Access to Government with More Security, Less Friction
By Wes Turbeville, Vice President of Federal, ID.me
Americans value choice. When it comes to living and working on the internet, individuals should be able to choose whom they trust from among solutions that meet federal standards.
That’s a key takeaway from a new white paper co-authored by the General Services Administration’s (GSA) lead for identity services and published by the American Council for Technology – Industry Advisory Council (ACT-IAC) and the Better Identity Coalition (BIC).
A result of government and industry collaboration, this paper identifies a key principle for online identity verification: the public is best served by a variety of options aligned with government security standards, providing different paths for verification depending upon consumer needs and comfort. ID.me looks forward to the Administration’s upcoming Executive Order on Preventing Identity Theft, which should advance many of this paper’s policy takeaways, strengthen the security of government programs, and increase access for American citizens.
We applaud the paper’s call for better understanding of the technology used in online identity verification. However, we believe the paper’s recommendations fall short of what is needed.
Beyond deepening understanding of biometrics, any studies on equity and performance should assess all technologies used in online identity verification. Legacy approaches to digital identity – powered by credit bureaus and data brokers – unfairly tie access to affluence.
Forty-five million “credit invisible” consumers in the U.S. struggle to verify using these legacy methods. The status quo already disproportionately impacts less affluent people, minorities, individuals with recent name changes (e.g. marriage), immigrants, and expatriates. To examine biometrics in context, we must compare the relative impact on equitable access associated with each step of the current identity verification process that does not involve biometrics.
ID.me believes the best path to a secure digital identity that promotes equitable access is by offering multiple verification options and combining best-in-breed algorithms with human-powered relief valves. We have designed our products with this philosophy in-mind.
Key Findings of the Paper
Some important findings of the Citizen Identity, Credential, and Access Management (ICAM) paper include:
- Knowledge-Based Verification/Authentication is not effective. The paper notes, “Public and private sector entities are moving away from KBV and knowledge-based authentication (KBA) in favor of other tools.” NIST itself has explicitly stated that “KBV cannot be used to satisfy the verification requirements for IAL2 or IAL3 in identity proofing.”
- Multifactor Authentication (MFA) should be “table stakes.” The paper says it should be “enabled for all accounts and built into the enrollment process.”
Federated identity is the wave of the future. Identity “federation” allows an individual to enroll once and then use the credential across multiple entities. The paper holds up SSA, IRS and HHS as examples of agencies that have implemented identity federation. - Transparency is key for individual users. Individuals need to “know what data is being collected, how it’s being used, and how long it’s being stored.” That’s something that ID.me is committed to.
Endorsing Choice
Woven throughout the paper is an endorsement of choice. The authors state that individuals “should have a choice when it comes to shared login services or Credential Service Providers (CSPs).” The government should enable an “ecosystem of CSPs” so “individuals have options” when accessing government services.
Similar to the framework by which Americans can choose their preferred payment provider when making purchases online, an open, competitive marketplace that provides citizen choice at login is the best way to drive continuous innovation in areas of access and security.
Executive Order Implications
The EO presents a great opportunity to put energy behind some of the policy priorities the the authors advance in the paper. Notably, those around:
- Making Multi Factor Authentication (MFA) the default
- Enforcing adoption of NIST standards at the agency level
- Holding a high bar for federal standards, rather than relaxing controls that have been shown to work
- Promoting choice at each citizen-facing platform among solutions that meet federal standards
- Expanding data validation with authoritative services, such as Social Security’s electronic Consent Based Social Security Number Verification (eCBSV)
- Encouraging transparency to consumers about how their data is collected, how verification of an individual is completed, and how their data is used
- Providing guidance to individuals on what they can do in the event their identity is stolen
More Security; Less Friction
The paper takes the issues surrounding identity verification and ultimately boils them down to two goals: More security, less friction.
Significant time is spent debating the tradeoffs between these two goals. ID.me believes they are an “and” rather than an “or.” The Washington Post1 and recent IRS testimony before the Senate Committee on Finance2 noted how ID.me has been able to provide much higher pass rates and greater access, including for “low-income earners and minorities.” We were able to do this while also increasing the level of assurance and security associated with verification.
Conclusion
ID.me agrees with the authors of the paper that Americans should be empowered to choose whom they trust. A free market approach where all solutions are held accountable to the same stringent government standards will increase innovation, security, and access. This ultimately benefits both American consumers and government agencies.
We believe the paper focuses too narrowly on testing for equity. All components of the identity verification flow should be tested for equity. The paper calls out facial recognition specifically, but this is just one step in a broader flow. Decisions about which tools to use should be made with an understanding of how methods perform relative to each other. Once researched, policy makers can focus on the most inequitable components of identity verification.
Now is a pivotal moment for the U.S. economy as fraud that surged during the pandemic is now moving to other sectors such as fintech and banking. The paper will be helpful in shaping the upcoming Executive Order focused on preventing fraud and protecting American consumers.