Authentication plays an increasingly important role in how governments are providing services around the world.
At the Authenticate Virtual Summit on Sept. 23, 2021, users, experts and vendors from around the world detailed how strong authentication helps to enable government services and new efforts to secure online identities. Users including the U.K. National Health Service (NHS), as well as the U.S. Government’s login.gov and Internal Revenue Service (IRS) provided insights into the present and future of online authentication and digital identities.
In the opening session of the event, Andrew Shikiar, executive director and CMO of the FIDO Alliance, outlined the strategic imperative for FIDO in government services around the world.
“COVID-19 created an imperative to really accelerate digital transformation activities,” Shikiar said. “When the pandemic hit all of a sudden, everyone was at home and all activity brought requirements for modern authentication schemes that go far beyond passwords, even beyond traditional multi-factor authentication.”
Shikiar noted that the FIDO Alliance standards align very well with global regulations and policies and there is a growing trend of government guidance for authentication that cites the use of FIDO.
“It’s important to enable trust in the government ecosystem,” Shikiar said. “This comes through the engagement FIDO does with different regulators and government bodies and ultimately will be manifested through the secure implementation of digital identity services to citizens worldwide.”
Technology Helping to Push FIDO Strong Authentication Forward
A key path for enabling FIDO specification is via vendors that support government efforts.
Patrick Sullivan, CTO of security strategy at Akamai, commented that password credential stuffing attacks are very common. He noted that Akamai’s platform sees as many as a billion password attacks per day. That’s where multi-factor authentication and more specifically strong authentication based on FIDO Alliance standards play a strong role. Sullivan noted that there is a clear need to provide multi-factor authentication in a low friction environment where it’s delivered in the form factor of an app on a smartphone.
“We’re not asking users to carry around a hardware token to accomplish FIDO2 as we move in that direction, and by introducing less friction, there’s less risk of our users doing something anomalous,” Sullivan said.
Jeff Frederick, manager of solutions engineering at Yubico, noted during his session that in government, many agencies in the U.S use Common Access Card (CAC)/Personal Identity Verification (PIV) credentials that go beyond basic passwords. Frederick noted that FIDO2 standards, which are supported on his company’s YubiKey device, provide a strong impersonation resistant authentication protocol that uses public private key cryptography.
“It’s very similar to PIV/CAC and FIDO2 is an open standard that’s managed by the FIDO Alliance, so that any vendor can support this and use it today,” Frederick said. “It’s built into all major operating systems and all major browsers so there’s no middleware that you need to install to make this work and it’s just an easy to implement solution that will modernize the federal authentication infrastructure across the board.”
Making Identity and Authentication Less Taxing at the IRS
The IRS proofs and authorizes tens of millions of taxpayers every year, across both digital and non digital channels, according to Courtney Rasey, assistant to the director, Identity Assurance, Privacy Governmental Liaison, & Disclosure (PGLD) at the IRS.
“None of those tens of millions of taxpayers who are calling the IRS are doing so just because they want to, it’s not really a fun weeknight activity,” she said. “They need to resolve an issue to meet their tax obligation and we know that, so we’re always striving to provide better service to taxpayers, to help them get the service that they need in the most convenient and efficient way possible.”
One way the IRS is looking to be more convenient to taxpayers is with its Secure Access Digital Identity (SADI) platform that was launched in June of 2021. Rasey explained that SADI leverages a Credential Service {rovider (CSP) that identity proofs the taxpayer and then provides the IRS with a digital identity credential.
“Users are eventually going to be able to access all IRS online applications utilizing that single digital identity credential,” Rasey said. “The IRS is moving more and more applications behind SADI throughout fiscal year 2022 and as we do move more applications taxpayers are going to be able to do so many things with just one credential.”
Moving Toward Zero Trust with Strong Authentication
In May, President Biden signed Executive Order 1402, which directs U.S. government agencies to improve cybersecurity. One of the primary provisions of the executive order is to move the federal government toward a zero trust architecture.
“When we talk about zero trust, we’re talking about an architecture where people and their devices aren’t trusted just by virtue of being inside an organization’s enterprise network,” explained Eric Mill, senior advisor, Office of Management and Budget (OMB).
Mill noted that in a zero trust model, people and devices are validated at each step and authentication is context-aware. The OMB is strongly encouraging the adoption of phishing resistant multi-factor authentication, with FIDO WebAuthn as a good alternative option in environments where CAC/PIV isn’t feasible.
