The intersection of identity and authentication is set to be very busy in 2022.
Over the course of two days from Jan. 24 – 25, the Better Identity Coalition, the FIDO Alliance, and the ID Theft Resource Center (ITRC) co-hosted the Identity, Authentication, and the Road Ahead Cybersecurity Policy Forum with representatives from government and industry providing insight into the policies, challenges and opportunities for identity and authentication in 2022 and beyond.
Identity has always been important, and during the pandemic the gaps in identity verification capabilities were dramatically exposed in a number of ways. The challenges of identity in the pandemic were detailed in a keynote fireside chat with Susan Gibson, chair of the U.S. Pandemic Response Accountability Committee (PRAC) Identity Fraud Reduction & Redress Working Group, and Jeremy Grant, coordinator of the Better Identity Coalition. Gibson explained that the PRAC was formed by the U.S. Government with the goal of promoting transparency and facilitating coordinated oversight of the federal government’s pandemic response, which totaled some $5 trillion in aid.
Gibson noted that there have been many instances of pandemic aid fraud, due in no small part to weaknesses in identity verification and coordination. For example, she noted that a single social security number was used to claim unemployment insurance in 29 different states.
While identity fraud, with social security numbers and other means, is common, Gibson emphasized that trying to stop identity thieves isn’t the only answer to the problem, as the volume of personally identifiable information that is already out in the public domain is large.
“Really, we need to focus less on trying to fix the problem by stopping identity theft and focus more on: how do you get to the strong authentication, with a realization that the identity theft has already happened,” Gibson said.
Data breaches continue to happen
Identities are often at the root of data breaches, both as a root cause and as a consequence.
In a morning session, James Lee, Chief Operating Officer of the ID Theft Resource Center (ITRC), outlined some of the key data points from his organization’s 2021 End-of-Year Data Breach Report. Among the highlights is the fact that 2021 was the worst year ever for data breaches, with 1,862 incidents impacting 294 million victims.
Lee said that the top data attribute stolen in data breaches is names of users, followed by social security numbers. That said, he noted that in fraud forums, stolen social security numbers are sold for $2 each. In contrast, logins and passwords associated with email accounts, and in particular Gmail accounts, are worth $80 each.
The first day of the event concluded with a pair of panels on different aspects of identities and authentication. In a panel on things the government is doing to coordinate and improve identity, Jason Lim, Branch Manager for Screening Technology Integration Program (STIP), TSA; Phil Lam, Executive Director for Identity, U.S. General Services Administration; Tim Weiler, Economic Policy Advisor & Legislative Counsel, U.S. Rep. Bill Foster; and Kate Wechsler, Executive Director, Consumer First Coalition, each detailed their views on what different agencies are doing.
Identity is also about access, which isn’t the same for all members of society. That was a key theme in the final panel of the day, hosted by Eva Velasquez, President and CEO, Identity Theft Resource Center (ITRC), alongside panelists Birdell Lewis, Senior Vice President, Centralized Shared Services, Synchrony; Pastor Ben Roberts, Foundry United Methodist Church; and Chris Peterson, Penny Forward and Community Member.
Day Two: The Future of Strong Authentication
In the opening keynote on the second day of the event, Eric Mill, Senior Advisor, White House Office of Management and Budget (OMB), outlined the direction of strong authentication in the government.
Mill noted that in the fall of 2021, the OMB published a draft of its federal zero trust strategy, which defines having a defense against phishing as a key priority. Mill said that phishing is one of the most common ways that adversaries gain a foothold in an enterprise, and the government wants to focus on having an order of magnitude better defense against that kind of attack.
“We are trying to create a clear baseline for civilian federal agencies around not using multifactor authentication methods that don’t resist phishing,” Mill said.
Mill noted that PIV, or Personal Identity Verification, cards are commonly used in the government and can be an effective phishing deterrent. He added that there is a need to have a broader approach with FIDO WebAuthn platform authenticators as well.
“We really expect to see PIV, FIDO and web based authenticators in commingled use throughout the federal government and other weaker methods in the context of phishing, discontinued,” Mill said.
The zero trust strategy was officially published the day following the conference and requires the use of phishing-resistant MFA, like FIDO Authentication.
FIDO Alliance’s efforts for strong authentication and identity
In a keynote, Andrew Shikiar, Executive Director of the FIDO Alliance, outlined the progress and initiatives that his organization has underway to help improve the state of strong authentication.
