The state is testing a new authentication system developed by NIST and LexisNexis that simplifies how people apply for benefits and other government services while saving taxpayer dollars. But privacy and civil rights advocates have concerns.
In 2015, government operates in a burgeoning market of new businesses that use smart software to undercut old institutions and simplify once complex tasks. Online identity verification — an outsourced service that ensures people are actually who they say they are — can eliminate . That’s why the state of Michigan is now piloting a new authentication service as part of a federally funded project that could one day change how everyone shakes hands with Uncle Sam.
Michigan isn’t the first in this arena, but the latest. Florida’s Department of Children and Families adopted an online authentication tool that The New York Times called “Your Online Driver’s License,” back in 2011, arousing contempt from privacy advocates and civil rights groups. Pennsylvania is developing a similar pilot project, and Michigan's Department of Human Services and the Department of Technology, Management and Budget are working with a $1.3 million grant from the National Strategy for Trusted Identities in Cyberspace (NSTIC) National Program Office at the National Institute of Standards and Technology (NIST).
Through a partnership with LexisNexis, which oversees the world’s largest repository of public records, Michigan is finding ways to streamline authentication and save money, a proposition that may prove enticing enough to attract the attention of other jurisdictions.
Michigan’s pilot system, which went live on Dec. 20, is simple. When a Michigan resident goes online to apply for benefits — like federal cash assistance, state cash assistance, food stamps, child day care or Medicaid — he is required to create a user name, password and personal identification number (PIN). He then provides basic identification information like his name, address, date of birth and Social Security number. Instead of completing the application and sending the information to the state for processing that would normally take days or weeks, authentication is achieved instantaneously by LexisNexis.
Monty Faidley, LexisNexis senior solution architect for health and human services, explained the process of authenticating a user happens in two steps. First, the basic information provided by the user is checked against his records to ensure they match a real person and that the user isn’t fabricating an identity. If a match is made, the user is then prompted with a series of authentication questions that only that person should know, like “What color was your first car?” That’s it. The person’s identity is authenticated, or not, constituting a faster and far less work-intensive process than what the state and its citizens are familiar with. The theory is that the state saves money and time and people get their benefits faster. Using the pilot authentication system is optional, and it’s still too early to grade the system’s success, Faidley said, but the company's authentication service has a good track record.
“The best measurement of the success of the tools, especially in this context, is probably the work we’ve done with the Florida Department of Children and Families (DCF),” he said. “They’re showing some very significant ROI.” LexisNexis estimated their identity analytics system has saved Florida DCF more than $36 million.
Saving money is a common motivator for government, but this project is more than just a one-time savings in one government agency — it’s a portent of how all American governments will complete tasks. Residents opting into the LexisNexis service don’t circumvent the state’s scrutiny — the information is still screened, but having LexisNexis authenticate users first reduces the work the state needs to do. A more confident government can also run faster, more convenient services for users.
By the time Michigan’s pilot ends in October, the state will better understand how online identity authentication and identity management can shape government’s future relationship with its citizens, Project Manager Cathy Fitch said.
“Our hope is that once we have worked out some of the bugs, that we will be able to continue on with this functionality and that it will also inform the larger enterprise identity management for the state of Michigan and also inform those processes for other states,” she said.
The state can analyze the data collected by the pilot system to identify possible cases of attempted fraud by seeing where people abandoned their applications or what kinds of questions stumped them, but because the pilot is now an optional tool, it does little to reduce the state’s already-low incidence of fraud. Michigan’s pilot is government’s proverbial dipping of the toe into the deep end of a comprehensive online identification schema.
Some skeptics say an online identification service is the start of a true driver’s license for the Internet, a government-issued document that would be required to use online services, exploited by politicians to discriminate against or track users. Those involved with NSTIC, like NIST's Jeremy Grant, insist that’s untrue, that the program was developed to experiment with what alternatives might exist to users keeping track of 100 user name and password sets — a more convenient, more secure, but privacy-minded identification system. Meanwhile, Electronic Frontier Foundation Staff Attorney and Identity Ecosystem Steering Group member Lee Tien said he’s not convinced of where the program is headed.
In Michigan, funding is limited until the end of the pilot, at which time the project’s merits will be evaluated to determine the extent of the program’s future. “We’re very lucky to have a third-party evaluator who’s going to help us continually look at the data we’re receiving, looking at the end-user experience and to refine the process, and so we will have a robust report on what works, what doesn’t, and how best to implement moving forward,” Fitch said.
“We are very hopeful that we will never have to turn this functionality off, and we are very hopeful that what we learn in the Department of Human Services informs how identity proofing and identity management will be done on a more enterprise scale," he added. "Most of our state departments have some public-facing interaction and many have public-facing online applications, so we’d really like to apply what we learn to that enterprise approach and also to be able to share with our other state partners — state government agencies who are looking to do the same.”