Transforming Digital Government Services for Secure and Equitable Access


Video Transcript
Abby:
Hello, and thank you for joining us. On behalf of 1Kosmos and Carahsoft, I would like to welcome you to today's webinar, Transforming Digital Government Services for Secure and Equitable Access. Before we introduce today's speakers, I would like to let you know a little bit about Carahsoft. Carahsoft is the Trusted Government IT Solutions Provider and a top GSA Schedule holder, supporting an ecosystem of manufacturers, resellers, integrators, and consulting partners committed to serving the public sector.

The dedicated Cybersecurity and Defense team at Carahsoft specializes in providing federal, state, local and education customers with a variety of cybersecurity solutions to secure their cyber ecosystem. Our comprehensive cybersecurity portfolio of products and services can support your organization's needs in the below categories. Our contact information will be at the end of the presentation, so please don't hesitate to contact us for any of your needs.

At this time, I would like to introduce our speakers for today, Christine Owen, field CTO with 1Kosmos, Adam McBride, program manager with HHS, and Dr. Ken Myers, director with Government-wide Digital Identity Policy Division, senior advisor at NIST 800-63 Technical Policy. And with that, Christine, I'm going to stop sharing and let you take over.

Christine Owen:
All right. What are we talking about today? We are going to talk about Transforming Digital Government Services for Secure and Equitable Access. I'm really excited about this, but what does this mean? What does this mean to everybody? It's a great question. I don't know. I'm trying to click through. Hold on one second. There we go. All right. Today, we have Adam McBride from HHS and Dr. Kenneth Myers, who is Ken to me, from GSA. I'm really excited and thank you so much to both of you for being here today. These two gentlemen are so awesome in our field and they're working really hard to get some really, really sticky questions answered for identity.

They're working to make sure that citizens have better access to digital services within the government, and they're doing the impossible. They're working together, which is even better. It's something that we like to see within the government. For you guys to start to give a little brief introduction, I want to ask you both a question, which is similar to the poll question that everyone got today. What is it that you're hoping to get out of the webinar today? Adam, we'll start with you since your name starts with A.

Adam McBride:
A is for awesome, right? Hello, everyone. I'm with the HHS, Health and Human Services, Program Support Center. We're a shared service and we provide a lot of the external user management and internal user management for identity. I'm excited to be here. The thing I'm looking forward to getting out of this webinar today is mostly more friends. I need more friends and knowledge. Anytime I can be on the same platform with Dr. Ken Myers, it's a good day.

Christine Owen:
Ken, what are you hoping to get?

Adam McBride:
I'm leaning into that.

Christine Owen:
[inaudible 00:03:26], by the way. I'll always go out drinking with you. I promise.

Kenneth Myers:
Appreciate that. It was great seeing you all at FICAM Day, but similar to what Christine said in my intro, I'm the director for Identity Assurance and Trusted Access at GSA. I know that sounds pretty fancy, but we coordinate four main digital identity initiatives across federal government. If you've heard of FICAM, Federal Identity, Credential, and Access Management, that's a big one. We have our enterprise architecture, the FICAM architecture. Along with that, I'm a co-chair of the ICAM Subcommittee of the Federal CISO Council. All that means is I have a lot of work friends around the government that I can share ideas with.

We also maintain the digital certificate policy for the Federal PKI. Anyone who has a PIV card, Personal Identity Verification card, has digital certificates on it. That's the policy there. We also do some testing. Similar to Christine, I'm also a Virginia native, and I have a passion for digital identity. I feel like I talk about it all the time, to the point that people get annoyed by it maybe.

I call myself a self-identified identity nerd. I did, I finished the Doctor of Science in Cybersecurity from Marymount University. So, I have the honor to call myself a doctor identity nerd. One of the things I'm looking forward-

Christine Owen:
That's a really good handle that you need to take on.

Kenneth Myers:
Right. For the webinar today, just looking forward to talking more about Credential Service Providers, what part they play, and what we're doing around it to help improve it.

Christine Owen:
Yeah, and I have a really quick question for you, Ken. Do you happen to, like... I have this weird ability where I keep running into people in the industry who went to my high school and who I graduated with. Do you have that as well, or is it just that Annandale is the place to be for identity?

Kenneth Myers:
Yeah. Just growing up in Annandale, going to Falls Church, I'd say it's rare. It's rare, but not possible. I would say I run into excellent people like yourself all the time.

Christine Owen:
Awesome. All right. Let's start. I always like to start presentations by saying what it is that we're trying to solve. And what we're trying to solve is the silos that have been built throughout the years within the government, government-wide, and also within agencies, agency-wide, for identity, authentication, and also fraud services. What we're going to talk about today is how we can start consolidating these three things. How can we start streamlining how citizens interact digitally with the government, and how can we create less friction while making sure that it's strong and keeps the bad actors out? This is the way that I view the world. I'll start with Ken this time.

What is it that you think we need to solve when it comes to citizens' interactions with the federal government? Is there more to it than just these three pillars? Is it cooperation across the government, or do we need more regulation? What additional things do you think we're trying to solve here?

