We’re on the edge of a digital government revolution this year, if we can just get the identity layer on the internet right. I think I could have written that sentence over and over again in the past decade, but in 2015, there are good reasons to think that genuine change will come to pass.
Authenticating someone’s identity at a high level of certainty is key to completing many high-risk transactions, online or off. Without doing so, online banking wouldn’t work.
Establishing the required infrastructure has proven enough of a headache, however, that in the US, many federal, state, and local government agencies still are not offering transactions, services, or access to data with a high level of risk.
“The trouble is that one of the single biggest barriers to online service is account creation,” said Jeremy Grant, senior executive advisor for identity management at the National Institute of Standards and Technology and the head of the NSTIC National Program Office. “Every federal agency has got two or three services that should be online today but if you can’t confirm someone is who they are, it won’t work.”
There was at least one notable exception to this state of affairs at the beginning of 2014, when the IRS enabled Americans to download their tax transcripts over the internet. Over 17 million people did just that over the course of last year, reducing offline requests by 40% in the process. Every one of those people had to create an account in a process that closely resembled onboarding at a bank website, from establishing a username and password to choosing answers to questions about personal histories. In doing so, all of those millions of people added another set of credentials to the ever-growing list of usernames and passwords that accompany working and living online today. I wish us all luck in keeping them safe, secure, and memorable.
As I wrote last year in a column on identity, many people in (and out of) the security industry have been saying that the username/password mechanism is broken and insecure.
What currently looks most likely to replace it, albeit slowly, is multi-factor authentication and the use of existing trusted identities to log in to services. Anyone who has used Facebook, Google, or Twitter when they join a new app or service is already familiar with this metaphor for logging in without creating a new account. In 2015, it’s set to become even more well-known after the executive order focused upon improving the security of consumer financial transactions was issued by President Barack Obama in October 2014.
In Section 3 of the order, on “Securing Federal Transactions Online,” the president directed the National Security Staff, the White House Office of Science and Technology Policy, and Office of Management and Budget to present a plan “consistent with the guidance set forth in the 2011 National Strategy for Trusted Identities in Cyberspace [NSTIC], to ensure that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process, as appropriate.”
This plan, which was to outline a strategy for using multi-factor authentication to make government data available to citizens, was due within 90 days of the order, which should mean that it has already made it to the president’s desk in the Oval Office or is headed there shortly. If President Barack Obama signs off on it, technology will start coming online that will enable four federal agencies to move forward with providing meaningful digital government services this year, from passport renewal to personal health record access.
Connecting Connect.gov to identity
While the executive order may not mandate Connect.gov explicitly, the infrastructure that the placeholder site represents is closely aligned with the goals in it, according to Grant.
“If you’re sharing data, you must leverage multi-factor authentication bound to identity-proofing,” he said. “From an electronic government perspective, this is where I get most excited. It’s one thing to say you’re providing better security, but when you get identity right, it’s the great enabler. You can bring all kinds of services online you couldn’t before.”
The approach that the US and the UK are pursuing to provide trusted access is federated identity, where governments validate providers of identity that people can choose to use to access services and data.
When a user visits a government website or web service that’s plugged in to Connect.gov, they’ll see a list of identity choices, each associated with a level of assurance. Currently, Verizon, Symantec, and ID.me are the only firms that have been approved for Federal Identity, Credential and Access Management (FICAM) Level of Assurance (LOA) 3.
“FICAM LOA 3” is geekspeak for the degree of confidence with which a service can authenticate the identity of a person online. It signifies a high assurance of someone’s identity. Without such assurances, a service provider can’t confirm whether you’re a dog or a human on the internet. With it, you can get access to your data, like a tax transcript, health insurance application, or personal health record.
Why ID.me is about much more than veteran discounts
ID.me, a McLean, Virginia-based startup, won a contract to provide identity software for Connect.gov in late 2014. The Postal Service will operate the brokerage that the identity credentials go through at Connect.gov, while the website will be managed by the General Services Administration.
“If you need to access medical records, there is virtually no tolerance for errors,” said Matt Thompson, the chief operating officer and cofounder of ID.me, in an interview. “We give the user the ability to port their identity across different agencies. That means not having to manage multiple user names and passwords: it’s the same id, and we’re the trust layer.”
When ID.me started out as Troopswap, the founders were focused on getting veterans discounts, not unlike Groupon. (Both Thompson and Blake Hall, the CEO, were Army Rangers and served tours in Iraq.) It turned out a bigger play existed in verifying veteran identities online, which the startup will now do across the federal government: ID.me has raised $7.5 million in venture capital based upon that promise.
“ID.me is really a wallet, and sub-affinities, like TroopID or StudentID, are within that wallet,” said Hall, in an interview. “We think of ourselves in the context of American Express and what they did with the payment world. We can act as the identity for providers and directly issue the credential.”
By the end of 2015, more veterans should be able to do exactly that, downloading their personal data online. Hall expects their mobile devices to be the dominant method for multi-factor authentication, with an SMS, a notification, or a PIN validating a login.
Over the long term, Hall thinks that the identity space will follow a similar evolution as the payment space has.
“The top five banks represent 80% of American consumers, with networks like Visa, MC, and AMEX providing value,” he told me. “Merchants accept those kinds of cards, because those networks represent standards, trusts, and procedures. Identity looks a lot like the banks, so how do you unlock that, and make identities that are portable, integrated into organizations that want to consume identities?”
His big bet is that as ID.me continues to add relying parties, they will create a medium through which consumers and citizens can use the credentials they already have elsewhere, in the same way they used credit cards when Americard was the only option.
This baseline says something about where the US stands relative to other countries in providing digital services. Hall connected the status quo to broader problems that exist with respect to the government’s ability to execute on programs, an issue that was thrown into sharp relief with the launch of HealthCare.gov.
“We actually view the existing ecosystem as creating an opportunity,” he said.
“If the government chooses to compete, it would be a terrible outcome. This is relevant to how transparent and accountable government is. In my experience, legislation has been passed but hasn’t been executed. I was watching John Oliver on bringing interpreters back from Iraq recently. The government didn’t execute. So who’s holding them accountable? For whatever reason, corruption or bureaucratic bloat, in many ways government is broken.
Silicon Valley has funded a ton of companies focused on monetizing data for advertising. They have focused on getting data to advertisers to keep services free. The way we’ve entered the market, our model is that if consumers lose trust in us, we die.
If we don’t flip this market, we will fail as a business. Consumers should have the right to disclose their identity to a reliant party only if they choose. If we fail, we’d lose certification through FICAM and Kantara. Fundamentally, we’d lose.”
Hall doesn’t think people will prefer to use an identity credential for trusted banking, tax, or medical transactions from tech companies that have advertising-based business models.
“Our standard is capable of sending tokens through SAML 2.0, OpenID Connect, or OAuth,” said Hall, “but SAML 2.0 is currently the only one allowed. There’s a technology layer within the exchange of tokens that’s meant to prevent the provider from seeing which agencies you’re accessing. You don’t want Facebook seeing you go to different agencies and log in to the SNAP program and then serving up things in your Facebook feed related to that. This separation of visibility is like a hallway with a door on either side. When you pick a key, the identity provider knows the citizen went into the broker, but that’s all: they’re blind to what happens next.”
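To make the hallway-with-two-doors design concrete, here is an added toy simulation of a brokered login (not Connect.gov’s or ID.me’s code): the identity provider signs an assertion addressed only to the broker, and the broker re-issues it to the agency, so the provider’s own log never records which agency was visited. It uses HMAC tags in place of SAML 2.0 XML signatures, and the per-agency pseudonym minted by the broker is an assumed design detail, not something the article describes.

```python
import base64, hashlib, hmac, json

# Constructed demo keys: a real broker and IdP would use asymmetric XML signatures (SAML 2.0).
IDP_KEY, BROKER_KEY, PAIRWISE_SALT = b"idp-demo-key", b"broker-demo-key", b"pairwise-salt"

def sign(key, claims):
    """Serialise claims and append an HMAC-SHA256 tag (stand-in for a SAML signature)."""
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()

def verify(key, token, expected_aud):
    """Check the tag and the audience; a token minted for one audience is rejected everywhere else."""
    body_b64, tag_b64 = token.split(".")
    body, tag = base64.urlsafe_b64decode(body_b64), base64.urlsafe_b64decode(tag_b64)
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims["aud"] != expected_aud:
        raise ValueError("audience mismatch: %s != %s" % (claims["aud"], expected_aud))
    return claims

class IdentityProvider:
    """The credential issuer (e.g. ID.me). Its audience is always the broker, never an agency."""
    def __init__(self):
        self.log = []          # everything the IdP can observe about each login
    def authenticate(self, user, loa):
        self.log.append({"user": user, "aud": "broker"})
        return sign(IDP_KEY, {"iss": "idp", "sub": user, "aud": "broker", "loa": loa})

class Broker:
    """The hub between IdPs and agencies; re-issues the assertion under a per-agency pseudonym (assumed)."""
    def exchange(self, idp_token, agency):
        claims = verify(IDP_KEY, idp_token, "broker")
        pairwise = hashlib.sha256(PAIRWISE_SALT + claims["sub"].encode() + agency.encode()).hexdigest()[:16]
        return sign(BROKER_KEY, {"iss": "broker", "sub": pairwise, "aud": agency, "loa": claims["loa"]})

def agency_login(broker_token, agency):
    """An agency (relying party) trusts only broker-issued tokens addressed to itself."""
    return verify(BROKER_KEY, broker_token, agency)

def run_demo():
    """The same citizen logs in to two agencies through one IdP credential (constructed sample)."""
    idp, broker = IdentityProvider(), Broker()
    va = agency_login(broker.exchange(idp.authenticate("jane", 3), "va"), "va")
    irs = agency_login(broker.exchange(idp.authenticate("jane", 3), "irs"), "irs")
    return idp.log, va, irs
```

After `run_demo()`, the IdP log holds two entries whose audience is only ever "broker", while the VA and IRS each see a different broker-issued subject carrying the original LOA.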
A tipping point for trusted identities?
None of this means that anonymity will be going away online quite yet, nor that it should, or that social networks won’t still play a core role in this ecosystem for online identity. It’s just that if someone wants to complete a higher-risk transaction with the government, using a social network account like Facebook Connect or Google may no longer be the preferred option as an intermediary for some people.
“Everyone has a privacy preference curve,” said Hall. “If you want to be known, you should be able to do so in an easy, efficient way online. In the private sector and in the public sector, no one has been able to get reliant parties to come to the table until now.”
Grant described the status quo in the market for identity online and the potential impact of the US government creating a marketplace to provide credentials for accessing personal data and services.
“There has never been a shortage of firms interested in issuing identity solutions. What’s been in short supply have been companies willing to accept them. One reason we have focused so much on Connect.gov is that we’ve heard from a lot of private sector partners that what you’re saying makes sense but hasn’t been done before. If government can do it with its own applications, it assures the market that this is something that can be trusted — a lot of organizations don’t want to be first. ID.me, in particular, has had really good success signing up online service providers.”
In the long run, succeeding in this federated approach could end up mattering to more than veterans or passport holders.
“This is infrastructure that touches literally everyone on the internet,” said Grant. “The number one complaint I hear is that ‘I have all of these passwords and can’t remember them.’ So, how do you build an identity layer that makes things better? How do you get better tools into people’s hands? You make sure they are security and privacy-enhancing. Identity is central to everything. We’re trying to drive services in the cloud and release the power of big data without the associated harms.”
One question that’s come up again and again about NSTIC when I’ve talked with people about it over the years is what role the federal government should have in the marketplace for identity providers. After all, federal agencies like the U.S. Postal Service, Internal Revenue Service, and Social Security Administration “know” quite clearly who citizens are, to say nothing of law enforcement and intelligence agencies.
Across the Atlantic, Estonia has been lauded as the “world’s most tech-savvy government,” with a personal electronic ID that enables every one of its 1.3 million inhabitants to use advanced digital services. As I wrote last year, in my column on online identity, most European countries are pursuing national identity cards. India is rolling out a universal identity program, providing a 12-digit Aadhaar number to hundreds of millions of people that can be verified through a fingerprint and text message. The United States, however, has a long history of privacy and civil liberties advocates across the ideological spectrum opposing a national ID card.
“I think Americans want choice,” said Thompson, when asked whether multiple providers of identity for accessing government services makes sense. “We always want choice in what we do. It’s inherent in our culture. The important thing here is giving the users choice and enhancing privacy as well.”
Hall, for his part, said that Estonia is an exception, and that while it looks super-efficient from the outside looking in, concerns about surveillance in the US mean a similar approach wouldn’t work here.
“People don’t trust government,” he said. “While Social Security has this information by definition, with de facto identity registration, if the government delivered the service, it might be adequate but it wouldn’t be a great user experience. If you set up an ecosystem that enables choice, you’ll get a better outcome. There is something that’s inherently American about the way we take on risk. If you look at Europe or Japan, the stigma for failure is much different than in the USA.”
Down the road, Grant says it’s likely that at least one government entity will be an option for the public to select as an identity provider for a given service, but that many agencies don’t want to be in that business.
“This comes up a lot,” he said. “NSTIC goes well beyond government services. When it comes to private sector transactions, some firms would like to have government standing behind credentials. NSTIC envisions that this identity ecosystem will be led by the private sector but doesn’t rule out government playing a role. Multiple agencies have credential systems, and if they follow standards, they should be interoperable. A couple of them are having those conversations. Conversely, some are asking why should we be in the identity business at all.”
If Uncle Sam can enable citizens to use a single trusted identity credential across multiple agencies, it would ease a lot of the headaches people currently encounter online. Memories of the difficulties millions of Americans faced trying to create new accounts on HealthCare.gov in the fall of 2013 no doubt linger nationally.
“Let’s say I’m a vet back from Afghanistan for a couple years, and a student, and a taxpayer,” he said. “Right now, to do a high-risk transaction, I have to get a different credential from the VA, IRS, and Social Security.”
The need for government efficiency and cost savings also supports establishing a trusted identity that can be used to access data and services across multiple agencies.
“It’s not affordable to government to keep issuing credentials,” said Grant. “Why should government pay vendors four different times over the year to issue them to the same person? My forecast is that in a few years, you’ll see a very vibrant marketplace. It may be mobile providers, it may be government, it may be startups. If they are using the right standards, suddenly we will have this new market of interoperable credentials.”
Grant said that the Department of Veterans Affairs and the State Department have “pretty good commitments” to adopting NSTIC this year.
“11 months from now, we should be able to show how a single credential can be used by a citizen to renew a passport online without visiting an office,” he said. “That’s never been available online before because identity has never been solved.”