Identity Crisis

States are tightening verification, the feds are funding pilots and privacy advocates are worried.

By Colin Wood / May 23, 2014
Michigan is one of two states involved in a federal pilot to develop better methods for verifying the identity of citizens using online services.

Government is raising its expectations. Officials who aim to be good stewards of public dollars are looking for tools to identify money wasted by fraud, mismanagement or inefficiency. New technologies are preventing such waste and initiating cultural change in the public sector. At the Florida Department of Children and Families (DCF), that transformation is being realized through the adoption of an online authentication tool the agency uses to ensure that the benefits it issues, like food assistance, are going to the right people.

Various incarnations of online authentication technology are sprouting up in state government agencies around the country, led by a White House vision for a new, central form of identification that some are calling “a driver’s license for the Internet.”

The DCF reported that in 2013 it saved about $14.7 million through the use of an online authentication tool, with an initial investment of about $1 million and a total contract of just under $3 million. The tool and subscription service were purchased from LexisNexis and operate similarly to the systems financial institutions use to verify the identity of loan applicants. Now when people apply for various assistance programs online, they are prompted with identity verification questions about their previous employers or the names of streets where they lived.

The DCF says the technology is saving so much money because it cuts the amount of staff time spent verifying identities manually, and even better, there’s been a reduction in cases of identity fraud.

The agency began implementing online services a few years ago, said Andrew McClenahan, director of the Office of Public Benefits Integrity at DCF. The move transformed how the state deals with public assistance fraud, he said. “Fraud is no longer considered a cost of doing business. These modernizations — data analysis and predictive modeling and now this customer authentication tool that works with identity verification — are all realities that we as a state and other states are having to face, and I think it’s here to stay.”

The shift away from authenticating people in person began two years ago when the state started centralizing its physical offices to one per county. That change, McClenahan said, prompted more online usage, but also introduced a new problem: The state had no reliable way of verifying identity online and the result was a lot of waste — wasted time and wasted benefits issued to illegitimate applicants. So the agency piloted the current system in Orlando, and in August 2013, the system was spread throughout the state.

It was important to get away from the old model, McClenahan said, and it’s easy to see why. Government assistance programs have struggled with fraud and abuse for years. In 2007, federal officials randomly visited 1,600 businesses in Miami that had billed for “durable medical equipment” and found that 481 of those businesses didn’t even exist, accounting for $237 million of fraud in just one year.

In 2012, the attorney general announced that the Medicare Fraud Strike Force had arrested more than 100 people, including doctors, nurses and other health professionals, accounting for more than $452 million in fraud across seven cities.

These instances of fraud, enabled for decades by a lack of government oversight or technological wherewithal, have cost taxpayers untold sums. In 2013, the Government Accountability Office released a report in which it identified $44 billion in “improper payments” nationally for the previous year.

In 2011, the White House started looking at the issue differently when it released the National Strategy for Trusted Identities in Cyberspace (NSTIC). The program outlines a framework for an online identity verification system that would attempt to reduce fraud, while creating a convenient way for Internet users to prove their identity, without the need to remember passwords. The New York Times called it “a driver’s license for the Internet.” Even better, the White House reported that such a system would improve the Web economy by bolstering public confidence in security and authentication of online businesses and services.

In fall 2013, the National Institute of Standards and Technology (NIST), the agency overseeing the program, awarded $1.3 million and $1.1 million in pilot funding to Michigan and Pennsylvania, respectively. Rather than develop entirely new systems or even some form of comprehensive Internetwide identification system, the implementations in each state look at how existing systems can be used to simplify authentication across departments. These pilots are just the beginning — NIST is awarding pilot funding to 10 additional organizations, which will be announced in August.

Pennsylvania is developing an implementation that will allow users to operate a single identity across state departments, rather than requiring users to manage user names and passwords for each department, which is the case today. In a pilot scheduled to run from this spring through September, Deloitte will bridge various departments and agencies, each of which would require varying levels of authentication on behalf of the user, according to news reports. For example, if a user only wants a fishing license, he could simply authenticate his identity at a low level, but if he later wanted to use that same online ID for welfare benefits, he would need to raise the authentication level by providing more information in order to access those services. But he would only need one set of credentials to access any state service.

In a pilot scheduled to run from May to September, Michigan will use the funding to establish an online authentication system for residents who use its MI Bridges portal to access services like food and cash assistance programs, the same kinds of services for which Florida developed its authentication system.

Identity verification for MI Bridges is done manually today using several different methods. For that reason, there’s little fraud in that program, according to an agency spokesperson. However, reducing the work needed to verify the identity of an online user could save the agency money.

Like the Florida DCF system, Michigan’s system asks users various questions similar to those posed by online applications for a mortgage or loan.

The success of the NSTIC pilots will be determined by analysis conducted by nonprofit RTI International, funded with $300,000 from NIST. The organization will compare the efficacy of the new system to the old manual processes of identity verification. If the pilots are successful, they could end up being the first step toward a single set of standardized credentials that Internet users provide to prove who they are.

Identity Verification for the Web

A single ID that can be used across the entire Internet is an idea that has been talked about for a long time, and since the 1980s, the technology world has known that the password model is inadequate, said technology analyst Rob Enderle. A single set of credentials that could be used to verify identity would be far superior to what’s used today, he said, and the NSTIC would lead the Internet toward that goal.

