Digital Identity and Authentication: What Should the Biden Administration Do?
Digital identity has become a pressing issue. The pandemic resulted in much greater use of digital channels and tools. It also exposed widespread identity theft, synthetic identity fraud, COVID relief fraud, and fraudulent unemployment claims, which made crystal clear the need to be able to trust in the digital identity of the people we interact with and transact with online.
Helping financial institutions and other organizations protect their customers’ digital identity and secure their digital transactions is central to our work at OneSpan. When the Better Identity Coalition invited me to join a panel to share my views at the Identity, Authentication, and the Road Ahead: Virtual Policy Forum, it was yet another indicator of how important this issue has become. Hosted by the Better Identity Coalition, FIDO Alliance, and ID Theft Resource Center (ITRC), this two-day event was well attended with over 1,000 registered and well timed as the Biden Administration and the 117th Congress are settling in.
Michael Mosier, Deputy Director and Digital Innovation Officer at the U.S. Treasury’s Financial Crimes Enforcement Network (FinCen) opened the policy forum with a keynote address that bluntly stated:
“Identity is a national security issue, and it will take the intellectual power and creativity of all of us to figure out how to secure identities and keep people from harm.”
I agree with Deputy Director Mosier. However, I would add that addressing digital identity should be treated as a national infrastructure project and policymakers should not take a piecemeal approach by trying to solve specific issues, like unemployment claims fraud, without properly addressing identity issues related to distance learning and healthcare, to name a few. They all require trusted digital identities.
While the pandemic and the economy are rightfully at the forefront of U.S. government policy initiatives, addressing the nation’s lack of a digital identity infrastructure has a direct impact on our recovery and is fundamental to the future economic health of the country. Many countries, including Australia, Canada, the European Union, and the United Kingdom are in various stages of deployment, while the U.S. lags behind.
Throughout the event, key elements of the Better Identity Coalition’s report, Better Identity in America: A Blueprint for Policymakers, were referenced. Highlights included prioritizing development of next-generation remote identity proofing and verification systems. There is a significant role here for federal and state government agencies, such as the Social Security Administration and the state Departments of Motor Vehicles (DMVs), to verify identity attributes when an individual is applying for a bank account, opening a utility account, or scheduling an initial telehealth appointment. This report also emphasizes the need to move away from passwords, and instead promote and prioritize strong authentication.
At the event, Congressman Bill Foster (D-IL) and John Katko (R-NY) provided keynotes and both noted that they are planning to reintroduce the bipartisan Improving Digital Identity Act in the coming weeks. There is also movement in the Senate to introduce a companion bill. During his remarks, Congressman Foster noted, “The COVID crisis just laid bare many of the inadequacies in the identity system in the United States, particularly as our economy becomes more reliant on the digital space in our efforts to combat the epidemic and in our ordinary lives.”
If adopted, the legislation will elevate digital identity to the highest levels of the Executive Branch, help make federal and state data available for identity verification and increase engagement with the private sector.
Identity and Authentication Panel Discussion
The panel I participated in, What the Biden Administration Should Do on Identity and Authentication, discussed the underlying issues and presented potential solutions that policymakers could act on. I was joined by Carole House, Sr. Cyber and Emerging Technology Policy Officer, U.S Department of the Treasury’s Financial Crimes Enforcement Network; Dorin Methfessel, Acting Director for Identity and Access Management, USPS; and John Miller, SVP of Policy and Sr. Counsel, Information Industry Technology Council (ITI). Ross Nodurft, of Venable, LLP served as moderator.
During our session, Dorin Methfessel discussed an exciting pilot program. The USPS has teamed up with the FBI to provide in-person identity proofing services at post offices for individuals applying for a U.S. Government security clearance, which requires a background check. The USPS digitally captures an individual’s fingerprints and securely transmits them to the FBI. This process has reduced the time for background checks from 12 weeks to 48 hours. The USPS is looking to expand this program within the FBI and potentially to other federal partners. While the program is used for background checks, it could be become a critical component in issuing digital identities and increasing financial inclusion.
