Team FIDO Alliance
The intersection of identity and authentication and how it can help to improve business as well as people’s lives was a core topic of conversation on the first day of the Identity, Authentication and the Road Ahead: Virtual Policy Forum event on Feb. 4.
The FIDO Alliance joined together with Better Identity Coalition and the ID Theft Resource Center (ITRC) to host the two day event running on Feb. 4-5, which has over 1,000 registered attendees who are gathering to learn more and discuss the current and future state of identity and authentication. The first day of the event had a strong focus on things the U.S. can and is doing to help improve the state identity, while recognizing the many challenges on the road ahead.
Identity is a National Security Issue
In the opening keynote, Michael Mosier (pictured), Deputy Director & Digital Innovation Officer at the U.S. Treasury departments Financial Crimes Enforcement Network (FinCEN), outlined what’s at stake when it comes to digital identity.
“I view identity as a national security issue, and it will take the intellectual power and creativity of all of us to figure out how to secure identities and keep people from harm,” Mosier said.
Mosier emphasized that digital identity solutions are a key factor to help prevent fraud and financial crime. He added that in order to get payments right, there is a clear need to first get identities done right. The right way in his view, is an approach that preserves privacy while ensuring integrity in the system.
“The ability to detect and address risks is only as good as the ability to determine with whom you’re engaging,” Mosier said. “So the real question for identity related risk is, do you have the information necessary to reliably assess the risk of your counterpart or your customer.”
A key challenge FinCen is seeing is at the account opening stage, with identity proofing and verification. A July 2020 advisory from FinCen highlighted the issue reporting that criminals are undermining identity verification processes, through identity theft and synthetic identity fraud.
“We’re seeing a lot of identity authentication compromise, leading to account takeovers, as a lack of multifactor and multi step authentication is too prevalent across the financial sector,” Mosier said.
The costs of those takeovers is far from trivial. FinCEN is seeing around 5,000 account takeover reports each month, reaching approximately $400 million per month over the last two months.
“The bottom line is that many account takeovers and fraud are occurring because of failures to enforce stronger levels of assurance and identity verification in authentication processes,” Mosier said.
Phishing is Top Source of Identity Theft and Cybercrime
The Identity Theft Resource Center (ITRC) is seeing the same trends as FinCEN with phishing and credential theft being the leading source of identity theft, according to the groups recent release 2020 Data Breach Report. In a keynote session, Eva Velasquez, President and CEO and James Lee, Chief Operating Officer (pictured) of the ITRC outlined the high level findings of the report and its impact.
“Credentials are the coin of the realm today, as opposed to what we have traditionally thought of as being the kind of information that threat actors wanted to collect.” Lee said.
While other failures and vulnerabilities including unpatched software can and do lead to data breaches, Lee emphasized that the majority of the root causes of cyberattacks rely primarily on user logins and passwords
How the Pandemic has Accelerated the Need for Strong Authentication
With tens of millions of Americans looking to the U.S. government for help during the pandemic, there has been a clear need for strong authentication and identity technology.
During a panel, Sanjay Gupta, chief technology officer for the US Small Business Administration (SBA) noted that the SBA has been able to ramp up during the pandemic thanks in part to the deployment of a strong authentication based single sign on technology that makes use of FIDO Alliance standards. The SBA uses the login.gov platform from the U.S Government’s General Service Administration (GSA).
In a keynote session, Congressman Bill Foster (D-IL) (pictured) stated that the COVID crisis has laid bare many of the inadequacies of the identity system in the U.S.
Just to pick one example, Foster noted that over a million stimulus checks were sent to dead people and for millions of others, the stimulus checks were delayed because of challenges in verifying who is eligible based on where they live. While there are challenges, Foster noted that there has also been a lot of relevant technological progress, independent of government action.
“The use of a secure enclave on a modern cell phone as a FIDO second factor device is a huge step forward,” Foster said. “The increasing use of privacy preserving biometric sensors on smartphones as a means of providing digital online authentication for human identity is going to be transformative.”
In a panel following the keynote on where the government can help with identity and authentication, Paul Rosenzweig, Resident Senior Fellow, Cybersecurity and Emerging Threat at the R Street Institute commented that good identity is clearly one of those common public goods that economic theory teaches us, is best provided at a governmental level. That’s an idea that panelist Phil Lam (pictured), Executive Director of Identity for the U.S. General Services Administration (GSA) agreed with.
“I think that we as a government are providing a lot of benefits to Americans today and in order to facilitate providing that benefit, we kind of need to know who you are and are you eligible for a benefit,” Lam said.
Lam re-iterated that the FIDO-enabled login.gov portal is a critical part of the U.S. government’s authentication strategy and now serves over 25 million users.
The final panel of the day tackled the socially important topic of equity and inclusion when it comes to identity and the individual. Among the panelists was Reverend Ben Roberts (pictured) who runs the ID Ministry, which is an effort to help the underprivileged get their identity so they can qualify for government assistance or even just to get a bank account.
Roberts detailed a number of heart-breaking cases of individuals that have had extreme challenges in getting some form of verified identity. He had a strong message for government policy makers and technology developers alike for how to enable strong authentication and identity systems.
“As we’re bringing things online and as new policies and new systems come into play, really do your level best to ensure that people are not getting left behind,” Roberts said.