The future of credentialing in the U.S. government

The Defense Department CIO claims the DoD’s smart card will be replaced in the next two years by an agile, multi-factor authentication system

In June Defense Department CIO Terry Halvorsen told a conference crowd that the Common Access Card – the smart card that enables Defense employees to access computer networks and physical facilities – will be gone in the next two years.

It would be replaced with an “agile,” multi-factor authentication system. The cards would be replaced by “some combination of behavioral, probably biometric and maybe some personal data information that’s set from individual to individual.” The sole use of the smart card would be for physical access control.

There is no mistaking what Halvorsen said, and he doubled down on the comments the following week. But others argue that the reality is much different and that the Common Access Card and the PIV used by other federal agencies aren’t going away. For that to happen, HSPD-12, the directive signed by President George W. Bush calling for a standard and interoperable credential across all agencies, would have to be repealed, according to government sources.

There’s also a question of budget, says one government insider. It would take at least two years for any new type of authentication system to be properly funded. The other problem is that any behavioral, continuous biometric systems – such as the one Halvorsen mentions – would have to go through thorough, time-consuming testing and certification before being used by federal agencies.

Halvorsen’s comments do allude to a changing future. While the federal government is unlikely to stop issuing smart cards anytime soon, there will be an increased focus on the use of other approaches to authentication, including derived credentials on mobile devices that can secure access to data and enable digital signing of emails.

But the smart card will persist, says one government official. Nothing can replace the security and convenience of smart cards in a desktop work environment. There is also pricing leverage with the smart card. As it’s used for more applications – both physical and logical – the relative cost of the credential goes down.

The mobile device will play an increasingly prominent role in identity and authentication as the years pass, but it will take a culture shift to kill the card form factor, says Steve Howard, principal at Endeavor Blue LLC. “People are used to seeing the physical badge when you’re walking around,” he explains. “It’s so ingrained in people that it isn’t going away anytime soon and nothing can replace that.”

With conflicting opinions as to the smart card’s role in the government enterprise, we asked several identity experts to share thoughts on the future of identity and authentication in the federal government.

The Future of Identity

Mike Garcia and Paul Grassi, NSTIC NPO

The future of identity depends on use case. Here at the NSTIC offices, we focus primarily on consumer identity across a range of services, from low assurance/low risk to high assurance/high risk. We also dabble in government and enterprise identity, both just as important and flush with awesome possibilities as it relates to new innovations. But we’ll keep it succinct and let other experts cover the enterprise.

In many instances, high assurance/high risk transactions mean the relying party wants to know the actual carbon-based unit behind a digital identity. This is often quite legitimate, but should not be the default when an affirmed attribute would suffice for delivering the service.

We see the following as the new normal:

Bring your own

This isn’t completely new to the identity industry, but we can’t emphasize enough how important it is. Market-driven, innovative technologies that users can pick based on their likes and risk tolerance are what we want and where we believe the market is headed.

Organizations, in and out of government, need to get out of the business of issuance and into the business of acceptance. There is less customer friction here – I definitely don’t want another username, password, AND second factor. This also results in cheaper operational and compliance costs for the organizations that embrace this approach. This will only get more attractive to consumers as smart organizations build usability into their solutions without sacrificing security.

Attributes, not identity

The digital economy needs validated attributes, and doesn’t need to validate them over and over again as consumers move from service to service. We also don’t need to share everything about ourselves to make a purchase or apply for a benefit or service. Pseudonymous identity should cut it so long as verified and validated attributes ride along with that pseudonym.

Claims, not attributes

As an extension of that, the use of attributes rather than full identity will shrink to attribute claims, or partial or derived release of an attribute value. The classic example of this is having an attribute provider assert “age >= 21” rather than “birth date = January 1, 1950”. Again, service delivery may not depend on a full date of birth, so why ask for it?

We’re doing our part in shifting to this model in draft 800-63C. Section 6.4 addresses protecting information and levies the following requirements onto relying parties and credential service providers: “The relying party shall, where feasible, request attribute claims rather than full attribute values. The credential service provider shall support attribute claims.”

User centricity

We were just talking in the office about how we don’t emphasize this aspect of the NSTIC nearly enough. User centricity has two components, with one building off the other.

Users will have more control of their information. They will still be asked to provide information to obtain a service or benefit, but they will be able to challenge a relying party that is asking for too much.

Today, if a relying party asks for too much, the user either gives the data away or doesn’t get the online service. In the future, the user can digitally communicate that “my full birthdate is beyond the need of this service, but I’m willing to tell you my age or maybe just that I am older than the minimum required age.”

So long as the information is enough to fulfill the transaction, it should go forward. The relying party will be able to pivot from its original request, and work with the information granted by the user to provide the service. Today if you don’t consent to release the specifically requested attribute, you’re dead in the water – dropping off the service is your only option. In the future, options will exist.

The second component is how this information will be supplied. Our digital wallets, on a mobile phone or other device, will contain digital attributes and identity. The relying party will go to the user to obtain the data necessary for a transaction. A direct connection to an attribute provider or broker will no longer exist. The data will be validated and cryptographically protected so the user can’t tamper with attributes that have been validated by others, for example that they’ve obtained a degree from a particular university, but he or she will control when, where, and to whom it goes. And he or she will be able to pull it back when they want.
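One way to model the attribute-claim and user-centric release flow described in the “Claims, not attributes” and “User centricity” sections: the provider validates a birth date once and issues signed claims (the full value, the age, and “age over N” predicates), the user’s wallet releases only what the user consents to, and the relying party pivots to whichever verified claim still proves “age >= 21”. This is an added example, not NSTIC code and not anything from draft 800-63C; the claim names, the HMAC key standing in for the provider’s signature, and the sample dates are constructed assumptions.

```python
import hashlib, hmac, json
from datetime import date

# Constructed key (assumption): stands in for the attribute provider's signing key; a real
# deployment would use a public-key signature so the relying party never holds a secret.
ISSUER_KEY = b"constructed-attribute-provider-key"

def sign_claim(name, value):
    """Attribute provider binds claim name and value together under its key."""
    body = json.dumps({"name": name, "value": value}, sort_keys=True).encode()
    return {"claim": {"name": name, "value": value},
            "sig": hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()}

def verify_claim(signed):
    """Relying party checks the provider's tag; an edited or relabeled claim fails."""
    body = json.dumps(signed["claim"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])

def age_on(birth_iso, today_iso):
    """Whole years between two ISO dates, counting the birthday only once reached."""
    b, t = date.fromisoformat(birth_iso), date.fromisoformat(today_iso)
    return t.year - b.year - ((t.month, t.day) < (b.month, b.day))

def issue_wallet(birth_iso, today_iso, thresholds=(18, 21)):
    """Provider validates the birth date once and issues the full value plus derived claims."""
    age = age_on(birth_iso, today_iso)
    wallet = {"birth_date": sign_claim("birth_date", birth_iso), "age": sign_claim("age", age)}
    for t in thresholds:
        wallet[f"age_over_{t}"] = sign_claim(f"age_over_{t}", age >= t)
    return wallet

def wallet_release(wallet, requested, user_allows):
    """User-centric release: only claims the user consents to leave the wallet."""
    return {n: wallet[n] for n in requested if n in user_allows and n in wallet}

def rp_decide(response, minimum_age, today_iso):
    """RP pivots from its request: any verified claim proving age >= minimum_age suffices."""
    if not all(verify_claim(s) for s in response.values()):
        return False  # a single tampered claim fails the whole response closed
    values = {s["claim"]["name"]: s["claim"]["value"] for s in response.values()}
    if f"age_over_{minimum_age}" in values:
        return bool(values[f"age_over_{minimum_age}"])
    if "age" in values:
        return values["age"] >= minimum_age
    if "birth_date" in values:
        return age_on(values["birth_date"], today_iso) >= minimum_age
    return False
```

Because the claim name is inside the signed body, a wallet cannot pass an “age over 18” claim off as “age over 21”, and editing a value invalidates the tag.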

Self-destructing data, not data proliferation

Speaking of pulling data back, attribute information will ride along with metadata. Organizations may not interrogate any or all of the metadata, but if it doesn’t exist, the organization will throw it out or accept accountability – and the potential negative impact – of handling unlabeled data.

The data will also know what its usage rules are, as set by the user or authoritative organization, a process with which the user could also be involved. So even if an organization ignores the metadata, the data itself will know when it’s being misused and will “poof!”… disappear.

And on another thread altogether, reputation

Identity proofing remains the stickiest wicket in the world of online identity. And traditional methods, even with innovation, may not capture the desired percentage of the target population. So reputational services, webs of trust, biometrics, social vouching, and “digital documentation” such as mobile driver licenses and other digital form factors for those that don’t or can’t get traditional breeder documents, may all be part of the proofing ceremony.

Risk-based authentication isn’t enough

Todd Thiemann, VP of Marketing, Nok Nok Labs

As the U.S. Federal Government considers moving beyond Common Access Cards and Personal Identity Verification cards to embrace biometrics and behavioral biometrics, one can expect to see a focus on standards around two-factor authentication that enable the government to leverage innovation in the private sector, while maintaining adequate security.

There will need to be baseline requirements for hardware devices to provide some root of trust to secure cryptographic material, as well as biometric data on the device, such as a Trusted Execution Environment (TEE) or Secure Element (SE). It also means not only providing secure operating environments for sensitive authentication operations, but also the ability to prove the veracity of that operating environment to a remote system.

While behavioral biometrics may play a role in securing identities in the future, particularly by supplementing authentication and countering fraud, the U.S. government will find that it is not a substitute for good primary authentication. Explicit user consent cannot be achieved unless the user takes a specific action like entering a PIN or taking some biometric action.

Behavioral techniques offer benefits in combination with other signals like device and network information – IP, hardware and the software being used – that can be accumulated over time. They, however, lack the immediate unique characteristics provided by physiological biometrics that measure physical characteristics.

Think about the difference between a fingerprint – a physiological biometric – and keystrokes – a behavioral biometric. Even if you combine a bunch of behaviors into a composite “identity,” it wouldn’t be able to be used immediately like a fingerprint. Composite identities take more time to create because they require learning the behavior.

While risk/fraud signal analysis holds promise, the government needs to consider the veracity of such signals. Much of the current focus on risk-based authentication or contextual authentication is based on evaluating the device, the device’s location and health, and the pattern of user behavior.

But some of those signals are essentially untrusted and unverifiable. Is the user’s device really at that location? Is the device really intact? The government has to counteract clever and well-resourced nation-state actors.

While today’s risk-based authentication solutions may be good enough to thwart the current generation of attacks, attackers will gradually learn to mimic the “right” behavior and feed false signals. For risk-based authentication to be successful in the long term, the signals themselves will need to be rooted in hardware.