
Simplifying User Authentication in the Government Sphere

The audience can be sparse in the last session of the last day of a three-day conference, but we were glad we stayed until the bitter end of AFCEA’s Homeland Security and Federal Identity Forum, held in Washington, DC in September 2017. For three days, we considered identity complexity from two opposite angles: uncovering hidden identities (e.g., criminals) and protecting online identities (e.g., citizens accessing government services).

The simplest improvement in identity protection has come in the form of NIST’s new password policy, published in June 2017 (NIST Special Publication 800-63B). Gone are the hard-to-recall, random lowercase/uppercase/number/special character combinations that must be changed every 90 days. Usher in the passphrase—easier to remember and much harder to break, especially with NIST’s recommendation to allow at least 64 characters and include spaces. “Steeler fans love an easy passphrase.” NIST also focuses on increasing multi-factor authentication, ideally by offering several options so users can pick the ones that suit them best.
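The policy change described above, sketched as an added example that is not from the conference or from NIST: a legacy composition rule beside a length-and-blocklist check in the style of SP 800-63B. The 8-character minimum, the blocklist comparison and the NFKC normalization come from SP 800-63B rather than from this post; the function names, the blocklist contents and the case-insensitive comparison are assumptions made for illustration.

```python
import re
import unicodedata

MIN_LEN = 8    # SP 800-63B minimum for user-chosen secrets (not stated in the post)
MAX_LEN = 64   # the post: allow at least 64 characters; a higher limit is also fine

# Constructed stand-in for a list of compromised or commonly used passwords.
BLOCKLIST = {"password", "p@ssw0rd1!", "qwerty123", "letmein2017"}


def legacy_policy(pw: str) -> bool:
    """The kind of rule the post says is gone: 8+ chars, four classes, no spaces."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9\s]")
    return len(pw) >= 8 and " " not in pw and all(re.search(c, pw) for c in classes)


def nist_policy(pw: str, max_len: int = MAX_LEN) -> tuple[bool, str]:
    """Length and blocklist checks only: no composition rules, spaces allowed."""
    pw = unicodedata.normalize("NFKC", pw)  # normalize Unicode before measuring
    if len(pw) < MIN_LEN:                   # each code point counts as one character
        return False, "too short"
    if len(pw) > max_len:
        return False, "too long"            # reject outright, never silently truncate
    if pw.casefold() in BLOCKLIST:          # case-insensitive match is an assumption
        return False, "on blocklist"
    return True, "ok"


def compare(candidates: list[str]) -> list[tuple[str, bool, bool, str]]:
    """Return (candidate, legacy verdict, NIST-style verdict, reason) per input."""
    rows = []
    for pw in candidates:
        accepted, reason = nist_policy(pw)
        rows.append((pw, legacy_policy(pw), accepted, reason))
    return rows


if __name__ == "__main__":
    # Constructed inputs; the passphrase is the one quoted in the post.
    samples = ["P@ssw0rd1!", "Steeler fans love an easy passphrase.", "abc 12"]
    for pw, legacy_ok, nist_ok, reason in compare(samples):
        print(f"{pw!r:42} legacy={legacy_ok!s:5} nist={nist_ok!s:5} ({reason})")
```

The two policies disagree in both directions: the composition rule accepts a well-known password and rejects the passphrase, while the length-and-blocklist check does the opposite.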

It’s always interesting to hear from a Google insider. The second presenter spoke of Google’s transition to FIDO U2F security keys for their employees’ online access. You plug the key into your device, enter a user-identified password, touch a button and you’re in. At Google it reduced costs by eliminating maintenance issues and increased security by reducing outside attacks. The keys are an inexpensive investment for achieving multi-factor authentication. They are cheap enough that each employee can have backup keys—backup plans are where many authentication policies weaken back to single factor. Could FIDO U2F keys be another approach for government agencies to implement multi-factor authentication? It harkens back to RSA tokens, but simplifies and updates the approach with open source technology.

We also heard from a vendor called ID.me, which designed a product that creates a digital identity for an individual, meant to reduce the number of security holes where thieves and fraudsters can push in. They have integrated with a Veterans Administration (VA) website that provides citizen services, making it easier for people in far-flung locations and across many demographics to apply for and receive VA services. Login.gov is a shared identity service, created by the General Services Administration (GSA), available to government entities to incorporate into their public-facing systems. It provides code libraries for re-use to support quicker implementations and robust documentation for developers, and it supports SAML and OpenID Connect. It is currently being used at Customs and Border Patrol (CBP).

Simplification and user focus came through as the central themes for user authentication modernization. How do we find new technologies to strengthen the fortress around our digital identities, brick by brick, one step ahead of those wielding the pickaxes? How do we make it easy for users to engage more seamlessly with our systems? Industry and government entities have recognized that maintaining multiple accounts with hard-to-remember passwords is a stark weakness of our current mindset and have set about offering new ideas for the decade to come.