I noted that a secure, trusted digital identity infrastructure can have massive and long-lasting benefits across the economy. It would improve access to digital services, both public and private.
People often think of roads and bridges when it comes to infrastructure. In 2021, infrastructure must also include making digital identity and broadband access available to all Americans. We should be cognizant of the miscues made during the creation of roads in the early 20th century. Many were developed by private companies, forcing motorists to pay tolls to access them. Not everyone could afford to drive on the new roads. That changed during the Eisenhower Administration with the construction of the nation’s interstate system and the advent of freeways, enabling anyone with a car to use them. The same holds true today. The digital economy must come with social equity. Barriers, such as affordability or user experience, should be removed to enable inclusion by as many people as possible.
Moving Forward with a Digital Identity Infrastructure
While significant challenges still need to be solved, some of the foundations have been laid already:
- The National Institute of Standards and Technology (NIST) is updating its Digital Identity Guidance (SP 800-63-3), which will benefit not only federal agencies, but also the private sector.
- The Office of Management and Budget issued memorandum 19-17, which updated and modernized the Federal Identity Credential and Access Management (FICAM) policy. The policy not only addresses federal employees, but also focuses on “improving digital Interactions with the American Public.”
- GSA’s login.gov provides secure and streamlined citizen login to government websites. However, limited adoption by agencies is symptomatic of some of the challenges and demonstrates the need for a leadership approach, ideally at the Executive Office of the President level.
- The National Strategy for Trusted Identities in Cyberspace (NSTIC) was implemented “to improve the privacy, security and convenience of sensitive online transactions through collaborative efforts with the private sector, advocacy groups, government agencies, and other organizations.”1
Most recently, President Biden’s American Rescue Plan included funding for cybersecurity via the Technology Modernization Fund and the GSA’s Technology Transformation Services (TTS). The latter is currently piloting identity attribute schemes with the USPS and the Department of State to verify, with consumer consent, current mailing address and passport data similar to the Social Security Administration’s electronic Consent Based Social Security Number Verification (eCBSV) Service.
At the time of writing, the $1.9 trillion American Rescue Plan was passed by the House of Representatives. However, funding the $10 billion request for “secure IT infrastructure” for the Cybersecurity and Security Agency (CISA), which included GSA’s Technology Transformation Services (TTS), was removed from the House bill during negotiations. Senate Democrats are currently working on the substitute amendment to the House bill that would restore a portion of the funding removed by the House.
The actions taken by the Senate Democrats may have been influenced by a multi-industry association letter to leaders in the House and Senate. In it, they urged that these initiatives be properly funded, specifically stating the need for “direct investment in cybersecurity shared services that government agencies and/or critical infrastructure owners and operators can leverage to bolster their defenses, such as for more robust digital identity infrastructure.” It is imperative to restore funding for the American Rescue Plan as it can address low-hanging fruit that could really start to move things forward.
A digital identity infrastructure will not be trusted without privacy and data protection legislation, as has already happened in other parts of the world. Giving people control over their information is key. Europe has been a leader in this space with the General Data Protection Regulation (GDPR) and the Electronic IDentification, Authentication and Trust Services (eIDAS) regulation moving forward, while Canada is currently alpha testing its Pan-Canadian Trust Framework with a scheduled launch in 2022.
Closing Thoughts on Digital Identity
Substantive success in digital identity services requires a concerted and sustained effort at the national level. However, any such effort will have limited success without clarity on privacy and citizens’ ability to control the use of their own data at the attribute level. With the Biden Administration’s focus on cybersecurity and identity being at the core, combined with the support of Congress and standards, we could finally be on the cusp of comprehensive digital identity infrastructure in the U.S.
Through our active participation in the Better Identity Coalition, the FIDO Alliance, the Digital Identity and Authentication Council of Canada (DIACC), teckUK, the Decentralized Identity Foundation, and the Electronic Signature and Records Association, OneSpan is at the forefront in the advancement and protection of digital identity ecosystems around the globe.