holding the football for Charlie Brown (the private sector) and then pulling it away at the last second.
But until the GSA and 18F release concrete plans for the new identity platform, it’s unclear what the future will hold.