Kenneth Myers:
Yeah. The first would probably be just distinguishing between the unique differences. I think you've done a fantastic job covering it here. There are distinct differences between citizen identity, I think a more inclusive approach is to call it public identity because it's not only US citizens that are trying to access a service. It could be non-citizens. It could be really anyone that has a need to access a federal government website. One would be focused more on the use cases. It could be people within or outside the United States. It could be non-US citizens, the same technology location requirements.

The one main difference that I like to explain around public identity is that it's all focused on experience, right? Yes, yes, digital identity has security components to it, but it's all about delivering that exceptional experience, like a recent executive order focused on digital experience that very lightly touched on digital identity. But I think you captured it great here. What do you think, Adam?

Adam McBride:
Well, for me, I think one of the biggest things that we need to try to solve is to let the public know that that private identity is their private identity. The problem I see now is with government entities, I mean, if folks are using these Credential Service Providers, especially if it starts to become a norm in the public sector or private sector, they're going to start using the Credential Service Providers that they're used to. One of the big things with the government right now is there really isn't that much out there within the government.

The technology and the vendors are out there, but the choice is not there within the government. I think bringing in more of a choice with Credential Service Providers, providing that option for the private citizens, whether they're US citizens or international, I think that's going to be a huge... I can't even explain how big it's going to be. I'm just lost for words.

There's so many things going through my mind right now, especially with federated identity, but I think it's going to be a great thing if the government can cross that bridge and provide a lot of options for end users.

Christine Owen:
Yeah, I think you're right there, Adam. I think that the concept of choice for citizens, and I am definitely using the term citizens broadly. I think everyone is a citizen of the world, not just of the US, but I think that that is a really important piece and something that we're going to talk about a little more later today. I'm glad you brought that up. Ken, Mike Engle has a question for you, and since we're on this slide, he said the term public identity is a little confusing to him. Is it your private identity for government? Is that what you mean when you say public identity?

Kenneth Myers:
No, not the private identity for government. If you think about it from the context of a federal government agency delivering their mission, the VA could be delivering benefits to veterans. Social Security could be delivering benefits to Social Security. Public identity is just being that they're delivering it to the public. I think the comparable term in the private sector would be consumer identity management, because they're selling a product. There's consumers, but public just has a more holistic to, like citizen identity to citizen like Christine, what you were saying. Are we talking about US citizens?

Are we talking about world citizens? Are we talking about citizens of a specific country? That's just what I mean by public identity.

Christine Owen:
Yeah, I think that's a good point. And also you can talk about the different use cases that there are because there's also business-to-government interaction where a person who is a citizen somewhere, they have to prove that they're an actual human, but then they also need to prove some association with that business to be able to do the business with the government. Yeah, Adam, you've got something.

Adam McBride:
Going off of what you just said, that's a huge problem right now for the government. You have the individual users that are using certain Credential Service Providers that have their own personal identity, and now they're working with an organization that is required for IAL2 purposes to log into the organizational use case. I don't want to get too deep there. The individual's going to have to at first identify themselves and then verify that they are associated with that organization, whatever workflow they have to actually do that.

Most of the time, it's emailing the work email address or the organization getting approved by a supervisor, what have you. But they need to link that organizational, I guess, profile to their personal identity. A lot of folks are having an issue with that because they don't want to associate private with business. One of the big things I think the public needs to know is that if you're going through that process, we need to know who you are.

If you're working on behalf of an organization, that's just part of the process to make sure that no fraud is taking place. So, great point. I just wanted to caveat off of what you said, so thank you.

Christine Owen:
Yeah, no, thanks. What's really weird, because I am just as big of a nerd as Ken is when it comes to identity, I actually had a whole conversation about how to solve that yesterday. If someone's interested in deepening that conversation, feel free to reach out to me because I could talk forever about identity. I'm going to breeze through a couple slides so we can get back to the time that we're working on. Now we know we're all on the same page, Credential Service Providers are what solves the problem that we have today. How does it solve it?

Well, it gives us a pretty good level of assurance that we're pretty sure that that person is who they say they are and they have a strong credential. And we try to reduce as much as possible the friction that that user has interacting with the federal government or with the public service that they're interacting with. How do we do that?

Well, the onboarding, there's always going to be a little bit of friction. But then, after that onboarding, a strong credential or an easy-to-use and more robust account recovery process are ways that we can try to reduce the friction and also keep security in mind. How does the CSP work? What does a citizen, what does an end user do? The first thing they do is they get identity proofed. We take a camera and we take a selfie, but we also have to prove liveness.

Why? Well, there's these really bad things out there called bad actors, and they like to use things like Deepfakes to try to trick the camera and make the algorithm think that the person in front of the camera or the image in front of the camera is a live person and that they match whatever the real identity document is that they're putting forth. So, liveness in selfie capture is really important when we're doing remote identity proofing that is unattended. So, this is really what we're talking about.

