State Governments Increasingly Making Use of Online Authentication Tools
Government is raising its expectations. While it hasn’t been uncommon in the past for governments to consider money wasted by fraud, mismanagement or inefficiency as an expense of doing business, times are changing. New technologies are preventing such waste and initiating cultural change in the public sector. At the Florida Department of Children and Families (DCF), that transformation is being realized through the adoption of an online authentication tool the agency is using to ensure that the benefits it issues, like food assistance, are going to the right people.
Such incarnations of online authentication technology are sprouting up in state government agencies around the country, led by a White House vision of a new, central form of identification, what some are calling “a driver’s license for the Internet.”
The DCF reported that in 2013 it saved about $14.7 million through the use of an online authentication tool, with an initial investment of about $1 million and a total contract of just under $3 million. The tool and subscription service was purchased from LexisNexis and operates similarly to the systems used by financial institutions to verify the identity of loan or mortgage applicants. Now when people apply for various programs online, they are prompted with identity verification questions about their previous employers or the names of streets where they lived.
The DCF says the technology is saving so much money because it saves staff the time of verifying identities manually, and even better, there’s been a reduction in cases of identity fraud.
The agency began its move to online services in 2012, said Andrew McClenahan, director of the Office of Public Benefits Integrity at DCF. “It’s changing the way that people are looking at public assistance fraud and how to maintain the integrity of these public benefits systems," he said. "[It’s] changing the mindset that fraud is no longer considered a cost of doing business. These modernizations, data analysis and predictive modeling and now this customer authentication tool that works with identity verification, these are all realities that we as a state and other states are having to face, and I think it’s here to stay.”
The move away from authenticating people in person began two years ago when the state started centralizing its physical offices to one per county. That move, McClenahan said, prompted more online usage, but also introduced a new problem: The state had no reliable way of verifying identity online and the result was a lot of waste – wasted time and wasted benefits issued to illegitimate applicants. So the agency began piloting the system in Orlando, and in August 2013, the system was spread throughout the state.
It was important to get away from the old model, McClenahan said, and it’s easy to see why. Fraud and abuse of government services in general has been common for years, and especially so in Florida. In 2007, federal officials randomly visited 1,600 businesses in Miami that had billed for “durable medical equipment” and found that 481 of those businesses didn’t even exist, accounting for $237 million of fraud in just one year.
In 2012, the attorney general announced that the Medicare Fraud Strike Force had arrested more than 100 people, including doctors, nurses and other health professionals, accounting for more than $452 million in fraud across seven cities.
These instances of fraud, enabled for decades by a lack of government oversight or technological wherewithal, has cost taxpayers untold sums. In 2010, the Government Accountability Office released a report in which it identified $48 billion in “improper payments” for the previous year.
But, of course, fraud doesn’t only happen in Florida. In 2011, the White House started looking at the issue differently when it released the National Strategy for Trusted Identities in Cyberspace (NSTIC). The program outlines a framework for an online identity verification system that would attempt to reduce fraud, while creating a convenient way, federal officials say, for Internet users to prove their identity, without the need to remember passwords. The New York Times called it “a driver’s license for the Internet.” Even better, the White House reported that such a system would improve the Web economy by bolstering public confidence in security and authentication of online businesses and services.
In fall 2013, the National Institute of Standards and Technology (NIST), the agency overseeing the program, awarded $1.3 million and $1.1 million in pilot funding to Michigan and Pennsylvania, respectively. Rather than develop entirely new systems or even some form of comprehensive Internetwide identification system, the implementations in each state look at how existing systems can be used to simplify authentication across departments. These pilots are just the beginning – NIST is awarding pilot funding to 10 additional organizations, which will be announced in August.
Pennsylvania is developing an implementation that would allow users to operate a single identity across state departments, rather than requiring users to manage usernames and passwords for each department, which is the case today. In a pilot scheduled to run from this spring through September, Deloitte will bridge various departments and agencies, each of which would require varying levels of authentication on behalf of the user, according to GCN. For example, if a user only wants a fishing license, he could simply authenticate his identity at a low level, but if he later wanted to use that same online ID for welfare benefits, he would need to raise the authentication level by providing more information in order to access those services. But he would only need one set of credentials to access any state service.
In a pilot scheduled to run May to September, Michigan will use the funding to establish an online authentication system for residents who use its MI Bridges portal to access services like food and cash assistance programs, the same kinds of services for which Florida developed its authentication system.
