Ditch Your Passwords -- US Gov To Issue Secure Online IDs
SecureKey, based in Toronto, today announced it has been awarded a contract by the USPS to provide a cloud-based authentication infrastructure.
Get ready for a new set of abbreviations -- this is part of some federal programs that have been underway for several years, mostly below the radar -- at least this is the first I have heard of it despite being an avid reader of tech publications. But apparently a lot of people have been working on this -- some of the relevant Web sites and information sources are listed below.
The Federal Cloud Credential Exchange (FCCX) is designed to enable individuals to securely access online services--such as health benefits, student loan information, and retirement benefit information--at multiple federal agencies without the need to use a different password or other digital identification for each service. The first federal agency to use it will be the Veterans Administration.
SecureKey already operates a trusted identity service in Canada. Andre Boysen, chief marketing officer for SecureKey Technologies, said that Canadians using identification keys provided by one of five participating Canadian banks can connect with 120 government programs online with no additional user names or passwords for everything from benefits queries to fishing licenses. He compared the identification network concept to payment networks.
"Like payment networks, you have providers and subscribers, and it provides an easier way for consumers to get benefits," he said. "The challenge for governments is they can't authenticate because they can't see the users."
This is part of implementing President Obama's National Strategy for Trusted Identities in Cyberspace (NSTIC) and the federal government's policies and procedures under its Identity, Credential and Access Management (ICAM) program.
The identity gurus have an active organization and Web site at www.idecosystem.org which posted this note:
"The National Strategy for Trusted Identities in Cyberspace (NSTIC), signed by the President in April 2011, states, 'A secure cyberspace is critical to our prosperity.' This powerful declaration makes clear that securing cyberspace is absolutely essential to increasing the security and privacy of transactions conducted over the Internet. The Identity Ecosystem envisioned in the NSTIC is an online environment that will enable people to validate their identities securely, but with minimized disclosure of personal information when they are conducting transactions."
SecureKey said it was chosen by the USPS for its innovative federated authentication platform, SecureKey briidge.net Exchange. This cloud-based authentication and credential brokerage service is at the heart of the Federal credential program, enabling it to easily and cost-effectively broker user credential management capabilities instead of having to create and manage an authentication infrastructure robust enough to handle tens of millions of citizens by itself.
The cloud-based service follows federal guidelines to protect privacy, said SecureKey, although exactly what that means after the Snowden revelations is not clear. The credential exchange will be designed to transmit credential information securely without knowing users' actual identities. It will also limit the ability of third-party credential providers and the federal agencies relying on their credentials to track citizens' transactions among agencies.
The SecureKey program is designed to connect identity providers--such as banks, governments, healthcare organizations, and others--with consumers' favorite online services through a cloud-based broker service. The platform allows identity providers and online services to integrate once, reducing the integration and business complexity otherwise incurred in establishing many-to-many relationships. The company said it reduces credential management costs for online service providers, while removing user sign-up barriers, preserving user privacy, and providing convenience.
One agency that could see large benefits is the IRS. A study (http://www.nist.gov/director/planning/upload/report13-2.pdf) by the National Institute of Standards and Technology (NIST) estimated
Boysen said the IRS is a great example of the value of a single user credential usable across multiple agencies. Most people interact with the IRS just once a year, so remembering a user name and password would be difficult. Meanwhile the IRS estimates it loses $5 billion a year to fraud such as paying out rebates to stolen identities.
By using third-party authentication like SecureKey rather than developing its own program, the IRS would save $40 million to $111 million in adoption costs and another $2 million to $19 million in annual maintenance costs, the study estimates.
The study did not claim it would save the IRS from identity fraud but said it would make it much easier for the agency to identify citizens and exchange information with them without subjecting them to identity theft. Identity theft affected over 8 million Americans and cost over $30 billion, according to a 2011 Javelin study.
"Public and private sector organizations are spending billions of dollars trying to prevent unauthorized access to their IT systems and to mitigate the damage when unauthenticated access occurs."
The study said users are tired of all the requests for registration from Web sites. One report found that 77 percent of users change their behavior when asked to register online, with 60 percent leaving the site.
"Beyond being frustrating to internet users, this situation also represents a loss of business for companies."
The UAE has a similar program to develop secure IDs for its citizens. I wrote about it for Banking Technology magazine (http://www.bankingtech.com/142841/identity-and-mobile-figure-large-at-payments-and-cards-event/) after a conference in Dubai earlier this year.