If a citizen says, "Oh, I want to sign up for Social Security today," and they go through the process, this is the process they'll do. That biometric matching is really important. It's something that we learned over 10 years ago how important it was in the proofing process. And that's how NIST 800-63-2 became NIST 800-63-3. And then, after that we have the... and actually Ken and I worked on that together. I saw him nodding.

I was like, "I remember those days." So then, we have a government ID that we've matched my beautiful face to, and what do we do? Well, we check overt security on that ID, and then we also validate and verify that the user data on that ID is actually in the sources of truth that we use. Sometimes they're public databases, sometimes they're a database like AAMVA to check the driver's license. It just depends on the use cases, the types of population that is going to go through the identity process.

There's a lot of levers that we get to pull in this, and there's a lot of information out there. The fun thing is working with customers to see what is the best solution for them for that identity-proofing journey for their clients. That's what we do. Now, the second piece on here, not just the Deepfakes problem, which is becoming a real problem, and it's something that if you follow me ever, you're probably going to start hearing me talk about a lot this year.

But the second one is also fake identity documents. There was this website with perhaps the best name ever. It's called OnlyFakes, and they created in 15 minutes fake identity documents. The problem is the reason why all these bad actors kept getting through this application was because the application never actually took the identity document and verified the data on there. That verifying of the data is also another very essential step to make sure that we are pretty sure that you are who you say you are when you come and interact with the government.

After that, we have an identity. What does an identity need to be able to get into applications? They need a credential, so we assign them a credential. The credential is dependent on what the application owner needs and wants. And that's something that we're actually going to talk about a little bit later today. Now this is the nerdiest slide you are going to get to today, and it is one of my favorites because we are really going to nerd out. It is the Identity Assurance Levels and NIST 800-63-3.

Now for those of you who are following at home, NIST is working on a Rev. 4. It is still in draft form. A second draft will be coming out soon. The big difference between Rev. 3 and Rev. 4 is the concept of IAL1 and IAL0. IAL0 will become no identity evidence collected. And then, IAL1 will have a small amount of identity evidence collected, but everything else is basically the same. I keep this in here because for those of you who need something like this, I want you to be able to go to this webinar and say, "Okay, here it is in a nutshell."

But my question, and I'm going to start with Dr. Ken Myers because this is truly the nerdiest question I have, is: what are you most looking forward to in Rev. 4 for 63A?

Kenneth Myers:
Yeah, I would say for GSA OGP, our equities lie in the digital identity risk assessment. We have a digital identity risk assessment playbook. I'm working on a slightly updated version until Rev. 4 comes out. I think one of the major differences in digital identity risk management between dash three and dash four is if it's still consistent, like the distinct risk of a public user versus organizational users. And I think it's a separate risk assessment that you would look at the general user, like the external or public user coming in, what's their risk tolerance or risk acceptance if their account is compromised versus the same type of assessment done from an employee perspective?

Christine Owen:
I like that. I think that the risk assessment piece is going to change slightly. It's something that I remember we've talked about in some open forums with NIST, but we will see what ends up. I'm actually really excited to see what happens with the next version of Rev. 4. Adam, what are you most looking forward to?

Adam McBride:
The biggest thing I'm looking forward to is the new IAL structure. Right now, there's a lot of applications like IAL1, just the MFA. But they need a little bit stronger verification process. So, I think the identity verification under IAL1 and then the actual IAL2 being a full-blown identity proofing is going to be a perfect fit. I think it's something that's needed. I think there is a lot of overkill when it comes to the IAL2 process. Right now it's either you're IAL2 or you're not. There's no distinction. And so, a lot of folks think that they have an IAL1.5, but there is no IAL1.5. It's IAL1 or IAL2. It's one or the other.

Unfortunately, these regulations out there, we've got to abide by them, and the 0.5 stuff is not in play. So, I'm really excited about that alone with the new Rev.

Christine Owen:
I want to add two points to this. First off, I think ever since 63 has come out, people have always had a tendency to put 0.5 because I remember with LOAs, we used to have LOA 3.5, between three and four, and it was dependent on how the identity proofing occurred usually or the strength of the credential because dash two combined the identity and the authenticator assurance level. The second thing I think is really important to think about is that I totally agree with you, Adam.

There was a shirt that I wore on Monday at GSA ICAM Day, which was things that aren't easy. And one of them was IAL2 because IAL2 is not always super easy to get to. There are some real-world concerns on how to get there. And one of the reasons is because, my theory is, and I would love to hear from NIST on this, but my theory is that IAL2 is really targeted towards US people.

So, people who live in the US and US citizens, but they're not great for, for example, foreign-born citizens always, unless they're absolutely in the US, or foreign affiliates who are outside the US. In thinking through the process of how do you validate these things, especially when it comes to the privacy of data sharing and how to get into some of the data information that's outside of the US, sometimes as a US entity, you can't get into it just because of privacy concerns.

So, it's interesting because I think that there are going to be use cases for IAL2 where you have done a pretty good effort of proofing a person, but you can't verify all of the information that you're giving them because you can't get into those databases for whatever reason. And in those cases, they still would have a pretty strong identity attached to them, and they still need to do business with the government. I think that's a really good way to be able to differentiate.