Identity verification for MI Bridge is done manually today using several different types of identity proofing to verify each applicant. For that reason, there's little fraud in that program, according to an agency spokesperson. However, reducing the work needed to verify the identity of an online user could save the agency money.
Michigan's project is expected to operate similarly to the system that was launched in Florida’s DCF, asking the user various questions similar to what might be seen during an online application for a mortgage or loan.
The success of the NSTIC pilots will be determined by analysis conducted by nonprofit RTI International, funded with $300,000 from NIST. The organization will compare the efficacy of the new system compared to the old manual processes of identity verification. If the pilots are successful, they could end up being the first step toward a single set of standardized credentials that Internet users provide to prove who they are.
Identify Verification for the Web
A single ID that can be used across the entire Internet is an idea that has been talked about for a long time, and since the 1980s, the technology world has known that the password model is inadequate, said technology analyst Rob Enderle. A single set of credentials that could be used to verify identity would be far superior to what's used today, he said, and the National Strategy for Trusted Identities in Cyberspace would lead the Internet toward that goal.
“Given that we don’t have that on the Web and there is a substantial amount of fraud and identity theft going to the core of it, having a validatable ID is, you would think, a very high priority,” Enderle said. “It should be a higher priority than it is.”
This isn’t just a good idea, Enderle said, it’s a necessity. “If you can’t create a method to ensure a person is who they say they are, then you really can’t secure bank accounts, identities, anything that’s done on the Web,” he said. “Moving to something else would seem to be decades overdue.”
Though the White House created the program to begin research around such a system, the government is generally not good at developing these kinds of technologies or working within a fast timeframe, Enderle said – a successful technology like this needs to come from the private sector.
“It has to be driven by the market. Remember, we were supposed to be on the metric standard decades ago and we aren’t,” he said. “There have to be some penalties involved for not doing it. I think after a couple major breaches where the liability is passed to the organization that didn’t properly assure the identities of the people that were accessing it, that motivation will probably drop into place.”
The technology for this is here, Gartner analyst Avivah Litan said, it’s just a matter of getting the market properly aligned. “People have been talking about it for years,” Litan said. “The main issue is you have to get identity providers standing behind it and backing up the identities, and you have to solve the business model. In other words, if they get the identity wrong, who’s liable? It’s a great concept, but it hasn’t taken place because no one’s willing to be the identity provider or issue the identity. It’s not a technology issue, it’s a business issue.”
Proposed legislation in the United Kingdom shows that the market is demanding better authentication online, not just to curtail fraud, but to restrict access to certain content. The proposed law would require that websites hosting adult content take better measures of authenticating age than just using the honor system. The Children’s Online Privacy Protection Act is the existing legislation that requires U.S. websites hosting adult content to require the user to enter an adult’s age before proceeding, a standard that websites in other countries also have adopted. But the problem is that it simply doesn’t keep young users out. A quick lie is all that’s needed to proceed. The thinking behind the proposed legislation is that the rules that apply offline should also apply online.
Not everyone thinks a driver’s license for the Internet is a great idea. Lee Tien, senior staff attorney with the Electronic Frontier Foundation, is skeptical whether the government’s main motivation with such a program would even be fraud prevention – and not tracking.
“We think it’s a terrible idea,” Tien said. “The main substantive issue is that much of what we do on the Internet is plain old speech: writing comments, posting on blogs or whatever. And one of the things about speech in the United States, especially under the First Amendment of the Constitution, is that you have a right to speak anonymously. The EFF has long believed that it’s really important to preserve and protect that right to speak anonymously on the Internet. Any mandatory type of ID online runs really directly counter to that.”
Even a voluntary online ID could be problematic, Tien said. If the ID became popular, it could still become a de facto requirement that people would need to access a variety of services, and the result, again, would be loss of privacy and anonymity. The thing that’s unclear about such a solution, he said, is how this form of authentication would prevent various types of fraud in a way that others cannot. If there is a difference, Tien said he doesn’t know what it is.
“One of the great things about modern cryptography is that if it’s implemented well, you can have highly secure transactions, and you can have cryptographic proof for verification as to whether or not a person is or isn’t who they represent themselves to be in a mathematically secure manner,” he said. “A lot of times the issue is not fraud. The issue for government is that they want to track, regardless of fraud.”