E-Authentication: Simplifying Access to E-Government
Presented at the
PESC 3rd Annual Conference on Technology and Standards
May 1, 2006
The Context for E-Authentication
The Goal of E-Government
Empower and enable citizens and businesses to manage their relationships with government on their terms in a secure online environment
The Role of the E-Authentication Program
Provide standards, framework and services necessary for the Federal Government to accept all levels of secure identity verification, simplifying business, public & government access to online services in a cost-effective manner
E-Authentication Mission
Enable millions of safe, secure, trusted online transactions between Government and the citizens and businesses that it serves
Reduce online identity management / credentialing burden for government agency application owners and system administrators
Provide citizens and businesses with a choice of credentials – such as PINs/User IDs/passwords/digital certificates – when accessing public-facing online government services
Key Policy Considerations
For Government-wide deployment:
• No National ID
• No National unique identifier
• No central registry of personal information, attributes, or authorization privileges
• Different authentication assurance levels are needed for different types of transactions
• Authentication – not authorization
For E-Authentication technical approach:
• No single proprietary solution
• Deploy multiple COTS products – user’s choice
• Products must interoperate
• Controls must protect privacy of personal information
E-Authentication Strategy
The best way to accomplish E-Authentication’s mission while satisfying the requisite policy considerations:
• Build the E-Authentication Federation, wherein government agencies can rely on electronic identity credentials issued and managed by other organizations within and outside the federal government
The Decision to Adopt a Federated Approach
Identity management is one of the major enterprise IT challenges
Government’s move to the Web raised the need to ID-proof millions of customers
Industry best practices moving toward enterprise identity management solution (portal) and federated identity
Use of federated identity is growing
• According to Burton Group, more than 300 businesses are deploying SAML-based federations
The Concept of E-Authentication
Step 1:
At access point (agency Web site or credential service provider) user selects agency application and credential provider
Step 2:
• User is redirected to selected credential service provider
• If user already possesses credential, user authenticates
• If not, user acquires credential and then authenticates
Step 3:
• Credential service hands off authenticated user to the agency application selected
• User performs transaction
The Value of the E-Authentication Federation
Citizens and businesses
• Convenience and ease of use in accessing government services
• Secure access with privacy protection
• Safeguarding the public trust
Government
• Saving agencies time and money in developing, implementing and administering identity management
• Leveraging an existing authentication infrastructure (the Federation)
• Fewer credentials to manage
• Reducing the risk of implementing and maintaining an identity validation capability
• Accelerating the time to market for e-government services
The Building Blocks of the E-Authentication Federation
(Diagram: three building blocks with their status)
• Business & Operating Rules (Policy): completed FY 2004
• Operational Infrastructure (Technology/Architecture): completed FY ‘05
• Agency Applications / Credential Service Providers: growing in FY06 and beyond
Policy Infrastructure:
1. Establish E-Authentication risk and assurance levels for Government-wide use (OMB M-04-04 Federal Policy Notice 12/16/03)
2. Establish standard methodology for E-Authentication risk assessment (ERA)
3. Establish technical assurance standards for e-credentials and credential providers (NIST Special Pub 800-63 Authentication Technical Guidance)
4. Establish methodology for evaluating credentials/providers on assurance criteria (Credential Assessment Framework)
5. Establish trust list of trusted credential providers for govt-wide (and private sector) use (Federation Member CSPs)
6. Establish common business rules for use of trusted 3rd-party credentials (Legal Document Suite)
Federation Policy: Identity Assurance Levels
OMB E-Authentication Guidance establishes four assurance levels:
• Level 1: Little or no confidence in asserted identity (e.g. self-identified user/password)
• Level 2: Some confidence in asserted identity (e.g. PIN/Password)
• Level 3: High confidence in asserted identity (e.g. digital cert)
• Level 4: Very high confidence in the asserted identity (e.g. Smart Card)
NIST SP 800-63 Electronic Authentication technical guidance matches technology to each assurance level
E-RA tool assists agencies in defining authentication requirements & mapping them to the appropriate assurance level
Providing consistent application of E-Authentication across gov’t
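As an added illustration (not from the presentation or the program’s own software), the agency-application side of step 3 combined with the assurance-level policy above: a constructed trust list of member CSPs with the level each was assessed at, a CSP-signed handoff assertion, and the acceptance check the relying party performs before letting the user transact. The CSP names, shared keys and the HMAC-over-JSON assertion format are assumptions standing in for the Federation’s SAML-based scheme.

```python
import hashlib
import hmac
import json

# Constructed, hypothetical trust list of Federation member CSPs: the
# assurance level each was assessed at and a shared MAC key (all made up).
TRUST_LIST = {
    "csp.example-bank": {"assessed_level": 2, "key": b"bank-shared-secret"},
    "csp.example-pki": {"assessed_level": 3, "key": b"pki-shared-secret"},
}


def _mac(key, body):
    # Canonical JSON so signer and verifier MAC identical bytes.
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def sign_assertion(issuer, subject, audience, level, issued_at, lifetime=300):
    """CSP side (end of step 2): build and MAC the handoff assertion."""
    body = {"issuer": issuer, "subject": subject, "audience": audience,
            "level": level, "issued_at": issued_at,
            "expires": issued_at + lifetime}
    body["mac"] = _mac(TRUST_LIST[issuer]["key"], body)
    return body


def accept_handoff(assertion, app_id, required_level, now):
    """Agency application side (step 3). Returns (accepted, reason)."""
    member = TRUST_LIST.get(assertion.get("issuer"))
    if member is None:
        return False, "issuer is not on the federation trust list"
    body = {k: v for k, v in assertion.items() if k != "mac"}
    if not hmac.compare_digest(_mac(member["key"], body), assertion.get("mac", "")):
        return False, "assertion MAC does not verify"
    if assertion["audience"] != app_id:
        return False, "assertion was issued for a different application"
    if not assertion["issued_at"] <= now < assertion["expires"]:
        return False, "assertion expired or not yet valid"
    # A CSP cannot vouch above the level it was assessed at.
    effective = min(assertion["level"], member["assessed_level"])
    if effective < required_level:
        return False, f"level {effective} is below required level {required_level}"
    return True, f"accepted at assurance level {effective}"
```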
Federation Membership
Business & Operating Rules
Technology standards integrated with common business rules
Developing business agreements that govern membership in the E-Authentication Federation
Binding the trust that drives interoperability
Status of Federation Membership (5/1/06)
Relying Parties
SSA (Direct Deposit)
GSA (eOffer)
Dept. of Labor (MSHA)
OPM (USA Learning)
OPM (USA Jobs)
NASA (MyNASA)
Dept. of Transportation (SAFER)
Dept. of Commerce (Export.gov)
NSF (Fastlane)
Dept. of Energy (VIPERS)
Dept. of Interior/Nat’l Park Service (Research Permit & Reporting System)
HUD (FHA Connection)
Status of Federation Membership (5/1/06)
Credential Service Providers
Fidelity Investments*
WellsSecure* (Wells Fargo PKI)
ORC
USDA eAuthentication
OPM Employee Express
* Denotes designated financial agent (DFA) of the US Department of Treasury/Financial Management Service
Add’l Targeted Verticals
Financial Institutions
State/local governments
Higher Education
For More Information…
Georgia K. Marsh, Deputy Program Executive
Websites
http://cio.gov/eauthentication
http://cio.gov/fpkipa