And if you pass that attribute as that person is authenticating into the application, then you as an application owner can decide, "Well, IAL1, I'll let them have this type of information, but IAL2, they can add this type of information that they get a hold of." I really like that. Yeah, go on, Adam. You brought up something I didn't even think about. I love it.

Adam McBride:
Sorry. One of the things about IAL2 that is a myth, at least for me anyway, is that IAL2 is IAL2 depending on some of the attributes. For example, let's say an individual goes to a trusted referee, and through that trusted referee, they're able to get their IAL2 status. But in that IAL2 proofing, there's no Social Security number or a tax identification number. They go to try to get into the IRS and they need IAL2. That particular attribute of the Social Security or tax identification number isn't going through. So, they're going to get rejected.

There are some things that folks have got to understand: just because you're at IAL2, it's also based on the application integration and the needs for that particular application. I did want to put that out there. That's just one of those things that really irks me. Just because you're IAL2 doesn't really mean you're IAL2. For the majority of the items, you probably would be, but it's very dependent on application integration and the attribute that's needed to be the key factor.

Christine Owen:
Actually, you're answering the question I was going to ask you guys a little bit.

Adam McBride:
Sorry.

Christine Owen:
No, but I love it. I love it. But I do think no, because I'm like, "Does this match?" It does almost. But I think one of the other pieces to this, and I totally agree with you, Adam, is the concept. This is the way I think of it. You come in at IAL2, let's say. You got verified at IAL2. But you're going to another agency and just like you said, if you go to tax, well, you're going to have to have a Social Security number and a tax ID number to be able to interact with the IRS. It is a must-do because that's how they identify you, and that's how they figure out what it is that you owe them or they owe you depending on the year.

What we can do is we can create that baseline. And then, if IRS comes back to the CSP and says, "Hey, I actually need their Social Security number," then we can do a step-up validation, where we go back to the user and say, "Hey, can we validate your Social Security number and then pass this over to IRS?" Those are things that are pretty cool. It's something that is available in technology today. I think you're completely right. This gets to another question, but it reduces the onboarding friction, which is what's really important.

You don't want to ask for every single thing that that citizen knows to be able to get them into whatever system it is. It should be whatever is needed at the time. Instead of my question, and by the way, I call this my triangle of trust. The whole concept of IAL2 is there's a data triangulation that's occurring in the backend to basically make a risk-based assessment on whether or not that person does hit that IAL2 level.

We can't prove enough of the elements that we need of their identity to say they are likely who they say they are. That either happens through the algorithms or it would happen with a trusted referee, which is a human who is reviewing all of the data and is well-versed in the types of data that is being reviewed and then can make a risk-based decision.

But Pim Gury is asking, he says... or they say, sorry, "I have heard experts of current IAL2 requirements describe it as incomprehensible and I feel the same. Do we expect the next version to be easier to understand?" And I'll start with Ken on that one.

Kenneth Myers:
Yeah. No, I agree. I agree with that. Sometimes you just have to think through what the NIST authors are thinking in this requirement. Well, say it's ambiguously specific for a reason. And I wanted to touch on one of the things that you were talking about earlier, Christine. 800-63-3 is about digital identity risk management. It's about identifying risk and mitigating it. And so, if you read through all four volumes, you can definitely see how they go in-depth on what is the conventional process for doing something, what's the conventional proofing process, what are the recognized authenticators, what's to recognize, what should be in a federation agreement?

How should an assertion protocol be set up? I'll say one area, it's not very specific, and probably for a reason, is meeting that same level but not following the conventional process. Like in 63-3, it's called Trusted Referee, still called Trusted Referee in 63-4. In dash four, they've added in an applicant reference. And rough numbers, I've seen about 20%. If we look at just within the United States, 20% of the population can't meet the conventional proofing process.

And there's about 10 use cases around it, whether that's don't have the technology, don't have the location, don't have the proper identification either at all or just at that moment. Like if you think of disaster recovery operations maybe that FEMA is doing, maybe someone's house burned down, all their documents went up in it. And so, what is the risk-based decision? What's the risk-based deviation to helping someone in that situation?

I don't think it's clearly spelled out in 63 also, is about what are those fraud and risk indicators that make up for when someone can't complete that conventional process? I think you've done a great job capturing it in this pyramid, Christine.

Christine Owen:
Yeah, thanks. I agree with you. This is going to get a couple slides. That's the whole idea of we have to create a risk-based decision, and we have to figure out what the framework is for that risk-based decision. For example, when we talk with customers, we ask them, what are you trying to achieve? Here are all the different ways that you can do these workflows. How do you want to do them? And as some people from 1Kosmos call it, it's pulling different levers. Like you said, Ken, 80% of the population can come in the conventional route. They have a driver's license. It's a real ID. They can do the biometric check. They have the selfie they can get through.

