Page 55 - FCW, Nov/Dec 2017
The future of identity management
The holy grail is creating services that are secure yet seamless for the user and save money for the agency on the back end. As one participant put it: “It’s all about the user experience. We’re trying to make sure that from start to finish they feel like they’ve gotten a good experience and a safe experience interacting with our agency.”
But achieving that frictionless experience for the public has proven to be a challenge because, as one executive put it, “People will give up to Facebook in a heartbeat what they would never give up to the government.”
A participant told the story of visiting his daughter at college and discovering the depth of the students’ animosity toward the college’s requirement for two-factor authentication. “Her friends said, ‘It stinks. We’ve got to log in twice to download our stuff.’ They’re willing to give out all of their information to everybody, and security doesn’t even seem like it’s a factor. Asking them to secure something was like, ‘Whoa, why would we do this?’ It was really a shock to me.”
“That sounds like a classic usability scenario to me,” another participant said. “I bet if you asked her if she minds using her fingerprint on her phone, she’s not going to say a word because it’s a better-designed approach. Now with facial recognition coming on these devices, it looks even more interesting from a usability perspective.”
Another participant said meeting the demand for secure, seamless access involves having the right level of security for the time and place.
“It’s ultimately about context,” he said. “Who is that person, what’s their device, what do we know about it? Where are they coming from, what are they doing, how does that match their pattern? And how do we use all that data in near-real time to make a decision on the risk of this particular transaction and do it in a seamless fashion? This is what identity management has to be focused on now.”
Another colleague agreed, saying: “The irony is that millennials are using a PIV card every day because the mobile devices have become more capable and sport these features and capabilities baked into the user experience. These devices or other mechanisms that become part of the identity chain are unobtrusive, invisible, yet present. They themselves have an identity.”
Many participants said they were looking forward to the General Services Administration’s login.gov shared service as a way to make credentialing initiatives interoperable. One noted that the government had unsuccessfully tried to shift the burden to third-party credential providers in the past.
Unfortunately, “the credential providers that everyone uses — Facebook and Google — didn’t meet the government’s standards, and the ones that did meet the standards no one had ever heard of or used,” he said. “So that fizzled out, and now we’re back to what seems like a government-centric login.gov approach.”
He predicted that the next step will be incorporating users’ existing mobile device credentials issued by any trustworthy party. “That’s where it’s going to go, but we can’t invent it. We can cooperate in moving it forward.”
In response to some concerns about the government’s ability to manage credentialing in a seamless way, another participant said, “To login.gov’s credit, they do care a lot about the frictionless experience and the usability of the solution. They are addressing that in a way that maybe some of the previous initiatives didn’t.”
In the end, one executive said, “you cannot overstate the importance of that friction in preventing doing the right thing. Now that we are moving out of biometrics to the place where your authentication is you versus something that represents you, I think we’re going to see a huge upswing in better identity management.”
PERSPECTIVES
Participants
John Boyd
Assistant Director, Futures Identity, Office of Biometric Identity Management, National Protection and Programs Directorate, Department of Homeland Security
James Byrne
Cyber Architect, U.S. House of Representatives
Thomas McCarty
Director, Identity Services, Department of Homeland Security
Brian Rehard
Division Chief, Customer Access and Communications Division, Defense Technology Information Center, Department of Defense
Dominic Sale
Deputy Associate Administrator, Office of Information, Integrity and Access, Office of Governmentwide Policy, General Services Administration
Charles Seymour
DOD PKI Manager, Office of the CIO, Department of Defense
Jim Sheire
Director of the Federal Identity, Credential and Access Management Program, General Services Administration
Steve White
Chief Security Officer, ForgeRock
Note: FCW Editor-in-Chief Troy K. Schneider led the roundtable discussion. The Oct. 12 gathering was underwritten by ForgeRock, but both the substance of the discussion and the recap on these pages are strictly editorial products. Neither ForgeRock nor any of the roundtable participants had input beyond their Oct. 12 comments.