What the cybersecurity executive order means for authentication
How this may work for citizens
17 October, 2014
category: Corporate, Digital ID, Government
President Barack Obama signed an executive order on cybersecurity that aims to protect consumers from identity theft. It requires federal agencies to issue and accept EMV payment cards and take extra precautions online when protecting citizens’ personal information. The focus of the announcement was on the move to EMV and the more secure chip and PIN technology. But, event more significantly, a short section of the executive order focused on a move to more secure authentication by government agencies.
It reads:
“Sec. 3. Securing Federal Transactions Online. To help ensure that sensitive data are shared only with the appropriate person or people, within 90 days of the date of this order, the National Security Council staff, the Office of Science and Technology Policy, and OMB shall present to the President a plan, consistent with the guidance set forth in the 2011 National Strategy for Trusted Identities in Cyberspace, to ensure that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process, as appropriate. Within 18 months of the date of this order, relevant agencies shall complete any required implementation steps set forth in the plan prepared pursuant to this section.”
The wording is vague and lacks concrete examples of how and why such a multi-factor authentication system might be necessary. Government officials were not able to give examples because they were waiting the 90 days for the guidance to be released. But the Avisian office decided to predict scenarios of how this system is likely to rollout.
Citizens who use Medicaid, Social Security or other government sites to access personal information will select a username and password, then be required to undergo some sort of knowledge-based authentication. This would include a series of out-of-wallet questions – select a street you once lived on, pick the value that closely resembles your mortgage amount, etc. — used to remotely prove they are who they claim to be. They will also have to provide a mobile number or other communication medium to receive a one-time passcode that will be used when they access those sites in the future.
When accessing this or other federal sites in the future, the citizen will enter the username and password, but then be required to enter a one time passcode. This numeric code will be sent to the enrolled mobile phone number – or other preset landline or email — via text message or other means.
To further peer into a crystal ball, all of this functionality is likely to be included into the Federal Cloud Credential Exchange (FCCX). This system will enable citizens to use credentials they already have – everything from social media logins to federally issued PIV cards – to access federal sites.
I’m predicting that FCCX will include enable stepped-up authentication for those citizens accessing personal information. They will use whatever credential they already have, Facebook for example, go through knowledge-based authentication and then receive a one-time passcode for use when accessing federal sites that provide personal information.
The groundwork for these systems is being put in place; it’s just a matter of making it work. Some people may scoff at only using this for access to federal sites, as many people don’t access them often. But it’s a matter of getting people use to using these types of authentication systems.
People in their 20s and 30s may be comfortable with the idea of receiving a code on their phone for access, but others are not. It’s likely that consumer enterprises will begin rolling these types of systems out to consumers in order to better protect resources and having them used by the federal government is a step toward educating the public.
EMV is grabbing the headlines in this announcement, but the impact this Executive Order will have on authentication and online identity could fundamentally change how we access information.