It's perfect. It's perfect. But then, that 20%, how do we deal with that? One of the ways that we deal with that is we do go to non-conventional data sources, which is really important to be able to capture more information about that user and make sure that we can verify their information and other data sources. And then, other methods would be the agent, and actually it might go to they have to be there live and they have to talk to someone. For example, when you're doing Global Entry, you are required to go and get identity-proofed at a level three. Why? Well, it's because mostly you're going there and they're double-checking and they're checking anti-fraud.

They're asking random questions like, "What'd you have for breakfast today?" And they're asking it because that's not something that's actually in your identity background. You wouldn't know what Christine Owen had for breakfast today. I'm not going to tell you either because I don't want you to be able to answer that question, but you wouldn't know what I had for breakfast today. But if you hesitated and went, "Ugh," and looked like you were trying to game it out, then you're probably trying to defraud the government in some way. That's why there are all these different methods to get to identity proofing.

All right. Someone else has asked a really good question. What is the difference between an agent helping with the IAL2 process and an alternate process where you may take a lease, high school transcript, et cetera? Oh, this is a good one. We might need a NIST expert for this one. They have different terms. What are these alternatives that might be accepted for applications in HHS and Treasury, for example? Who wants to take a first stab at that one? Or do you want me to?

Kenneth Myers:
I was going to say it says HHS, so it could be Adam.

Adam McBride:
Here's my take on this. I see where they're going with this question. I think it's based off of what I just rambled through a few minutes ago. Going back to applications, it depends on what application is in the need for those particular attributes and the service for a Credential Service Provider. For instance, HHS tries not to use any Social Security numbers in any of the attributes that are getting passed through to us. However, an agency is required if it's needed to do the risk-based decision memo and then have the authorizing official sign off on it saying yes, they can do that.

At that time and only at that time will my process for XMS allow that attribute to pass through to the agency. For me to answer that, it's really agency and application-specific, right? I can't say it's not an alternate that would be used for HHS or Treasury across the board. It's very application-specific. I don't want to give the agencies that are using these type of things right now, but we do have that in play right now, but that's my take on it. Ken, Christine, I don't know if-

Christine Owen:
Yeah. Actually, I moved back a slide. I don't know if you guys could see this, because IAL2 requires, generally speaking, at least one strong piece of evidence, and that's usually a driver's license or some government ID. And if that strong piece of evidence is not, for example, a real ID, then you can either have it layered in, you can add another strong piece of evidence, or you can use two pieces of fair evidence. A lease and a high school transcript would be pieces of fair evidence. Now, validating a lease, which basically would be validating what the address in that lease document says, would be slightly easier.

Actually, it'd be about the same as validating a high school transcript, but the problem with that is when you take a risk-based approach, if you go into the dark web, you can know where I live and if I have a lease or not probably. Actually, you could probably get that on the open web too. And you also definitely know where I went to high school because I talk about it all the time.

You can probably pretty easily find out when I graduated and then make up how well I did in school. Hopefully you say I did well, I don't know. I did do pretty well, so hopefully you say it. Yeah, Adam.

Adam McBride:
I did forget to mention one thing. In that question where they're saying agent helping, the big thing or I guess a big takeaway for that is that the agent that's helping has to be at the level that the user is trying to achieve. They do have to be at IAL2 as well because they do have to prove themselves out, the helping agent, I guess, from what the question is.

Christine Owen:
Exactly. There are basically three levels that are going to be discussed when it comes to 63-4. I didn't know this was going to turn into a webinar, and yeah, here we are. The lowest level of help I would say would be the applicant reference. And so, that's someone who, maybe you lived in a house with five other people and you weren't on the lease and you weren't on any of the utilities. And so, one of the people there vouches that you actually lived there. That's what that applicant reference is. The next level up would be a help desk agent.

And so, that's someone who comes online and helps guide you through the process to get you to IAL2. That person may or may not be able to take a risk-based approach and help decide whether or not you should get into, you do meet the IAL2 levels. On that end, it's still a little squishy. That's something that we need to have a little more guidance from NIST on or it's something that the application owners need to decide what they do with that help desk agent piece.

And then, the last one is trusted referee and quite frankly, trusted referee comes in after the fact, reviews all of it, doesn't always interact with the applicant and makes that risk-based determination that the algorithms didn't work out for whatever reason. Ken, do you have anything else as we move on to our next slide?

Kenneth Myers:
Yeah. I asked a similar question when NIST had an 800-63 Day, like if I help my in-laws because maybe they're not as handy with a smartphone, am I considered an agent? And that was no. Back to the previous question about if they're going to make 800-63 more plain language, and I'll just say from my perspective of reading it, it's almost an academic exercise in a way. I want to say from my perspective, they leave it a little ambiguous, a little open to allow for innovation. If it were more prescriptive, more plain language, you might infer informational requirements like the implementation resources as more normative requirements.

Meaning if you look at the implementation resources and it gives examples of a REAL ID is considered superior, where if you look at the normative requirements within 800-63A, it's just ambiguous criteria. It forces you to think, is this piece of identification or maybe even is this attribute? Could it be at a strength? Is there a way I can get it to fit into a strength thinking outside the box?

