Page 28 - FCW, Nov/Dec 2016

ExecTech
digital identities, digital authentication, I think the government really needs to look at it as an investment in infrastructure. Rather than making it a reimbursed shared service, it should just be something the government funds.”
What’s next
Still, Kerber said, the outlook is encouraging. “We’re in the process of improving, and I think we’re starting to understand our security gaps,” she added.
NIST is attempting to move the work forward with a revision to its Special Publication 800-63, which outlines best practices for identity management. The revised document will be open for public comment soon.
Garcia said a good approach to ID management should be multimodal. Using the Washington, D.C., subway system as an analogy, he noted that most riders use escalators to get to different levels of a station while some use elevators. When elevators are out of service, the system provides a shuttle bus to a nearby station that has working ones. (The Defense Department is already moving toward such an approach for its personnel; see “DOD looks beyond Common Access Cards.”)
Similarly, an authentication method could require a smartphone, but there must be an alternative process for those who don’t have a smartphone.
“We haven’t really adopted that as simply the way life is for many of these online services,” Garcia said. “You can’t do it the same way for everybody. It just won’t work.”
Future-proofing is another key aspect of the revisions to SP 800-63, he added. For example, instead of specifying the pieces of evidence that an agency can use to verify a visitor’s identity, the revised publication will describe the characteristics of good evidence.
“Over time, if other types of evidence emerge or existing types of evidence change, they can move between them by the way they innovate without us having to come back and point to it again,” he said.

“When they look at digital authentication, I think the government really needs to look at it as an investment in infrastructure. Rather than making it a reimbursed shared service, it should just be something the government funds.”
Jennifer Kerber, Grant Thornton
GSA’s efforts are also encouraging, though not yet proven in practice. The Login.gov team is trying to learn from the Connect.gov experience, Garcia said, and the changes could represent real improvements if they work. “Our office was a big proponent of the Connect.gov approach,” he added. “There are some differences with the way Login.gov is currently implemented.”
According to 18F, Login.gov builds on groundwork that Connect.gov laid, along with NIST, the White House’s Cybersecurity National Action Plan and GSA’s Federal Acquisition Service. It uses a combination of public and private identifiers to create a single sign-on account for each user, adding multifactor authentication to enhance the basic password paradigm.
Importantly for privacy, Garcia said, the Login.gov approach relies on existing commercial credentials to establish the user’s authentication but does not store the data.
“The government does not have to create a new account and manage your information. There is no warehouse of personal information,” he said. “We do prefer to see leveraging of commercial credentials as a matter of choice. We don’t have a problem with creating a government credential as well.”
According to a system of records notice that GSA published in the Federal Register in August, Login.gov will ask only for information needed to provide the appropriate level of security. For access to information that requires only Level of Assurance 1 (LOA1), the system will ask for a username, password and phone number. For LOA3, to gain access to more sensitive personal information, additional factors such as Social Security numbers and financial and credit information will be required.
Once the user has been authenticated, the system assigns a meaningless, unique number to the data. The user can then be granted access to an agency website without providing the sensitive personal information again. GSA’s partner agencies have access to the personal information only with the visitor’s permission.
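The broker behaviour described above, as an added illustration that is not GSA or 18F code: an agency receives an opaque, meaningless identifier and an assurance level rather than the user’s personal data, and proofing attributes are released only to agencies the user has consented to. The assurance-level gate at login, the HMAC-derived per-agency identifier (so two agencies cannot correlate the same user, which goes beyond the single number the article mentions), the factor sets per level and the consent record are this example’s own assumptions, not Login.gov’s design.

```python
"""
Illustrative model of a Login.gov-style identity broker (added example, not
GSA/18F code). The agency sees an opaque identifier and the proven LOA, never
the PII; attributes flow only after the user consents. The LOA gate, the
HMAC pairwise id, the factor table and the consent set are assumptions.
"""
import hashlib
import hmac
import secrets
import uuid
from dataclasses import dataclass, field
from typing import Optional

# Assumed factor sets per level, following the article's reading of the
# system of records notice: LOA1 needs username, password and phone; LOA3
# additionally needs identity-proofing data such as an SSN.
REQUIRED_FACTORS = {
    1: {"username", "password", "phone"},
    3: {"username", "password", "phone", "ssn", "financial"},
}


@dataclass
class User:
    username: str
    loa: int                       # highest assurance level proven at enrollment
    attributes: dict               # proofing data held for the user (assumption)
    consent: set = field(default_factory=set)   # agencies allowed to see attributes
    subject_id: str = field(default_factory=lambda: uuid.uuid4().hex)  # meaningless number


class IdentityBroker:
    def __init__(self, pairwise_key: Optional[bytes] = None):
        self.users = {}
        # Secret used to derive per-agency identifiers; random per deployment.
        self.pairwise_key = pairwise_key or secrets.token_bytes(32)

    def enroll(self, username: str, loa: int, provided: dict) -> User:
        """Enroll at the requested LOA, refusing if required factors are missing."""
        missing = REQUIRED_FACTORS[loa] - set(provided)
        if missing:
            raise ValueError(f"LOA{loa} enrollment missing: {sorted(missing)}")
        # Retain only proofing attributes; the password is never stored here.
        attrs = {k: v for k, v in provided.items() if k in ("ssn", "financial", "phone")}
        user = User(username=username, loa=loa, attributes=attrs)
        self.users[username] = user
        return user

    def pairwise_id(self, user: User, agency: str) -> str:
        """Opaque id: stable for one agency, different for every other agency."""
        msg = f"{user.subject_id}|{agency}".encode()
        return hmac.new(self.pairwise_key, msg, hashlib.sha256).hexdigest()

    def assert_identity(self, username: str, agency: str, required_loa: int) -> dict:
        """What an agency receives after login: opaque id plus LOA, no PII."""
        user = self.users[username]
        if user.loa < required_loa:
            raise PermissionError(f"{username} proved LOA{user.loa}, needs LOA{required_loa}")
        return {"sub": self.pairwise_id(user, agency), "loa": user.loa}

    def release_attributes(self, username: str, agency: str, requested: list) -> dict:
        """Attributes go only to agencies the user has explicitly consented to."""
        user = self.users[username]
        if agency not in user.consent:
            raise PermissionError(f"{username} has not consented to release to {agency}")
        return {k: user.attributes[k] for k in requested if k in user.attributes}


def demo() -> dict:
    """Run the flow on constructed sample data and return the observable results."""
    broker = IdentityBroker(pairwise_key=b"fixed-demo-key")  # fixed only for repeatability
    broker.enroll("alice", 3, {"username": "alice", "password": "pw", "phone": "202-555-0100",
                               "ssn": "000-00-0000", "financial": "acct-1"})
    broker.enroll("bob", 1, {"username": "bob", "password": "pw", "phone": "202-555-0101"})
    a_irs = broker.assert_identity("alice", "irs", 3)
    a_ssa = broker.assert_identity("alice", "ssa", 3)
    try:                                   # LOA1 user must not reach an LOA3 service
        broker.assert_identity("bob", "irs", 3)
        bob_blocked = False
    except PermissionError:
        bob_blocked = True
    try:                                   # no consent recorded yet: release must fail
        broker.release_attributes("alice", "irs", ["ssn"])
        released_without_consent = True
    except PermissionError:
        released_without_consent = False
    broker.users["alice"].consent.add("irs")
    released = broker.release_attributes("alice", "irs", ["ssn", "financial"])
    return {
        "irs_sub": a_irs["sub"],
        "ssa_sub": a_ssa["sub"],
        "bob_blocked": bob_blocked,
        "released_without_consent": released_without_consent,
        "released": released,
        "sub_leaks_pii": any(p in a_irs["sub"] for p in ("alice", "000-00-0000")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The HMAC over the internal subject number and the agency name is what keeps the identifier meaningless to the agency: it cannot be reversed to the user’s data, and the same user appears under a different identifier at every agency, so partner sites cannot join their records without the user’s consent.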
However, Login.gov might face a big hurdle that also tripped up Connect.gov.
“The business model is awfully difficult,” Garcia said. With Connect.gov, “we think we really nailed the technology, and it was a massive improvement over agencies’ own solutions, but it was difficult to [develop] a cost-recovery model. You want the costs to be shared across agencies, but that’s hard to do. If you can get over that hump, that’s a huge gain.”