New US Digital Identity Legislation Promises More Secure Verification
The COVID-19 pandemic has forced us to socially distance and do whatever we can digitally and remotely. For IT professionals, the pandemic likely brought a lot of unplanned headaches and long hours to ensure their organizations could remain securely operational while supporting a nearly 100% remote workforce.
The pandemic has also revealed holes pertaining to digital identity, data protection and cybersecurity that expose individuals, businesses and government agencies to online fraud. Though numerous new technologies and commercial solutions are available, their value is limited to a single organization or within a trust framework, and there is a lack of interoperability for the benefit of users and organizations alike.
Recently, large-scale data breaches have resulted in terabytes of consumers’ personally identifiable information (PII) made available for sale on the dark web. The widespread availability of personal information has brought knowledge-based verification (KBV) solutions, once reliable methods to verify identities online, closer to obsolescence. Without the ability to trust personal data in a KBV solution, organizations will need a new method of verifying digital identities that still creates a positive user experience.
Unemployment Agencies Targeted During COVID-19
With millions of Americans applying for unemployment benefits, fraudsters have pounced on state government agencies responsible for unemployment assistance. A May 14, 2020, memo by the US Secret Service reports that Washington, North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming and Florida were victimized by a Nigeria-based fraud ring. The Secret Service states, “It is assumed the fraud ring behind this possess a substantial PII database to submit the volume of applications observed thus far.”
Canada is addressing this cybersecurity problem. Its Digital Identity and Authentication Council of Canada (DIACC) continues to develop its Pan-Canadian Trust Framework (PCTF). As the DIACC notes, “the PCTF supports the establishment of an innovative, secure, and privacy respecting Canadian digital identity ecosystem.”
Conversely, the United States lacks a comprehensive digital ID strategy. The Obama Administration developed one with the National Strategy for Trusted Identities in Cyberspace (NSTIC), but it never gained national adoption from service providers.
Improving Digital Identity Act of 2020: A Government-wide Approach
That may be changing as Congressman Bill Foster (D-IL) has recently introduced the bipartisan Improving Digital Identity Act of 2020. If enacted, the bill would “establish a government-wide approach to improving digital identity.”
The bill leverages The Better Identity Coalition’s 2018 report, Better Identity in America: A Blueprint for Policymakers, which among other things, recommends that government agencies are best-positioned both at the state level via the Departments of Motor Vehicles and the federal level through the Social Security Administration (SSA) to offer new identity services to consumers.
The SSA is already progressing in this area and will soon launch its electronic Consent Based Social Security Number Verification (eCBSV) service. As noted on its website, “eCBSV will allow permitted entities to verify if an individual’s SSN, name, and date of birth combination matches Social Security records. Social Security needs the number holder’s written consent with a wet or electronic signature in order to disclose the SSN verification.”
The Improving Digital Identity Act would create an Improving Digital Identity Task Force within the executive office of the president. Its mission is to establish a government-wide effort to develop secure methods for federal, state and local government agencies to validate identity attributes and support interoperable digital identity verification in both the public and private sectors. The task force would be comprised of cabinet secretaries, heads of other federal agencies, state and local government officials, congressional committee designated members, and a position appointed by the president.
Additionally, the National Institute of Standards and Technology (NIST) would develop a standards framework for digital identity verification to guide federal, state and local governments in selecting their digital identity solutions. NIST would have one year to publish a final version of the framework.
The legislation requires the task force to publish a report with recommendations on research and development in systems that enable digital identity verification. Upon its completion and with consent of the individual, the framework will enable government agencies to securely vouch for its citizens in real-time when online.
For example, it is customary for an individual applying to open a bank account online or from their mobile device to provide a scan of a government-issued ID, typically a driver’s license, and a selfie-photo to assert their identity. Behind the scenes, the image of the driver’s license is verified to ensure that microprinting, holograms and other physical security features are consistent. Using biometrics such as facial recognition technology, the selfie photo is compared to the photo on the ID card to ensure they match.
Process Improvements to Verify Digital Identities and Identity Systems
The current process is good, but it can be made better with a government service. Financial services organizations will gain a public service allowing them, with the customer’s consent, to ping a state DMV database or the SSA’s database. They’ll then receive a clear answer whether the identity data presented is contained in their respective database. This improvement to the identity management process will provide an additional layer of security in real-time to confirm that the person is who they claim to be.
The Improving Digital Identity Act is an exciting piece of legislation. If signed into law, it will significantly improve our digital lives and benefit consumers and relying parties alike in the years to come with support for secure digital identity verification.
Disclosure: The author represents his employer, OneSpan, Inc., in The Better Identity Coalition and the Digital Identity and Authentication Council of Canada (DIACC).
This article, authored by Michael Magrath, Director, Global Regulations & Standards, first appeared September 17, 2020 on CSO Online. Reprinted with permission. © IDG Communications, Inc., 2020. All rights reserved.