Christine Owen:
Yeah. You have a fan right now who 100% agrees with you, Mike Engle, and he says the extra NIST guidance that came out in 2019 that basically put in the biometric comparison need for remote unsupervised proofing was very helpful because it had a ton of examples and directly addressed the REAL ID, which is in that document called Strong Plus, which going back to Adam's point, we can't have 0.5s. It really should just be one category or the other. Let's move on to privacy, which is something that I got to see the poll question, the answers to the poll questions, and privacy was really the number one concern that as citizens when you are getting identity-proofed that you care about most deeply.

I totally agree. If you've been following me for a while, hopefully you haven't, but if you have, you know that I tend to speak with privacy experts a lot if I'm on stage somewhere because I think that privacy needs to really be added into cybersecurity by design. Privacy by Design is something that we live at. We live Privacy by Design with 1Kosmos.

But my question is from something that Adam brought up when we were getting ready for the webinar, and he brought up a really good point. And it's a fun point to talk about, which is when it comes to PII, citizens are more readily, they give their information, their faces, like everything to big data and big tech over the government.

First off, why do you think that is? And I'm going to start with Adam, because this really was your question. And then, how do you think that we as a community can help change that?

Adam McBride:
Man, I know I was rambling on that day. I don't even remember everything I said. It happens a lot. I think everybody in the tent knows me and they know me very well. But if you think about it, I mean, it is true. I'm not the only one that says it, but everybody says it that they don't have a problem releasing everything to TikTok. But when it comes to the government, they don't want to be tracked. I think there needs to be a better job marketing, especially letting them know, like big government, we already have your data. We're just protecting it to make sure that you're the only one getting it.

But for me, a lot of the Credential Service Providers, the only time an individual is identity-proofed is for some government service or something of that nature. Myself, as a private citizen, I can't go identity-proof myself. I can't pay for an identity-proofing. Why not? To me, that would give me more... personally, I have more control if I did it compared to letting the government pay for it. That's just me. I think it's a mindset with the public.

I think if we can change that mindset a little bit and let them know that it's their PII, their data, and they can use it how they see fit, I think it'd be an easier implementation across the government. And that's another reason why the government needs options. Because if you let the citizen use whichever one they want, why would they need to change from, like 1Kosmos to an ID.me just because that agency wants it? Why can't I just use the one I have?

So, having that option throughout the government is why it's needed. That's all I got to say and I'm sticking to it.

Christine Owen:
No, it's true. Go on, Ken.

Kenneth Myers:
I was going to say, Christine, what's your legal opinion on this one?

Christine Owen:
I think privacy is really important. Obviously, the fact that I work for a company whose tagline is Privacy by Design shows that I really do believe that there is privacy here, but I also believe privacy for citizens is really important. I find it so amazing that my friends who are not in the cybersecurity world, and also that they let their children, give away so much information like biometrics, which is face and other attributes, to tech companies. And there's a lot of them out there, and some of them are a little more nefarious than others, not because they sell your data, but because of where that data actually is going.

For example, I remember years ago, there was... I feel like it was... I don't know. Years ago, one of the big tech companies had a thing where there was an add-on that could show you what you would look like when you were older. It was a little filter on your face. It used a little bit of an AI. What was that doing? Well, it was training its product, right? It was training the AI on the product. It was doing facial recognition on the back end, and it was collecting your biometrics. People just let that happen, and it was free. And I guess it was fun. I don't know.

I don't want to know what I look like when I'm older, but I think that that's something that people are not well-educated on. When it comes to the government though, for whatever reason, they don't trust the government with their data, which is ironic considering the majority of their data actually comes from the government itself. Where is your Social Security number coming from? Where is your driver's license coming from? Where's your passport coming from?

Where is your birth certificate coming from? It's all coming from the government. The government actually gives the identity documents in many cases to the citizen. And then, we use other information such as telco, so your cell phone numbers, or credit history, which has certain pieces of identification such as where you've lived, what banks you've used, et cetera, et cetera. We add all of that together to try to get a holistic view, so we can say, "Oh, more likely than not, you are Christine."

The things that people do for a free fill in the blank on the internet, it shocks me. I actually don't even download a lot of applications. My friends get very mad at me because I don't download very many apps. They go, "Why don't you use this app?" I'm like, "Oh, what are they doing with my data? I don't want it." That's how I feel about it. All right. Now we're on to an exciting thing, and I am going to start with Ken on the next topic, which is Equity in Identity. I was going to ask a question, but I'm actually going to change this question slightly. I'm going to ask a different question that we were going to ask earlier. I'll present this a little bit.

What is equity in identity? Well, the first thing is the idea, like going back to biometrics, the idea of doing a one-to-one biometric matching technique when we are proofing a person, that's really important, versus a one-to-many. It means you take my picture and you match it to a massive database of pictures. That doesn't always work because the algorithms can't always differentiate. But if it's a one-to-one, the algorithm does much better. And the matching actually has a much higher rate of success.