This isn’t just a good idea, Enderle said, it’s a necessity. “If you can’t create a method to ensure a person is who they say they are, then you really can’t secure bank accounts, identities, anything that’s done on the Web,” he said. “Moving to something else would seem to be decades overdue.”

Though the White House created the program to begin research around such a system, the government is generally not good at developing these kinds of technologies or working within a fast timeframe, Enderle said — a successful technology like this needs to come from the private sector.

“It has to be driven by the market. Remember, we were supposed to be on the metric standard decades ago and we aren’t,” he said. “There have to be some penalties involved for not doing it. I think after a couple major breaches where the liability is passed to the organization that didn’t properly assure the identities of the people that were accessing it, that motivation will probably drop into place.”

The technology for strengthening online identity verification is available, said Gartner analyst Avivah Litan, it’s just a matter of getting the market properly aligned. “The main issue is you have to get identity providers standing behind it and backing up the identities, and you have to solve the business model,” Litan said. “In other words, if they get the identity wrong, who’s liable? It’s a great concept, but it hasn’t taken place because no one’s willing to be the identity provider or issue the identity. It’s not a technology issue, it’s a business issue.”

Proposed legislation in the United Kingdom shows that the market is demanding better authentication online, not just to curtail fraud, but also to restrict access to certain content. The proposed law would require websites hosting adult content to verify age with something stronger than the honor system. In the U.S., the Children’s Online Privacy Protection Act requires websites hosting adult content to require the user to enter an adult’s age before proceeding, a standard that websites in other countries also have adopted. But the problem is that it simply doesn’t keep young users out. A quick lie is all that’s needed to proceed. The thinking behind the UK legislation is that the rules that apply offline should also apply online.

Privacy Concerns

Not everyone thinks a driver’s license for the Internet is a great idea. Lee Tien, senior staff attorney with the Electronic Frontier Foundation, serves on the NIST-supported Identity Ecosystem Steering Group, which is made up of private-sector representatives charged with finding alternatives to using passwords online. Even so, Tien questions whether the government’s main motivation with such a program is in fact fraud prevention — and not tracking.

“We think it’s a terrible idea,” Tien said. “The main substantive issue is that much of what we do on the Internet is plain old speech: writing comments, posting on blogs or whatever. And one of the things about speech in the United States, especially under the First Amendment of the Constitution, is that you have a right to speak anonymously. The EFF has long believed that it’s really important to preserve and protect that right to speak anonymously on the Internet. Any mandatory type of ID online runs really directly counter to that.”

Even a voluntary online ID could be problematic, Tien said. If the ID became popular, it could still become a de facto requirement that people would need to access a variety of services, and the result, again, would be loss of privacy and anonymity. The thing that’s unclear about such a solution, he said, is how this form of authentication would prevent various types of fraud in a way that other methods cannot.

“One of the great things about modern cryptography is that if it’s implemented well, you can have highly secure transactions, and you can have cryptographic proof for verification as to whether or not a person is or isn’t who they represent themselves to be in a mathematically secure manner,” he said. “A lot of times the issue is not fraud. The issue for government is that they want to track, regardless of fraud.”

License to Surf?

Jeremy Grant of NIST leads the NSTIC program office. He’s charged with translating the abstract White House document outlining the idea into a real program. Grant said there’s a lot of misinformation circulating about NSTIC, starting with this concept of a driver’s license for the Internet. The term “driver’s license” is only useful if people are thinking of the document as an optional authentication tool, not as a permit to do something, he said.

The objective of the program is not to create a government-run identity scheme, Grant said, but rather to create an “identity ecosystem,” described as a “marketplace of solutions where all of us should be able to choose within a few years from a variety of different identity solutions that we can use online in lieu of the password-based systems that dominate today.” The goal? Online experiences with more security, more convenience and more privacy than password-based systems.

In 2004, Bill Gates predicted the death of the password. The problem is not that passwords are dying, Grant said — it’s that they’re still alive. Citing Verizon’s Data Breach Investigations Report, Grant said that 76 percent of private-sector data breaches in 2012 were caused by passwords. “These numbers show that the password is killing us. One way to view NSTIC is as an aspirational document that essentially says the world would be a better place if we weren’t tied to passwords and we had an easy way to prove online who we were, control what information about ourselves is collected and aggregated, and play more of a role in how that information is shared.”

Analysts say industry leadership is needed to drive the market away from passwords and toward these types of solutions, a sentiment Grant agreed with, but he admitted that getting companies to participate can be difficult. “There are some companies that say, ‘It’s a little too early stage for us. We’re going to wait until we see a little bit more happen before we jump in.’”

But the first signs of the marketplace driving change are already popping up. NIST has been working with the Fast Identity Online (FIDO) Alliance, an organization dedicated to creating better online authentication. Samsung’s Galaxy S5 has a fingerprint sensor that can be used to conduct payments via PayPal without the use of a password, and does so in accordance with FIDO authentication standards, a first for mobile devices. These are the types of advances they hope to drive forward, Grant said.

Colin Wood, former staff writer

Colin wrote for Government Technology from 2010 through most of 2016.