Shikiar emphasized that the imperative that FIDO is seeking to address is not just to be a checkbox item for multi-factor authentication (MFA), but rather to truly be a foundation to secure connected services that are critical to today’s networked society.
Shikiar predicted that 2022 will be the year that MFA attacks become mainstream. Having a phishing-resistant approach, which is what FIDO provides, is critical. The need for phishing-resistant MFA and strong authentication has been cited by multiple governments as a best practice.
“Passwords are part of our lives because they’re ubiquitous and they’re part of the web’s DNA,” Shikiar said. “Simply put, we need to supplant them, keep them out of that role and take their place.”
Barriers to MFA and the need for improved identity proofing
In a panel on how the government and industry are rethinking authentication, panelists provided insight into what holds adoption back and what needs to happen next.
Pam Dingle, Director of Identity Standards at Microsoft, commented that while there is awareness about the need for strong authentication and MFA, there are several reasons why it isn’t always implemented. One type of organization that doesn’t deploy is one where there is some sort of organizational barrier to MFA.
“So customers come to us and say they know they need to do it right, but they have legacy technology or they have other reasons why they can’t adopt,” Dingle said. “For everyone else, I believe it’s on people’s lists.”
Christine Owen, Director, Advanced Solutions, Cybersecurity at Guidehouse, commented that a challenge she sees with MFA deployment is on service accounts. Owen noted that adding MFA to those types of accounts is not always as easy as it should be. Grant Dasher from CISA noted that, in his organization’s view, identity is clearly the foundation of a zero trust architecture. Dasher added that the President’s Executive Order has committed the government on both civilian and national security sides to go in that direction. In fact, CISA has referred to FIDO as the gold standard for authentication in its recent guidance.
Helping to ensure that a given identity is in fact authentic is the domain of identity proofing, which also helps with the initial verification of identity documentation and attributes. In an afternoon panel, Rae Rivera, Director of Certification Programs at the FIDO Alliance, outlined the ongoing efforts to create certification programs for identity proofing.
Brighton Haslett, Counsel in the U.S. House of Representatives, Committee on Financial Services, noted that it’s important that any new regulations in the identity proofing space be based on real information.
“I think the biggest threat in this space is any kind of legislation or regulation born out of misunderstanding and fear,” Haslett said. “I think when we see a rush to regulate a new technology, it’s usually an attempt to mitigate bad outcomes whether those are real or not.”
Strong Authentication, Identity and the Banking System
The need for strong authentication to help secure identity is of critical importance to the financial sector and its government regulators.
“If you look at so many of the things that bring risk to the financial sector in the United States they are all anchored on identity,” commented Sultan Meghji, Chief Innovation Officer, FDIC.
Meghji’s views were echoed by Kay Turner, Senior Counselor to the Director, FinCEN Digital Identity, Inclusion, and Digital Payment Infrastructure. She noted that FinCEN’s role in the financial sector, as the primary administrator of the Bank Secrecy Act and the U.S. financial intelligence unit, is to help prevent illicit finance, money laundering and related crimes, as well as to counter the financing of terrorism.
“Identity is at the heart of all financial services, and it’s core to trust,” Turner said. “So we recognize that the ability to assess risk is only as good as your ability to figure out with whom you’re engaging.”
Much of Turner’s sentiment was echoed in a keynote by Elizabeth Rosenberg, Assistant Secretary for Terrorist Financing and Financial Crimes at the U.S. Treasury.
Rosenberg said that many of the critical problems plaguing the financial system stem from an inability to readily and reliably know who is dealing with whom.
“As a policy matter, digital ID has the potential to immediately and dramatically improve how we protect our national security and financial security,” Rosenberg said.
Looking beyond just being aware of the importance of strong authentication for identity, Rosenberg said that the U.S. Treasury is approaching 2022 as a year of action for digital ID.
“I don’t want us to be addressing the same problems when next year’s identity forum convenes,” Rosenberg said. “At least I don’t want to see the same problems happening as frequently to the same degree as they are right now and the Treasury is committed to making that happen.”
In the closing keynote, Carole House, Director for Cybersecurity and Secure Digital Innovation, White House National Security Council (NSC), also noted that she sees identity as being critical to national security.
“Many cyber incidents that we’ve seen involve vectors of compromise that could have been thwarted through stronger identity and access management solutions, including implementation of multifactor authentication solutions,” House said.