The interesting thing, especially when we do one-to-many, this is something that I learned from one of my friends years ago and I've never forgotten this piece of information, is that the hardest people to properly match with a biometric, that population is actually older White men with beards. That's the hardest population. I guess because they all look like Santa Claus. So, if you put a picture of Santa Claus and everybody else with a beard, they all look like they're going to give us presents in December.

But I find that really interesting because that's a piece of equity that I think a lot of people don't think about when they're thinking about equity because the EO talks about underserved communities and making sure that those populations are able to get government services both in-person and digitally, but there are all different types of populations that can or cannot make it through certain things for whatever reason. So, that's why I think when it comes to equity, I think of everybody. I think we have to have that big tent so that everyone can get in.

How do we do that besides one-to-one matching? Another one is using non-traditional data sources to be able to see whether or not that person can get through identity vetting. Now, the interesting thing that's something that we've been talking about this whole time because we're talking about risk-based assessment of a person's identity, we also need to offer a ton of different ways to get a person through the identity vetting process from supervised remote to unsupervised remote, all the way to in-person if that person needs it for whatever reason.

And then, on top of that, there needs to be clear, transparent information on how and when the person's PII is used and also why it's being collected so that they can understand that they can actually trust the government for whatever reason, because they're trying to get their own data usually. And then, having a myriad of authenticator options, which we'll talk about in a second.

But my question to Ken and Adam, and I'll start with you, Ken, is how do you strike the balance between getting enough information so that you can say, "Ah, you are more likely than not Christine Owen," so that we can remove the bad actors from the front door of digital services, but also not taking so much information that the citizen loses trust in the government and doesn't want to hand over that information to get identity vetted?

Kenneth Myers:
Yeah, easy challenge, right?

Christine Owen:
Super easy. That's why you're here.

Kenneth Myers:
Super easy, right.

Christine Owen:
You've already solved it.

Kenneth Myers:
Yeah. Equity just means everyone has an equal and fair chance at accessing something. I think each one of your bullets here hit the mark. Some people can do a remote identity proofing using a conventional flow. Maybe you need to add in a supervised remote for those that maybe can't take a picture of their identity. And then, having an in-person too. In-person is probably usually the hardest one because you have to meet the people where they're at, right? I've heard lots of stories on the workforce side. "I had to drive five hours to a proofing center to get my PIV card."

And obviously from a public or citizen perspective, forcing someone to drive five hours just to access their Social Security account doesn't provide a great experience. Equity from that perspective is giving lots of options. You mentioned data collection, and honestly, I don't really have anything to say around there because within NIST 800-63, it outlines the different types. I would say where the innovation comes in is how you can corroborate that data together. How uniquely can you tie my information to me as a physical person? And obviously the conventional flow, it's like what you said.

You have my ID. You take a picture of it. You validate that the ID was issued by a source and the information matches, but then you also take a picture and you match it to my face. And so, you can link my physical person to my digital person with a reasonable certainty, reasonable certainty. From the fraud side, the FinCEN, the Department of Treasury's Financial Crimes Enforcement, released that analysis of identity-related fraud, which I think is great. Having numbers out there to tie something to is amazing.

What they say is something like 260 billion identity-related, so just activity with 81 billion attributed to false records and identity theft. So, false records, like what you said. Fake Social Security numbers, inconsistent identity information, fictitious documents or signatures, that type of thing. And then, identity theft would just be, I take your information and then no one knows I'm a dog on the internet. That's what Jeremy Grant always says. And so, no one knows that I'm not Christine Owen on the internet.

It's a continuous struggle in meeting both, delivering that experience, but also making sure it's safe and equitable.

Christine Owen:
Yeah, I agree. Adam, I'm going to give you a different question because we're starting to run out of time. Actually, I think this one is something that I know that you've had to deal with recently. The road to secure passwordless is a long and winding road. I got to tell you, we just created this slide this week. It's really one of my favorite slides that we have right now, and it talks about all the different authentication methods that there are. Going back to the whole idea of equity, we have to allow for different form factors. Some people need to have that password plus OTP to be able to get in because for whatever reason, they can't obtain a passkey or they don't have cameras or a good camera, so they can't use a biometric to authenticate in.

How do we balance the citizen's usage of weaker credentials like that password and OTP with the cybersecurity needs of the application owner, who really would probably prefer the stronger credential, but they have to be able to allow for all people to get access to the data?

Adam McBride:
That's my question?

Christine Owen:
Yes.

Adam McBride:
Holy cow.

Christine Owen:
I know it's a hard one, isn't it?

Adam McBride:
Maybe everyone here knows that with HHS, I have the external user management system, which is a federated identity broker, and we bring in multiple Credential Service Providers and try to provide the most secure means for external users to come into HHS applications. With that said, along with Credential Service Providers, I believe they are all working on this. Some of them already have it, the FIDO capability, phishing-resistant items that are out there.

We all are, we meaning HHS XMS team, we're working to bring in a mobile driver's license and hopefully allow that to be used as... it won't be quite IAL2, but at least IAL1. I think that's still to be determined, but along with the user's passkey on their phone for the authentication piece, we're trying to make it a little more user-friendly for the citizens to be able to access federal government applications securely.

