E-Authentication: Simplifying Access to E-Government Presented at the PESC 3 rd Annual Conference on Technology and Standards May 1, 2006


Page 1

E-Authentication: Simplifying Access to E-Government

Presented at the

PESC 3rd Annual Conference on Technology and Standards

May 1, 2006

Page 2

The Context for E-Authentication

The Goal of E-Government: Empower and enable citizens and businesses to manage their relationships with government on their terms in a secure online environment

The Role of the E-Authentication Program: Provide standards, framework and services necessary for the Federal Government to accept all levels of secure identity verification, simplifying business, public & government access to online services in a cost-effective manner

Page 3

E-Authentication Mission

Enable millions of safe, secure, trusted online transactions between Government and the citizens and businesses that it serves

Reduce online identity management / credentialing burden for government agency application owners and system administrators

Provide citizens and businesses with a choice of credentials – such as PINs/User IDs/passwords/digital certificates – when accessing public-facing online government services

Page 4

Key Policy Considerations

For Government-wide deployment:

• No National ID
• No National unique identifier
• No central registry of personal information, attributes, or authorization privileges
• Different authentication assurance levels are needed for different types of transactions
• Authentication – not authorization

For E-Authentication technical approach:

• No single proprietary solution
• Deploy multiple COTS products – user's choice
• Products must interoperate
• Controls must protect privacy of personal information

Page 5

E-Authentication Strategy

The best way to accomplish E-Authentication’s mission while satisfying the requisite policy considerations:

• Build the E-Authentication Federation, wherein government agencies can rely on electronic identity credentials issued and managed by other organizations within and outside the federal government

Page 6

The Decision to Adopt a Federated Approach

Identity management is one of the major enterprise IT challenges

Government’s move to the Web raised the need to ID-proof millions of customers

Industry best practices moving toward enterprise identity management solution (portal) and federated identity

Use of federated identity is growing

• According to Burton Group, more than 300 businesses deploying SAML-based federations

Page 7

The Concept of E-Authentication

Step 1: At access point (agency Web site or credential service provider) user selects agency application and credential provider

Step 2:

• User is redirected to selected credential service provider
• If user already possesses credential, user authenticates
• If not, user acquires credential and then authenticates

Step 3:

• Credential service hands off authenticated user to the agency application selected
• User performs transaction

Page 8

The Value of the E-Authentication Federation

Citizens and businesses

• Convenience and ease of use in accessing government services
• Secure access with privacy protection
• Safeguarding the public trust

Government

• Saving agencies time and money in developing, implementing and administering identity management
• Leveraging an existing authentication infrastructure (the Federation)
• Fewer credentials to manage
• Reducing the risk of implementing and maintaining an identity validation capability
• Accelerating the time to market for e-government services

Page 9

The Building Blocks of the E-Authentication Federation

[Diagram of the Federation's building blocks: Business & Operating Rules; Operational Infrastructure; Agency Applications / Credential Service Providers. Layers are labelled Policy and Technology/Architecture, with timeline markers: Completed FY 2004, Completed FY '05, Growing in FY06 and beyond.]

Page 10

Policy Infrastructure:

1. Establish E-Authentication risk and assurance levels for Government-wide use (OMB M-04-04 Federal Policy Notice 12/16/03)
2. Establish standard methodology for E-Authentication risk assessment (ERA)
3. Establish technical assurance standards for e-credentials and credential providers (NIST Special Pub 800-63 Authentication Technical Guidance)
4. Establish methodology for evaluating credentials/providers on assurance criteria (Credential Assessment Framework)
5. Establish trust list of trusted credential providers for govt-wide (and private sector) use (Federation Member CSPs)
6. Establish common business rules for use of trusted 3rd-party credentials (Legal Document Suite)

Page 11

Federation Policy: Identity Assurance Levels

OMB E-Authentication Guidance establishes four assurance levels:

• Level 1: Little or no confidence in asserted identity (e.g. self-identified user/password)
• Level 2: Some confidence in asserted identity (e.g. PIN/Password)
• Level 3: High confidence in asserted identity (e.g. digital cert)
• Level 4: Very high confidence in the asserted identity (e.g. Smart Card)

NIST SP 800-63 Electronic Authentication technical guidance matches technology to each assurance level.

The E-RA tool assists agencies in defining authentication requirements and mapping them to the appropriate assurance level.

Providing consistent application of E-Authentication across gov't
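As an added illustration (not code from the presentation or from the E-Authentication program, whose actual protocol was SAML-based), here are the relying-party checks implied by steps 1 to 3 on page 7 together with the assurance levels and trust list above: the agency application accepts a hand-off only from a CSP on the federation trust list, with a valid signature, addressed to this application, unexpired, and carrying an assurance level the CSP is approved to assert and at least the level the application's risk assessment requires. The CSP names, keys and the HMAC signature are constructed assumptions standing in for real federation members and XML signatures.

```python
import hashlib
import hmac
import json
import time

# Constructed trust list of Federation Member CSPs (hypothetical names and keys).
# Each entry records the highest assurance level the CSP is approved to assert
# and the secret used to verify its assertions (HMAC stands in for the XML
# signatures a real SAML federation would use).
TRUSTED_CSPS = {
    "csp-example-bank": {"max_level": 2, "key": b"constructed-key-bank"},
    "csp-example-pki": {"max_level": 3, "key": b"constructed-key-pki"},
}

# The relying party's own identifier and the assurance level its E-RA produced.
RELYING_PARTY = "agency-app-example"
REQUIRED_LEVEL = 2


def sign_assertion(issuer, subject, level, audience, ttl=300, now=None):
    """CSP side (steps 2-3): build an assertion about an authenticated user and sign it."""
    now = time.time() if now is None else now
    body = {"issuer": issuer, "subject": subject, "level": level,
            "audience": audience, "exp": now + ttl}
    payload = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(TRUSTED_CSPS[issuer]["key"], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def accept_assertion(assertion, required_level=REQUIRED_LEVEL, now=None):
    """Relying party side (step 3): return (True, subject) or (False, reason)."""
    now = time.time() if now is None else now
    body = json.loads(assertion["payload"])
    # Only the issuer field is read before the signature is verified, to pick the key.
    csp = TRUSTED_CSPS.get(body.get("issuer"))
    if csp is None:
        return False, "issuer not on federation trust list"
    expected = hmac.new(csp["key"], assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["mac"]):
        return False, "signature invalid"
    if body.get("audience") != RELYING_PARTY:
        return False, "assertion not addressed to this application"
    if body.get("exp", 0) <= now:
        return False, "assertion expired"
    level = body.get("level", 0)
    if level > csp["max_level"]:
        return False, "CSP not approved to assert this level"
    if level < required_level:
        return False, f"level {level} below required level {required_level}"
    return True, body["subject"]
```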

Page 12

Federation Membership

Business & Operating Rules: technology standards integrated with common business rules

Developing business agreements that govern membership in the E-Authentication Federation

Binding the trust that drives interoperability

Page 13

Status of Federation Membership (5/1/06): Relying Parties

SSA (Direct Deposit)

GSA (eOffer)

Dept. of Labor (MSHA)

OPM (USA Learning)

OPM (USA Jobs)

NASA (MyNASA)

Dept. of Transportation (SAFER)

Dept. of Commerce (Export.gov)

NSF (Fastlane)

Dept. of Energy (VIPERS)

Dept. of Interior/Nat’l Park Service (Research Permit & Reporting System)

HUD (FHA Connection)

Page 14

Status of Federation Membership (5/1/06): Credential Service Providers

Fidelity Investments*

WellsSecure* (Wells Fargo PKI)

ORC

USDA eAuthentication

OPM Employee Express

* Denotes designated financial agent (DFA) of the US Department of Treasury/Financial Management Service

Add’l Targeted Verticals

Financial Institutions

State/local governments

Higher Education

Page 15

For More Information…

Georgia K. Marsh, Deputy Program Executive

[email protected]

Websites

http://cio.gov/eauthentication

http://cio.gov/fpkipa