This well-written article in Forbes does a credible job of describing our current state of identity and authentication as implemented by the federal government. It also suggests a road forward that would be based on existing multifactor authentication methodologies.
I’d suggest our government needs to start testing new technologies, such as Self Sovereign Identity, and determine what its role will be in that new environment. Mastercard has deployed this new identity management as pilots in Madagascar and Australia.
It should also be pointed out that One Time Passwords (OTP) via SMS were identified as insecure by NIST. I’d also argue that while not all smartphones are secure, the level of security improves every year.
Most new smartphones, properly provisioned with a security application that implements multifactor authentication and includes traditional biometrics and behavioral biometrics, can certainly be used to secure my assets — even if that probably shouldn’t be used to protect the Treasurer of a Fortune 1000 company.
Our government needs an identity plan that recognizes and leverages where technology will be in 10 years, and that should include consideration for quantum computing hacks:
“I believe the answer is in a multilayer, multifactor approach. Government agencies should consider implementing, at a minimum, a two-factor verification process. Most common to consumers is a cellphone-based SMS push notification in which the user receives a code via text message to enter at the point of login.
Single sign-on (SSO) is also a reliable approach that can help prevent the friction that gets between authorized users and data. Public-facing sites and applications can make use of these same techniques to make it easier for private citizens to access services across government. Agencies can also look at cloud-based SSO tools to lower risk and, again, reduce the friction that layers of security can add to transactions.
True authentication can go much further, connecting online behavior patterns and activity with automated, AI-based tools that can provide real-time analysis of hundreds of elements. geolocation, device ID, IP addresses, profiles generated from publicly available records, biometrics and behavioral information.
Government agencies must train staff to be vigilant about their own behaviors, such as not clicking on links in scam emails and locking their devices. They also need to be trained in how to identify and respond to suspicious activity among the people they’re serving, and how to distinguish between individual cases of fraud versus mass fraud that must be elevated to the special investigations unit. Training needs to be backed by ongoing reinforcement to remind internal users of the threats, the risks, and the ways things can go very wrong, or right.
Of course, newer technologies, training programs and additional security personnel have to be budgeted, and this can mean a long planning cycle. That’s why a strategic plan is needed to help shepherd these programs through the approval process. Meanwhile, agencies can make incremental changes to get closer to their digital identity management goals.”
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group