FCCX update, the power of federation, Wells Fargo issuing CIV credentials
The User Centric ID Live and Smart Card Alliance’s Smart Cards in Government Conference covered a lot of ground in Washington DC last week despite the government shutdown.
Attendees received an update on the National Strategy for Trusted Identities in Cyberspace, including pilots funded in 2012 and those recently awarded in September. For one of the newly-awarded smart card-based pilots, Exponent will be teaming with Gemalto and HID Global to help secure applications and networks for the U.S. Department of Defense, a social media company and a health care organization, by deploying ID verification using mobile devices and wearable devices, for example rings, bracelets.
According to Exponent, the solutions will ensure an interoperable system that can be easily adopted by a wide variety of organizations and companies; additional details will be shared in the next six months.
Doug Glair, the manager of digital partnerships and alliances at the United States Postal Service spoke on the Federal Cloud Credential Exchange (FCCX). The goal of the pilot is to streamline and reduce costs and complexities of digital authentication between individuals and government services.
The pilot will demonstrate that citizens can use existing user names and passwords for different government service they access. The system will be live in the first quarter of 2014 with the U.S. Department of Veteran’s Affairs and add an agency each month after. The USPS is working with SecureKey Technologies to provide the infrastructure to allow trusted third parties to participate.
Other sessions focused on the need for more secure online identity credentials for consumers beyond usernames and passwords, and several top enterprises are taking the lead.
“Doing identity well is not trivial,” George Fletcher, the chief architect of identity services at AOL told attendees, speaking on the company’s experiences as a relying party. According to Fletcher, identity federation for authentication works, if it uses open standards and is implemented requiring re-authentication – challenge and response — before users make purchases. Some of the challenges that relying parties, such as AOL, face when consumers use federated credentials to establish their identity is a lack of control over the user experience, customer service and account recovery.
Enterprises are taking the lead from the government and are implementing standards-based, secure and interoperable credentials for logical and physical access.
Wells Fargo, for example, is issuing Commercial Identity Verification (CIV) credentials that leverage the PIV-I specifications, technology and data model without cross certifying to the Federal infrastructure, to employees. The benefit of using the CIV model, according to Brian Keltner of Wells Fargo, is that it requires compliance with technical standards but allows for local policies, provides a secure, unified and interoperable platform across multiple locations, and gives them the option to use the many already-certified products in the marketplace.
Conference health care track presenters discussed the lack of streamlined and secure processes to accurately verify patient identities and match them to correct medical records, often cited as a major reason for the growth of medical identity theft and fraud in the U.S. Medical identity theft and fraud may accounts for $75 billion in excess costs a year, according to Bill Barr of the Medical Identity Fraud Alliance. The problem is that only 15% of people are aware of medical identity fraud.
Kelli Emerick, executive director of the SecureID Coalition, pointed to the fact that while the U.S. has lead the way in some identity management, such as PIV and e-passport, it’s behind when it comes to citizen credentialing.
“Government can’t afford to administer public programs without knowing who people are and if they are eligible to participate,” Emerick said. The U.S. needs education for policy makers about the benefits to consumers and privacy protection that strong identity management provides.
The U.S. government is taking a step toward stronger identity management in the Medicare program through the Medicare Common Access Card Act of 2013 (H.R. 3024), which would establish a pilot program to develop a secure Medicare card using smart card technology to protect seniors’ personal information, prevent fraud and speed payment to doctors and hospitals.