Step-up auth adds assurance to social media credentials
23 June, 2015
category: Corporate, Digital ID, Financial, Government, Library
FCCX rebrands to Connect.Gov
Program will enable Yahoo, Google, PayPal IDs on gov sites
The Federal Cloud Credential Exchange (FCCX) is dead, long live Connect.Gov. Rebranding FCCX was a no-brainer, as people weren’t sure how to pronounce FCCX (F-6?), how to spell it, or what it was going to do, says Jennifer Kerber, program manager for Connect.Gov at the GSA.
“We wanted to change it and went with Connect.Gov because it connects users to the government,” Kerber explains.
The premise behind Connect.Gov is simple – enable individuals to access government web sites using credentials they already have. The GSA is testing the system now and plans to roll out citizen-facing applications throughout the year. “We want to do user experience testing; it comes down to providing a good experience for the consumer,” Kerber says.
The GSA also wants to make sure that consumers understand what’s going on when they use the system. Creating a new user account at every site is standard practice, but it’s not one that people enjoy. At the same time, people might not understand what’s happening when they’re asked to enter a user name and password from an account they already have on a government site.
Connect.Gov is working with the USDA, IRS, the Centers for Medicaid and Medicare Services, Veterans Affairs and other agencies. The system accepts a number of level-one credentials, including Yahoo, PayPal and Google. The GSA also signed contracts with ID.me and Verizon to provide credentials that can be stepped up to reach level-two and level-three assurance. The system will also accept government-issued PIV cards.
There are endless possibilities for different Connect.Gov uses, Kerber explains. “As a citizen, it would be great to have this secure digital credential that I can use for anything I want, from paying taxes to getting veterans’ benefits,” she says. “I know that the information is secure and that I only give up the information that I choose.”
Agencies benefit because they don’t have to create or maintain an identity management system. Kerber is working with them to find out how they would like to use the system.
Eventually, Connect.Gov could be the underlying system that all federal agencies use for identity vetting and secure access. The groundwork is already in place for these systems; it’s a matter of making it work across agencies.
Some may scoff at using this for access to federal sites only, as many people don’t access these resources very often. But ultimately, it’s a matter of getting people comfortable using these new types of authentication systems.
Stepping up an airline web site
Others are also looking to take advantage of using step-up authentication for access to services. Janrain helps companies use social identities on their web sites and has worked with some of its customers to add step-up authentication.
The company is working with an airline to use social login to enable a customer to browse articles about travel, access loyalty information and book trips, says Jamie Beckland, vice president of marketing at the company.
“There’s a marketing site about vacation, and if they want to share that article and add comments they would use a social login,” he explains. “But if they want to book a trip or check a loyalty balance, an additional layer of security is needed.”
This step-up could be something as simple as a second password created earlier, or it could be a one-time passcode delivered to a mobile device or a series of knowledge-based questions, Beckland explains.
Multi-factor is a must
There is a lot of upside to step-up authentication, but it’s not perfect. The process is simpler than visiting an office, providing documentation and receiving a physical token – but it’s not the easy, frictionless experience a lot of people want it to be.
“The problem with a strong credential is that it requires more upfront work by the user and they don’t want to do that,” says Tracy Hulver, chief identity strategist at Verizon Enterprise Solutions. “You have the competing factors of ease of use and strong authentication.”
Even knowledge-based authentication, a key component to many step-up processes, has its pros and cons. It can be accurate and helpful in identifying consumers remotely, but it can also be difficult, time consuming and fail to identify some people. “If you’re choosing picky enough questions there’s a chance they won’t remember the answer,” Ruddy says.
Another idea is to tie step-up authentication to an identity associated with a mobile device, Ruddy says. Consumers who have mobile phone contracts have to undergo a credit check so there is a certain level of stepped-up assurance inherently associated with that device. “If you can tie a person to a specific device – it’s not guaranteed to be in the hands of the right person – but there’s a strong inclination.”
Hulver advocates different authentication and assurance levels based on the risk of the transaction. Checking an account balance could be a low-level transaction – not even necessarily requiring a password – but if a consumer wants to pay a bill or transfer money then stronger authentication is necessary.
Adaptive authentication technologies could enable step-up authentication in the background without the consumer even knowing it. Checking the IP address, the time of day and the geographic location of a transaction could all be factors leading to higher levels of identity assurance, Hulver says. “It could also check if your mobile phone is within three feet of where you’re making the transaction,” he says. “The chance of someone having your phone and knowing your user name and password is not that great.”
These are the same types of technologies already used by banks and credit card issuers for fraud alerts, and it’s all based on risk. “Risk is key,” says Ruddy. “People are adjusting their risk management systems and a lot of work has been done to make it more efficient and effective.”
These adaptive authentication schemes could also lead to even greater levels of assurance, because they collect more data as time goes on. “If you’re stepping up the authentication for one transaction then it should be stored and used at other relying parties,” Hulver explains. “Eventually over the course of three to six months, a consumer could reach even higher levels as the system learns more about them. Eventually it will be invisible and in the background.”
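The risk-based tiering Hulver describes (balance check at a low level, bill payment or transfer at a higher one), the background signals that raise or lower assurance (known IP address, usual hours, home country, phone proximity) and the idea that a completed step-up should be retained for later transactions can be sketched as a small policy engine. The following Python is an added example written for this article; it is not code from Connect.Gov, Janrain or Verizon. The numeric level mapping, the transaction table, the signal weights and the sample profile are all constructed assumptions, not anything the article specifies.

```python
from dataclasses import dataclass

# Assurance a session has proven so far. The numbers loosely follow the
# level-one/two/three language in the article; the mapping is an assumption.
LOA_NONE = 0
LOA_SOCIAL = 1      # federated social login (Yahoo/Google/PayPal-style)
LOA_PASSWORD = 2    # site-specific password or knowledge-based questions
LOA_OTP = 3         # one-time passcode to a registered mobile device

# Minimum assurance per transaction type (hypothetical policy table).
REQUIRED_LOA = {
    "read_article": LOA_NONE,
    "check_balance": LOA_SOCIAL,
    "pay_bill": LOA_PASSWORD,
    "transfer_funds": LOA_OTP,
}

# Cheapest-first list of factors a user can be asked to present.
STEP_UP_METHODS = [
    (LOA_SOCIAL, "social_login"),
    (LOA_PASSWORD, "password_or_kba"),
    (LOA_OTP, "otp"),
]


@dataclass
class Session:
    user: str
    loa: int            # assurance proven so far in this session
    ip: str
    country: str
    hour: int           # local hour of the request, 0-23
    device_near: bool   # registered phone reports it is next to the client


@dataclass
class Profile:
    known_ips: set
    home_country: str
    usual_hours: range


def context_risk(session: Session, profile: Profile) -> int:
    """Count contextual anomalies; one point per signal (constructed weights)."""
    risk = 0
    if session.ip not in profile.known_ips:
        risk += 1
    if session.country != profile.home_country:
        risk += 1
    if session.hour not in profile.usual_hours:
        risk += 1
    return risk


def effective_loa(session: Session, profile: Profile) -> int:
    """Assurance after background signals are applied.

    Anomalies degrade trust one level each; a nearby registered phone with a
    clean context adds one level, which is the 'invisible' step-up the article
    describes. It never exceeds LOA_OTP.
    """
    risk = context_risk(session, profile)
    if risk:
        return max(LOA_NONE, session.loa - risk)
    if session.device_near:
        return min(LOA_OTP, session.loa + 1)
    return session.loa


def decide(session: Session, profile: Profile, txn: str):
    """Return ('allow', None), ('step_up', method) or ('deny', None)."""
    required = REQUIRED_LOA[txn]
    if effective_loa(session, profile) >= required:
        return ("allow", None)
    # Ask for the cheapest factor that both meets the requirement and is
    # stronger than what the session already proved interactively.
    for level, method in STEP_UP_METHODS:
        if level >= required and level > session.loa:
            return ("step_up", method)
    return ("deny", None)


def complete_step_up(session: Session, method: str) -> Session:
    """Record a successful challenge so later transactions reuse it."""
    for level, name in STEP_UP_METHODS:
        if name == method:
            session.loa = max(session.loa, level)
    return session


# Constructed sample profile; addresses are from the RFC 5737 documentation ranges.
ALICE = Profile(known_ips={"198.51.100.7"}, home_country="US", usual_hours=range(7, 23))

if __name__ == "__main__":
    s = Session("alice", LOA_SOCIAL, "198.51.100.7", "US", 10, device_near=False)
    print(decide(s, ALICE, "check_balance"))   # social login is enough
    print(decide(s, ALICE, "pay_bill"))        # prompts for password or KBA
    complete_step_up(s, "password_or_kba")
    print(decide(s, ALICE, "pay_bill"))        # retained for the session
    odd = Session("alice", LOA_PASSWORD, "203.0.113.5", "RO", 3, device_near=False)
    print(decide(odd, ALICE, "check_balance"))  # anomalous context forces OTP
```

The two halves of the policy are deliberately separate: `REQUIRED_LOA` is what the business owner sets per transaction, while `effective_loa` is where the fraud-style signals live, so the same session can be waved through a balance check and still be challenged for a transfer, and a clean session with a nearby registered phone can reach the transfer tier without a visible prompt.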