Federal Agencies Consider Identity Platforms
The government is translating physical forms of ID for a digital world.
The federal government, building on existing identity management practices, is investigating how it can leverage passports and other state and federally issued ID cards to verify identity in the digital age. The need to validate a citizen’s identity in person and online is only going to grow across platforms, experts say. And absent a secure commercial solution, the government may have to provide verification of identity.
“We find ourselves now in kind of an identity pivot point,” says Matthew Scholl, division chief, Computer Security, National Institute of Standards and Technology (NIST). Referring to federal identification known as the common access card (CAC), Scholl questions how the card could be applied to identity management in the digital realm. CACs or other forms of ID can be verified immediately when presented in person, he says. And the access those cards provide can be suspended or easily revoked. However, the cards exist for the physical world.
“But more and more in an online world, this is not how we operate,” Scholl cautions. “The smartphone is how we operate now and how we are going to operate going forward, and it doesn’t work with credentials. These [CACs] are nice, with the hardware and a cryptographic token behind it, but are these the identity credentials that we need for our future? Probably not.”
Comprehensive identity management is essential, given “the dispersion of how we interface with electronics via voice and data interfaces, [electronic] wearables and integrated reality situations,” he considers. “How do we couple all of these different pieces of identity that we leave around, which identify us as unique, in order to have a strong credential—potentially as strong as this CAC card—that we can use in all of these new environments in the future?”
As such, NIST is examining “a much larger life cycle of identity,” Scholl says. And in doing so, the agency is looking at crosscutting identity platforms and technologies. “This is important for health care. It is important for the digital economy. It is important for our way of communicating,” he states.
The division chief also advises that identification management “isn’t just about people anymore.” It also should apply to technology. “That is the other thing that we need to get a better handle on,” Scholl says. “We need a better identity mechanism for devices, sensors, processes, software and applications that are spun up and dropped out in virtual environments. There are more sensors generating data now than there are people generating data.”
He offers that a “strong, verifiable form of identity would not only be bound to a person but would also be bound to the device and to the processes and software that will be acting on our behalf. These are the things we are thinking of at NIST going forward.”
As for a pie-in-the-sky scenario, Scholl shares that “it would be nice if we had a nationally acceptable, interoperable, strong credentialing mechanism that was supported in a viable commercial market for everyone to use. That would be a lovely thing.”
Neville Pattinson, senior vice president of federal government sales at Gemalto Inc. in Austin, Texas, a consultant on federal ID matters, observes that the solution could harness existing forms of ID. “People have state driver’s licenses, and 100 million Americans have passports. The passport does have a chip in it, so it is an electronic credential. So we have two government-issued ID’s to begin with,” he says.
And because these are great credentials that are not too complicated and in the market already, the government wants to use these forms of ID instead of coming up with something new, Pattinson notes. The government is looking at how to employ mobile phones in the process. “What we are finding now is that we can take a picture of this credential [such as a passport] with the camera on the phone, and we can send it off to our service, and then we can verify that it’s a genuine document,” he says. “We can see that it hasn’t been tampered with, is still valid, still in service, so we can do an online verification to prove it’s an authentic document. So that is the first part.”
Then, to verify the identity of the person presenting the credential, the government can use biometrics to compare a photo from the document with a photo of the person presenting the ID. “We ask a user to take a selfie with the phone and compare the face to the document and see a biometric match within less than a second,” Pattinson explains.
The government also is working to develop a digital driver’s license, which would not be used to replace the traditional driver’s license, Pattinson stresses. “It will be adding digital abilities to the ID,” he notes.
Biometric facial mapping is the key to all these capabilities, Pattinson adds. “It’s a future of ‘How do we leverage what we’ve got?’ And I’m convinced that we will be adding biometrics, certainly around the facial photo. We’ve just been performing tests at the Department of Homeland Security’s Maryland test facility, successfully testing facial recognition of people boarding planes and matching people very quickly. So biometrics will be part of the credentialing system in the future,” he says.
Meanwhile, on the health care front, identity management will be used to improve how patients receive their health information, says Steve Posnack, executive director, Office of the National Coordinator for Health Information Technology, U.S. Department of Health and Human Services (HHS). Posnack shares that the government’s efforts related to health care ID could affect 300 million patients across the United States.
One HHS focus is to provide patients with electronic access to health information. “When you need a second opinion, you need to get that data from your health care providers,” Posnack states. “You have the legal right to ask for a copy of that data. But how you get it, though, is still challenging. Most of the time it is printed, and you have to pay for it. We are working to promote policies that will incentivize electronic access to your health information.”
Posnack’s office also is developing a so-called trusted exchange, as required by the 21st Century Cures Act of 2016. The exchange would aid patients as they go between different health care providers, Posnack says. “For example, if you go skiing in Lake Tahoe, and you hurt yourself and you are from New York, you would think that today your doctor would be able to use the Internet and look up your records from your health care provider in New York,” he explains. “But it is not quite that simple. Often, it is a lot of phone calls and a lot of faxing, as faxing is the default. So our charge under the 21st Century Cures Act is to help some of the burgeoning networks that exist today to connect on a national scale.” The office is working to authenticate the identity of health care providers wanting to access protected health information.
At the same time, the HHS is negotiating the burgeoning ecosystem of health-related applications. For example, Apple Inc. in Cupertino, California, has been making some advances that are affecting patient identity management and access to health care data, Posnack notes. “With iOS 11.3, the company has released a new health records application that can connect to certain hospitals [currently about 500], which will allow you to sign into your patient portal to get your health information and download that onto your iPhone,” he says.
Apple has taken this a step further by giving third-party applications access to that downloaded health information encrypted and stored on an iPhone through a health records applications program interface called HealthKit. “So you start to see an ecosystem where it is understanding who the patient is and their identity, and understanding who the providers are,” Posnack observes. The tools must verify identity so patients and providers “are not being spoofed.”
When breaking ground with digital identity management practices, officials should work on engagement, advises Tony Brown, senior consultant and subject matter expert at Vienna, Virginia-based BRTRC Inc. BRTRC is working with the biometrics offices of the FBI, the U.S. Defense Department and the U.S. Department of Homeland Security on how they can collaborate across the federal space with industry and academia.
“The real issues here aren’t technology issues,” he says. “It is great to hear about what is happening on the technology front, and the advances have been amazing. And truly the things that we thought would be a fantasy back in 2002 are now realities. But the issues and the challenges more often than not are societal. [They] are people issues, policy, winning hearts and minds, and getting people on the same page. They are governance issues. It really comes down to engaging across the bureaucracy.”
Brown and the other experts shared their observations at AFCEA’s Federal Identity meetup event in June at the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence in Rockville, Maryland.
For information on the upcoming Federal Identity Forum and Exposition taking place in Tampa September 25-27, visit the event website.