Page 26 - FCW, Nov/Dec 2016

ExecTech
ID management without the Big Brother baggage
The government has been trying for years to balance privacy, convenience and security for agencies’ online customers. Can the latest efforts finally get traction?
BY MICHAEL HARDY
This Facebook game seems like harmless fun: Derive your “porn name” by combining the name of your first pet and the name of the first street you lived on. You and your friends take turns posting the hilarious results — Fritz King for yours truly, for example, perhaps co-starring with Snowball Elm and Bruiser 5th Avenue.
But when you sign up for a new account on a website, you often have to choose challenge questions — such as the name of your first pet or the name of the first street you lived on. Although most people who share such amusements mean no harm, they expose information that identity thieves could use to hack into accounts.
The federal government is struggling with identity management for public-facing websites, and the example above highlights one of the key difficulties — teaching people to protect such seemingly innocuous information.
The General Services Administration’s 18F is leading the charge with Login.gov, an effort to create an authentication platform for agencies to share that would lead to a uniform approach rather than dozens of separate systems. Login.gov will replace GSA’s earlier effort, Connect.gov.
Why it matters
Americans entrust various agencies with the kinds of personal information that identity thieves love to steal. It is incumbent on government, therefore, to safeguard the data, and recent high-profile breaches show how hard it can be.
In 2015, for example, the IRS’ Get Transcript application was compromised by hackers who used information gleaned elsewhere to access more than 700,000 taxpayer accounts.
Identity management is the cornerstone of digital government, said Jennifer Kerber, former director of Connect.gov and now a director at Grant Thornton.
However, asking people to create a separate username and password for each site they visit quickly becomes onerous. It’s not just the government; people have credentials for every account they maintain, whether it’s for the IRS or iTunes, Medicare or Amazon. Eventually, most people default to applying just one or two passwords to every account they open or writing down dozens of strong passwords. Neither practice constitutes good security.
Fundamentals
Kerber said the government needs to go beyond usernames and passwords, and she cited studies showing that many data breach attempts succeed because legitimate users rely on weak, easily guessed passwords or never reset a system from a default password.
Meanwhile, the ease with which many internet users give up information such as their first pet’s name means that knowledge-based authentication — verifying identity with questions that only