One trusted virtual ID per person when logging into government websites

Sep 17, 2014 | 5 mins
Data and Information Security, Microsoft, Security

NSTIC wants users to have one virtual ID: a single username and password to rule them all, working as a trusted login identity across all government sites.

Although 2014 is the first year for the Global Identity Summit, which is currently in full swing in Tampa, you might recall the conference under a different name as it was formerly the Biometrics Consortium Conference. It was the main event of the U.S. government-sponsored Biometric Consortium, a consortium co-chaired by the NSA and NIST (National Institute of Standards and Technology) for the “research, development, testing, evaluation and application of biometric-based personal authentication technology.”

At the Global Identity Summit, Jeremy Grant, senior executive adviser for the National Strategy for Trusted Identities in Cyberspace (NSTIC), explained how “passwords are killing us.” And as a whole, netizens are pretty terrible at choosing passwords and at not reusing them. But is the answer a virtual ID, a cross between “one password to rule them all” and one Internet driver’s license per person that would work on government websites?

While discussing how much work still remains before verifying “identities online in a way that would allow for online voting and other government services,” Sean Kanuck, national intelligence officer for cyber issues at ODNI (Office of the Director of National Intelligence), talked about moving to “virtual IDs.” He added that there is a push “to ‘get to the point where identification confirmation can be flexible yet strong’ and to where virtual IDs will mature to the point of being legal personas.”

Regarding such a legal persona, a trusted virtual ID, NSTIC wants to make it so that “users will not have to release personal information or create new passwords to log on to multiple websites. A ‘trusted’ third-party — such as Verizon or PayPal — would register your personal information once to create a password, fingerprint scan or other account-login mechanism. Each time you wanted to sign in to H&R Block or another online vendor, for example, you would enter that same ID.”

Nextgov added that the government’s portion of the trusted ecosystem will be called; it will be “a login screen for citizens that ultimately will pop up on every secured federal form and website, according to agency planners. The name of the new initiative has not been publicly announced. The tool, ultimately, will validate credentials from a variety of approved ID providers, such as Google.” Several other government agencies are expected to follow within 18 to 24 months, but the entire project will not be “fully realized until after 2020.” Oddly, “the U.S. Postal Service will operate the backbone of the tool — currently named the Federal Cloud Credential Exchange.”

Yet Grant, who believes “passwords are killing us,” also told Nextgov that the private sector is being called upon to develop it. “The government actually doesn’t have control here,” he said. “We’re not building any new system.” Many questions remain unanswered; one of the most important is who will be liable if – perhaps when – the system is compromised.

An online legal persona implies that a user’s identity is completely trusted as belonging to the person logging in. If a browser saves the username/password combo, anyone with access to that browser could use it to sign in.

Duane Blackburn, Global Identity Summit conference co-chair and science and technology analyst at MITRE, summed up what identity is. “The first of these puzzle pieces are what make up biometric factors: your fingerprints, your irises, your facial features, your vein patterns and your voiceprint. Biographical identity factors tell more of the story: your name and your birth date. Contextual factors in a person’s identity are more nuanced and include amorphous details including education, residences, employers, relationships, financial data, media consumption, passwords and devices. Taken as a whole, these three pieces of identity add up to a person.”

Yet Signal Online said to “forget fingerprints” before listing numerous different biometric identification methods that help officials “track you.” Some examples include a tool that “combines facial recognition with a breathalyzer so that in addition to capturing blood alcohol content, the device can send a photo of the person to a repository website.” There’s technology that “converts sketches of suspects to retrieve photos of individuals. Facial recognition also is advancing to use only part of the face to make identifications.” Fingerprint biometrics may become yesterday’s news as there is work “advancing identifying finger veins.” Others believe “secure gesture authentication” is the future.

The article didn’t mention gait-recognizing cameras, currently installed in an Amsterdam airport, that are “designed to recognize certain ‘suspicious behaviors,’ such as running, waving your arms, or sweating.”

Cameras imply recording video, an increasingly important tool for the FBI. During a Global Identity Summit keynote, Amy Hess, the FBI’s executive assistant director for science and technology, said, “There is never such a thing as enough evidence.” And the old saying, “pics or didn’t happen,” is for the FBI more along the lines of “if it isn’t on video, it didn’t happen,” Hess said. Scott Swann, Special Assistant to Hess, also hammered home the importance of investigative video analytics by adding that “video will become a routine part of almost all daily investigations.”

It’s doubtful video will become a piece of the virtual ID which will act like a legal persona, but it’s unclear what will be required. If it’s nothing more than one username and password that works across all government sites, what happens when the system gets hacked?

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.