Step-up auth adds assurance to social media credentials
23 June, 2015
category: Corporate, Digital ID, Financial, Government, Library
Obama calls to step up with multi-factor auth
Last fall, President Barack Obama signed an executive order on cybersecurity that aims to protect consumers from identity theft.
It requires federal agencies to issue and accept EMV payment cards and take extra precautions online when protecting citizens’ personal information. The focus of the announcement was the use of EMV, a more secure payment technology. But even more significantly, a short section of the executive order mandates a move to more secure authentication by government agencies.
The order calls for government agencies to conduct proper identity vetting before enabling access to personal information, and then to put multi-factor authentication in place to secure access to that data.
“This is the government raising the bar,” says Jeremy Grant, Senior Executive Advisor for Identity Management, NIST. “We’re not just going to be letting people in with user names and passwords, and we’re going to make sure they are who they claim to be.”
Exactly how this will be done has not yet been revealed. Government agencies were working on a plan for how such a system would roll out, and as of press time no further updates were available.
Carrying out the executive order is no small challenge, says Tracy Hulver, chief identity strategist at Verizon Enterprise Solutions. Moving to strong identity vetting and multi-factor authentication throughout government is a huge task. “The challenge is coordinating across all the agencies and sub-agencies and getting them all to sing off the same sheet music,” he explains.
The executive order calls for agencies to implement identity vetting and multi-factor authentication by mid-2016. The lack of standardized processes around these poses problems, Hulver says. “Identity touches everyone,” he says. “Rolling out an identity system isn’t as easy as turning on a new firewall.”
It’s likely that agencies will team up and use the same processes and systems. “You’ll log in to one site that might share a credential with other agencies,” Hulver adds. “What should happen is that I sign up for one credential that is used across all government sites, but that’s not going to happen.”
Too many agencies with different focuses and the lack of a central entity to move the project forward will likely mean different systems across government, Hulver explains. At this point there are more questions than answers. “Will there be consistency across the agencies? How will they identity proof citizens? Will vendors who supply the credential get access to information?” Hulver asks. “It’s going to be a big challenge but it has to happen.”
Some predict that there may be one central service that offers both citizen identity proofing and multi-factor authentication. The Federal Cloud Credential Exchange (FCCX), now Connect.Gov, may well be that service. It is set to launch in 2015 and will enable citizens to use existing credentials for access to government sites.
The majority of the credentials Connect.Gov will accept are level one, self-asserted identities, but there are a handful of credentials that have more assurance behind them, including PIV, PIV-I, Verizon and ID.me.
ID.me hopes that agencies create systems to enable the use of the same credentials, says Ryan Fox, chief product officer at the company. “I hope that agencies use the guidance and look at what’s been done with the National Strategy for Trusted Identities in Cyberspace and don’t go out and do their own thing,” he explains. “The objective here is interoperability and privacy enhancing technologies, not taller walls and deeper moats.”