“We’re pushing very hard on multi-factor authentication and we really view reliable authentication as a critical foundation of zero trust architecture,” Mill said.
In a Policy Deep Dive session, Jeremy Grant, managing director, technology business strategy at Venable, noted that there are a number of reasons why authentication is important to governments.
Grant said that FIDO specifications can help governments to protect access to their own assets and can help to enable more high-value citizen facing services to the public.
“I think what we’re seeing in 2021, is a really different environment across the globe, where FIDO authentication is emerging, not just as another permitted option, but in many cases as a preferred choice of governments across the world,” Grant said.
How the National Health Service (NHS) uses FIDO
Among the areas in the world where FIDO is finding a home is in the U.K.
The National Health Service (NHS) is the publicly funded medical and healthcare system in the U.K. and it has embraced FIDO standards to help improve human health. With the NHS Login service, citizens get a centralized identity for health services while the NHS app provides a simplified application for accessing and managing an individual’s access to health services.
Priyanka Mittal, technical architect for the NHS Login and NHS app, said that over the past 18 months there has been a 10-fold increase in the user base for NHS login as demand has grown during the pandemic.
Sean Devlin, tech lead for the NHS App, explained that initially the services started out using an SMS based two-factor authentication approach, but wanted to find a more seamless approach. NHS decided to use FIDO UAF and built out its own implementation, using eBay’s open source FIDO implementation as a starting point.
Devlin said that before using FIDO, users had to navigate as many as five different screens to get through a multi-factor authentication flow. With FIDO, it’s a single screen.
The NHS has also saved a lot of money by moving to FIDO. With over 500,000 FIDO logins per day, Devlin estimates that the NHS is saving on the order of £8,000 per day on SMS messaging costs.
Bringing FIDO Strong Authentication to Login.gov
FIDO specifications also play a pivotal role at login.gov, which is a single sign-on platform for U.S. government services.
Jonathan Hooper, login.gov Engineering Lead at the General Services Administration (GSA), explained that the authentication portal fronts over 200 sites across the U.S. government, spread across 27 different agencies. Hooper explained that starting in 2018, login.gov began expanding the use of multi-factor authentication, including the WebAuthn specification.
“We don’t want to be ‘big brother,’ we want to make sure that we can protect users’ privacy and the things built into the protocol that helped to do that were very attractive to us,” Hooper said. “WebAuthn is also very cheap, it is much cheaper to do a WebAuthn authentication event than it is to do SMS by several orders of magnitude.”
Improving Digital Identity with FIDO
A FIDO-based approach for digital identity could soon be finding its way to Canada as well according to Joni Brennan, president, Digital ID & Authentication Council of Canada (DIACC). An effort currently underway is the Pan Canadian Trust Framework (PCTF) which is an information assurance framework.
“We think that there’s a great opportunity here to leverage an information assurance framework, coupled with FIDO Alliance driven specifications, to create and to verify that end to end experience that’s needed for digital ID adoption,” she said.
The need for secured digital identities was also highlighted by Amit Mital, special assistant to the President and senior director, National Security Council at the White House.
“Today, when we authenticate ourselves and identify ourselves, we might use one of dozens of popular systems,” Mital said. “
So the ecosystem itself is very decentralized, and it’s very unharmonized. It is also fundamentally unsecure.”
Mital said that there is a clear need for strong remote identity solutions that can provide easy, secure, affordable and reliable ways to identify consumers across digital systems.
“It’s clear that there are a diverse and large number of scenarios that need digital identity and there is no single entity that can solve all these scenarios,” Mital said. “We need an ecosystem that brings together the best ideas and innovation from the private sector, both large companies and startups, as well as the government at both the federal and the state, the local, tribal and territorial lands.”
Wrapping up the day’s event, Andrew Shikiar, executive director of the FIDO Alliance, observed that there are a lot of conversations ongoing about different types of government services and their dependency on secure digital identity.
“Ultimately, identity and authentication are core to deploy new services at scale, in a way that meets the requirements for government agencies, and for citizens alike,” Shikiar said.
The webcast is now available on demand. To watch the recording, visit the event page.
For more discussions on moving past passwords to modern strong authentication, attend Authenticate 2021 on October 18-20, 2021 in Seattle or virtually. The full agenda and details to register are available at authenticatecon.com.