I'm not going to say it bypasses Credential Service Providers, but that's just another means to allowing technology to be able to help facilitate this security gap that we have. I wouldn't really say a gap, but just the security need we have for allowing individuals to have permitted access into applications.

Christine Owen:
I don't think it bypasses CSPs either. I think what it does is it enhances CSPs because if we were using a digital, an mDL, a mobile driver's license, to be able to get to IAL2, in some ways it is pretty secure because on the back end is PKI and there's a decent authentication or verification method that we would be able to bake into the system. I think that's great. And quite frankly, dash four, Rev. 4 is going to have the whole concept of mobile driver's license to be used for identity vetting. So, even better.

All right, so I wanted to give both of you guys a little bit of time, maybe like 60 seconds on what you're working on. What are you doing? What are you or what is the government doing to take actions to be able to adopt CSPs or make it a little less frictional for citizens with digital services? Ken, I'll start with you.

Kenneth Myers:
Yeah, it's not something I'm working on directly, but the Federal Acquisition Service, which is a different part of GSA, they released a request for information to create a Credential Service Provider. SIN. Schedule Item Number, Subject Item Number... Special Item Number. There you go. Acronyms, acronyms. But that's definitely promising. I would say within OGP, we previously had a program called Trust Framework Solutions, which was tied to the National Strategy for Identities in Cyberspace. That's right, exactly.

And so, looking at, there's a lot of people. Monday at FICAM Day, they were asking, we should bring back FICAM. But just like history, it's good to understand your history but not relive it. So, understand what led to the sunset, but then at the same time, looking at what agencies need and the gaps that exist and how they could be filled.

Christine Owen:
Yeah. Adam, I know you're working with Ken on the SIN at GSA, right? What else are you working on?

Adam McBride:
Yeah. The SIN is going to be huge. We're hoping June timeframe that we can get it activated, because what that's going to do is going to create a level playing field for the Credential Service Providers and allow that capability to be given to federal, state, local governments on a more federal enterprise cost level, which will make it affordable. That's the biggest thing right now for federal agencies, is that when systems like what I have with the HHS XMS system, bringing in a Credential Service Provider is the cost. That is a huge driver.

If there's any way that we can help facilitate the drive to bring the cost down, I think it'll be a much easier implementation because right now we're pricing out agencies for being able to do the right thing, and it's causing a lot of problems. And we're having to jump through hoops to fix these problems. Cost is a big barrier for a lot of the government agencies. We don't budget for these things until it happens, unfortunately.

The other thing is federation. Myself and a lot of the other federal government, I guess, ICAM nerds in this space, we're all working together to create standards that the entire government can use, and we're looking to create a federated space. The XMS platform I have is federated right now for HHS. We're looking to expand that to all the government. We're working hard, so hopefully we can get there. I think it'd be a fantastic thing if we can achieve it.

Christine Owen:
I think it's also really good because it allows the citizens choice, more choice in the matter of who they want to trust for their CSP. I think I'm about to get the hook, so Abby, please give me one more second. The one thing that I'm really excited that is coming to fruition, and I see it coming. It's not today, it's not tomorrow. I swear I'm not. It's coming in four to five years, is the idea of digital wallets and having your identity within a digital wallet that you can then share to all the different federal agencies, other public sector agencies, but also to your bank or to your store or wherever else you would need to be able to prove your identity or your birthday or whatever.

So, we're trying as a company at 1Kosmos to be able to help citizens and end users have less friction when it comes to interactions digitally and also in person. So, thank you so much. Abby, I'll give it back to you.

Abby:
Yeah, absolutely. Thank you, guys, so much. I just want to thank everyone here for their participation and for joining us today. We hope that you found this webcast informative and helpful for you and your organization.

Christine Owen
Field CTO
1Kosmos
Dr. Kenneth Myers
Director & Senior Advisor
GSA
Adam McBride
Program Manager
HHS

Federal, state and local government agencies are struggling to deliver citizens and residents contactless access to digital services and to do so while balancing equitable access, convenience, privacy and security. Their counterparts in higher education deal with similar challenges serving students, alumni, donors, faculty and staff. At the same time, they need to accommodate the technologically disadvantaged and recognize thin-file applicants who have little or no financial history, let alone state-issued credentials.

Verified IAL2 onboarding is essential for good customer satisfaction, but rampant identity fraud, account takeover attacks and privacy mandates are all key challenges that impede digital transformation. Register for this webinar to hear our featured speaker discuss how the role of a Credential Service Provider (CSP) delivers the access and convenience users demand while equipping digital channels for today’s cyber security and privacy challenges.

By watching, you will learn:

  • Ways to automatically block stolen identities at enrollment.
  • How biometrics with liveness detection verify identity to IAL2 and AAL2.
  • The importance of a privacy-by-design architecture with user-managed PII.
  • How reusable verified credentials accelerate digital transformation.
  • The role of a CSP to automate identity assurance and authentication.
  • How the inclusion of anti-phishing authentication ensures the verified user is present.