The digital ID industry is devoting an immense amount of effort and capital to protecting digital identities as data breaches and privacy concerns continue to make headlines on a regular basis. The stakes of a data breach are sky high for corporations, and higher still for the United States federal government, where any lapse in security could have much farther-reaching effects.
Securing digital identities at the federal level falls under the purview of the National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce. The agency has recently been devoting considerable resources to expanding its digital ID best practices to the private sector.
PYMNTS spoke with David Temoshok, senior policy advisor for the Trusted Identities Group at NIST, about how the agency’s best practices for digital ID security can be applied to private businesses, as well as areas where corporations and the government have been lacking.
The National Strategy for Trusted Identities in Cyberspace
NIST has been responsible for federal digital ID security for many years, but its collaboration with the private sector kicked into high gear in 2011, when President Barack Obama created the National Strategy for Trusted Identities in Cyberspace (NSTIC) — an initiative to improve the security and privacy of online transactions. The U.S. Department of Commerce established the National Program Office (NPO), led by NIST, to implement the program and collaborate with the private sector on tighter digital ID security.
“NSTIC called out the national need to eliminate PINs and passwords as single authentication factors and to use multifactor authentication for stronger [verification],” Temoshok explained. “It was built around four guiding principles: That identity management should be privacy-enhancing, secure, interoperable, cost-effective and easy to use.”
According to NIST Special Publication 800-63-3, the best multifactor authentication systems are built around three major cornerstones: Something known (for example, a password), something possessed (an ID badge or key) and a biometric authenticator (a fingerprint or similar data). Providing two of the three is typically sufficient to securely verify identities.
Applying government ID security practices to the private sector
Secure digital identities are a top priority for both corporations and government entities, but their security approaches are not identical.
“The biggest difference is that the federal government has very low tolerance for risk,” Temoshok explained. “[The] private [sector] has much greater flexibility for risk acceptance. They can build in fees, insurance, allocate risks and other means for much greater risk acceptance that are just not acceptable in the federal government.”
NIST’s standards are very much applicable to private corporations, many of which worked closely with the agency to develop the NSTIC guidelines. NIST is also a member of the FIDO Alliance, an association of businesses that develops non-password-based authentication solutions.
“While all of the standards in the Special Publication 800 documents are mandatory for the federal government, they’re … voluntary for industry, [but] we see many of those standards adopted by industry,” Temoshok noted.
One of the standards to which he drew particular attention was the requirement that digital ID security be easy to use.
“Usability and security go hand in hand. Increasing security so that it’s an inconvenience to users doesn’t mean that those security tools are going to be used,” he said. “It’s going to mean they’re going to be short-circuited. People will go around them, whether that’s password composition rules or multifactor authentication.”
Security is still lacking in some areas
Convenience can go too far, however, resulting in lackluster ID security in both the government and private sectors. Temoshok pointed out two major ID security vulnerabilities that are still prevalent, the first of which is knowledge-based questions.
“We still see knowledge-based questions being used for authentication, as well as for identity proofing purposes. … That’s not allowed under [Special Publication 800-63-3] at all,” he said. “The reason for this is that, due to data breaches, the information that can be the basis for knowledge-based questions is pretty much publicly available.”
The Government Accountability Office (GAO), the supreme audit institution of the United States, agrees with Temoshok. GAO issued a report last month calling for six federal agencies to strengthen their online verification procedures, adding that identifiable data obtained by Equifax, Experian and TransUnion should not be used for knowledge-based verification purposes. Such information was made available on the darknet during the 2017 Equifax breach.
Of the six agencies named in the report, only the General Services Administration (GSA) and the Internal Revenue Service (IRS) have phased out knowledge-based verification methods. The Social Security Administration (SSA) and the United States Postal Service (USPS) are currently planning to reduce their use of it, while the Centers for Medicare and Medicaid Services (CMS) has no plans to eliminate knowledge-based verification, citing cost as the preventing factor.
“It’s distressing to us that, in the GAO report, agencies are still using knowledge-based verification for authentication purposes [when] it’s clearly vulnerable,” Temoshok said.
The second major security vulnerability is PIN-and-password-based authentication systems.
“They’re just plain vulnerable,” he said. “Eighty percent of [data] breaches have been due to PIN-and-password compromise … [That’s why] the NSTIC program had it as a guiding principle to eliminate PIN-and-password use as single factors.”
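The two rules Temoshok describes, that a login must combine two distinct factor categories from SP 800-63-3 (something known, something possessed, a biometric) and that knowledge-based questions and lone PINs or passwords do not qualify, can be expressed as a small policy check. This is an added illustration, not code from the article or from NIST; the authenticator catalogue and the `evaluate_login` function are hypothetical.

```python
from dataclasses import dataclass

# The three factor categories named in the article (after SP 800-63-3).
KNOWN, POSSESSED, BIOMETRIC = "known", "possessed", "biometric"

# Hypothetical authenticator catalogue, constructed for this example. Factor
# assignment follows the article's examples: password -> known,
# ID badge or key -> possessed, fingerprint -> biometric. Knowledge-based
# questions map to None because the article says they are not an acceptable
# factor for authentication at all.
AUTHENTICATOR_FACTOR = {
    "password": KNOWN,
    "pin": KNOWN,
    "id_badge": POSSESSED,
    "hardware_key": POSSESSED,
    "fingerprint": BIOMETRIC,
    "knowledge_based_questions": None,
}


@dataclass(frozen=True)
class Decision:
    accepted: bool
    factors: frozenset  # distinct factor categories actually credited
    reason: str


def evaluate_login(presented):
    """Decide whether the authenticators presented in one login are multifactor.

    Two authenticators from the same category (e.g. password + PIN) count as
    one factor; disallowed evidence (knowledge-based questions) counts as none.
    """
    factors = set()
    ignored = []
    for name in presented:
        if name not in AUTHENTICATOR_FACTOR:
            raise ValueError(f"unknown authenticator: {name}")
        factor = AUTHENTICATOR_FACTOR[name]
        if factor is None:
            ignored.append(name)
        else:
            factors.add(factor)
    if len(factors) < 2:
        note = f"; ignored disallowed evidence {ignored}" if ignored else ""
        return Decision(False, frozenset(factors),
                        "single-factor: fewer than two distinct categories" + note)
    return Decision(True, frozenset(factors),
                    "multifactor: " + ", ".join(sorted(factors)))
```

Running it on `["password", "pin"]` shows why a PIN does not strengthen a password (same category), and `["password", "knowledge_based_questions"]` shows that knowledge-based questions add nothing under this policy.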
Passwords and knowledge-based questions are still the most prevalent means of securing digital identities, but these vulnerabilities continue to be exposed, and data breaches show no signs of slowing down.