The U.S. Department of Commerce last year announced three pilots in support of the National Strategy for Trusted Identities in Cyberspace (NSTIC).
The $3 million in grants will be shared among the three recipients – MorphoTrust, Confyrm and GSMA – as they pilot solutions exploring mobile devices instead of passwords for online authentication, minimization of loss from ID theft and improved access to state services.
This is the third round of NSTIC pilots with seven awarded in 2013 and five in 2012.
MorphoTrust: Strong identities for N.C. residents
Through their recent grant, MorphoTrust is creating an electronic ID to help North Carolina citizens access online services.
The goal is to authenticate identity online with the same security and privacy protection as in-person transactions – using a virtual ID that is as trustworthy, low-cost and readily available as a driver license.
Forty-two states use MorphoTrust solutions for driver license programs and state ID credentials. The company also provides face, fingerprint and iris biometric solutions to the federal government. Its enrollment services division registers people nationwide for a variety of programs including the Transportation Worker Identification Credential.
MorphoTrust’s NSTIC pilot was born out of a specific problem the company thought it could address.
“We thought we could help verify that people are who they claim to be online,” says Mark DiFraia, senior director of solutions strategy at MorphoTrust. “If that problem can be alleviated, obviously the risk associated with online transactions could be reduced, but it could also open up the doors for many more things to be accomplished online.”
The MorphoTrust proposal consists of three main goals:
- Prove that an electronic ID can be created that carries the trust of a secure credential and can be used to eliminate in-person identity proofing requirements
- Demonstrate elevation of trust using biometric multi-factor authentication
- Define a framework through which state and commercial entities can trust each electronic ID in their transactions
The two-year, $1.5 million pilot will be carried out in partnership with the North Carolina Department of Transportation and Department of Health and Human Services. Additional pilot partners include The University of Texas at Austin Center for Identity, Gluu, Toopher, miiCard and Privacy Engineer Debra Diener.
The pilot will issue North Carolina residents an electronic identity when they get their driver license, says James Varga, CEO and founder at miiCard, an online identity service. “MiiCard isn’t a physical card, it’s a digital one. Think of it as a digital passport or a virtual version of your driver license that you use like you would a Facebook or a LinkedIn account to log into a site,” explains Varga. “As a miiCard user, you can decide what you want to share and what you don’t. This is one of the key objectives for us – to put consumers back in control of their identity.”
A goal is to prove that the identity that Health and Human Services users have online can be extended to common commercial use cases. “Then everyone in the online community can see just how these kinds of trusted identities can be leveraged in a wide variety of uses,” DiFraia says.
Involvement in driver license programs across the country is likely one reason for the pilot win, DiFraia says. “Also, we’re solving a very real problem in North Carolina helping to bring people into the Health and Human Services’ Food and Nutrition Services Program online through new channels,” he adds. “If we can prove that this channel is viable and secure, it brings a new level of efficiency.”
If the pilot is successful, DiFraia says the work will likely expand to other North Carolina agencies, other states and the commercial sector.
“It allows the government to safely leverage strong identities to solve its own problems,” says DiFraia. “And it gives the consumer control of the highly trustworthy online identity token.”
“The project has the opportunity to break through a threshold of trust that has so far been elusive in the online world,” says DiFraia. “We’re hopeful that we can have that kind of wide sweeping impact on how people do business online in the future.”
Confyrm: Curbing loss from account takeover
The two-year-old UK identity company Confyrm is already making a big impact as a winner of one of the third-round NSTIC grants.
Confyrm was awarded $2.4 million to demonstrate ways to minimize loss when criminals create fake accounts or take over online accounts. A key barrier to federated identity – where an identity provider vouches for an individual at other sites – is the concern that accounts used may not be legitimate or in the control of their rightful owner.
Account compromises and the subsequent misuse of identity often result in destruction of personal information, damage to individual reputations and financial loss. Confyrm will demonstrate how a “shared signals” model can mitigate the impact of account takeovers and fake accounts through early fraud detection and notification, says Andrew Nash, founder and CEO of Confyrm.
Nash says the fundamental infrastructure, software and technologies have already been built at a prototype level. The grant money will be used to demonstrate how companies and consumers can minimize losses when criminals create fake accounts or take over existing accounts.
“You’ve had to hit the password reset button to get back into your online financial account,” Nash says. “The email address or SMS address that’s recorded for you in association with that account is used as a trusted communication channel.”
Clicking on the link included in that message takes the user back to the site, providing a fairly high level of confidence that the user is the account owner.
“All of this works fine right up until the point that the email account has been subverted. If someone else is in control of your email account, the person hitting the password reset is also the person who is about to get control of your financial account,” Nash says. “We’re creating a shared mechanism for passing information about accounts between various participants to detect these kinds of problems.”
Confyrm isn’t releasing information yet about its half dozen partners in the pilot project. What is known, however, is that the company is working with an email provider, a mobile operator and multiple e-commerce sites. “We are building out a series of use cases to look at how we can share information between these participants,” Nash says.
The intent is to keep details about who publishes the event private in order to make participants feel comfortable sharing information. It is essential to ensure that the user’s privacy is maintained and kept separate from the communication, because there’s no way to be certain if the user is the actual account owner or the fraudster.
One of the company’s first deliverables was a white paper for the Open Identity Exchange titled “The Shared Signals Model.”
“We have been working from that model to come up with concrete mechanisms to talk about how identity information can be shared between participants in a way that allows parties to understand what’s going on across the ecosystem,” Nash says.
As Confyrm worked on discovery projects with the UK government, this Shared Signals Model kept coming up as part of the concept of sharing technology between governments, Nash explains. He says that got the attention of the NSTIC folks, who encouraged Confyrm to apply for a pilot grant.
“Initially I was somewhat reticent,” he says, knowing that applying for the grant would be a large undertaking. Now, however, he says they have the chance to make real-world changes.
He provides another example of this real-world change.
“Imagine that you have used an identity provider and you change your password at that identity provider, but you’ve still got sessions open with various relying parties,” Nash says. “At the moment, there’s no way to convey to the relying parties that a password reset has occurred and that they ought to tear down those sessions and reestablish them.”
Making sure that all the parties are aware of the change is crucial. “Something that happens at Apple can ultimately affect your Twitter account in terms of takeovers,” Nash explains. “So being able to share that information to avoid these cascading kinds of attacks is really useful.”
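The password-reset scenario above, together with the earlier point about keeping the publisher private, can be sketched in a few lines. This is an added illustration, not Confyrm's design or code: the hub, the event names, the keyed-hash account reference and the shared key are all assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical event names; the article does not define a vocabulary.
REVOKING_EVENTS = {"password-reset", "account-compromised"}

@dataclass(frozen=True)
class Signal:
    account_ref: str    # keyed hash of the account identifier, never the raw address
    event: str
    occurred_at: float  # when the event happened at the (unnamed) publisher

def make_account_ref(identifier, shared_key):
    """Pseudonymous account reference, so e-mail addresses never cross the hub."""
    normalized = identifier.strip().lower().encode()
    return hmac.new(shared_key, normalized, hashlib.sha256).hexdigest()

class RelyingParty:
    def __init__(self, sessions):
        self.sessions = dict(sessions)  # session_id -> (account_ref, started_at)

    def on_signal(self, signal):
        """Tear down this account's sessions that predate the event."""
        if signal.event not in REVOKING_EVENTS:
            return []
        stale = [sid for sid, (ref, started) in self.sessions.items()
                 if ref == signal.account_ref and started <= signal.occurred_at]
        for sid in stale:
            del self.sessions[sid]
        return stale

class SignalHub:
    def __init__(self, subscribers):
        self.subscribers = subscribers  # participant_id -> handler

    def publish(self, publisher_id, signal):
        """Fan out to every other participant; publisher_id is not forwarded."""
        return {pid: handle(signal) for pid, handle in self.subscribers.items()
                if pid != publisher_id}

def demo():
    key = b"constructed-demo-key"  # constructed sample data throughout
    alice = make_account_ref("Alice@example.com", key)
    bob = make_account_ref("bob@example.com", key)
    shop = RelyingParty({"s1": (alice, 100.0), "s2": (bob, 110.0)})
    bank = RelyingParty({"b1": (alice, 120.0), "b2": (alice, 300.0)})
    hub = SignalHub({"shop": shop.on_signal, "bank": bank.on_signal})
    revoked = hub.publish("email-provider", Signal(alice, "password-reset", 200.0))
    return revoked, shop, bank
```

Sessions opened after the reset (`b2`) and sessions belonging to other accounts (`s2`) survive; only sessions that predate the event are torn down and must be reestablished.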
Nash says the partners are excited about the potential to have a major impact on improving trust and privacy mechanisms in the identity space. “We need to be able to make this an operational reality,” Nash says. “We’ve got a lot to learn, but we think that we’ve got some pretty good starting points.”
GSMA: Uniting U.S. carriers for mobile ID scheme
GSMA has partnered with America’s four major mobile network operators to pilot a common approach – interoperable across all four operators – that will enable consumers and businesses to use mobile devices for secure, privacy-enhancing identity and access management.
GSMA’s global Mobile Connect Initiative is the foundation for the pilot; the initiative will be augmented in the U.S. to align with NSTIC. By enabling any organization to easily accept identity solutions from any of the four operators, the solution would reduce a significant barrier to online service providers accepting mobile-based credentials. GSMA also will tackle user interface, user experience, security and privacy challenges, with a focus on creating an easy-to-use solution for consumers.
At press time, the GSMA was unable to provide additional details on the pilot.