This week, we’re pleased to share this guest post from Patrick Hearn, expert in identity management and CEO of Endeavor Worldwide. Endeavor Worldwide is an international advisory firm that brings together senior company executives and government leaders, with specialty focus in Converged Identity Management, CyberSecurity and Industry 4.0.
Identity is no longer just about how we define ourselves or how we’re represented on the ID cards in our wallets. All the talk of privacy politics has made that clear. Instead, identity is now about the data we provide via our interactions with banks, utility providers, educational institutions, e-retailers, social media platforms and the government.
The problem is that a lot of the information used for identity authentication is available for pennies on the dark web. Endless data breaches have resulted in more than 15 billion records being stolen over the last six years. Synthetic identities, made from a combination of real and fabricated identifying details, are prolific as well. Most alarming, though, is that government agencies continue to assign and authenticate identity based on static information. That needs to change.
The Problem with Static Identity Information
Government agencies rely on static information to verify identity, including your name, date of birth, Social Security Number and the street you grew up on as well as your username and password for their online accounts. They also rely on this information to provide government benefits, manage the tax system and control access to networks – which means that, if it ends up in the wrong hands, a lot of taxpayer money is at risk. In fact, losses from Medicare and Medicaid, the IRS, Social Security and other government programs totaled $100 billion in 2016 alone.
In the private sector, losses of this magnitude would result in shareholder revolts, leadership overhauls and screaming headlines across every major media outlet. But when it comes to the government, the response continues to involve hiding behind standards that were created a decade ago and pointing the finger at various agencies for their own lack of progress.
Take, for example, the government’s reliance on the National Institute of Standards and Technology’s (NIST) Digital Identity Guidelines. In these guidelines, risk-based/adaptive systems are not considered valid authenticators – even though the private sector has adopted and implemented risk-based systems to separate good from bad actors.
Meanwhile, criminals, who do not base their “business plans” on federal rules and cybersecurity recommendations, will continue to profit by exploiting the current weaknesses in federal government standards, namely those inherent in the NIST’s publications.
Contrast this with Europe, where open banking guidelines specify Strong Customer Authentication elements, including not just passwords, PINs and device verification, but also biometrics.
The government is only now beginning to recognize and address its oversights and missteps. The White House recently published a memorandum redefining standards and principles to improve identity management within and outside the federal government. The task now is to reconcile this with NIST standards, most notably an outdated standard on Digital Identity Guidelines.
Moving forward, this is going to mean adopting a risk management perspective, enhancing federal agencies’ use of a redefined digital identity and the user credentials derived from it, and going “beyond the perimeter” in managing identity, among other changes. It will mean re-aligning budgets.
A New Approach to Managing Digital Identity Is Needed
There are ways to fast-track and solve the problems in our identity system that can also enhance our government’s service to its citizens. The private sector has implemented newer, more dynamic systems that experience fraud levels less than a tenth of those of the federal government’s, and also deliver a better user experience.
In the private sector, a new concept of digital identity is already a working reality. Large financial institutions use technologies like behavioral analytics (analyzing a user’s journey through their website) or artificial intelligence and machine learning, which are embedded in an innovation called behavioral biometrics (analyzing user-device interactions such as mouse movements, scrolling patterns and website familiarity, among thousands of other parameters), to ensure that new applicants for credit cards and insurance policies are not using stolen or synthetic identities.
Big banks also use these tools to ensure that people are who they claim to be when they access their online accounts and to prevent malicious actors from taking over online sessions after the legitimate user logs in.
Likewise, for the federal government, a new notion of digital identity needs to be based on the same seamless and frictionless consumer experiences. It needs to be dynamic and portable, not device or location-dependent. It needs to incorporate, not just imitate, unchanging personal attributes, meaning our physical and digital footprints, reflecting the “normalcy” of our habits and the characteristics of our human-device interactions. All of this needs to occur while keeping privacy as a core tenet of its design.
The new digital identity must also constantly recalibrate and get smarter over time, just like the criminals do. This kind of modern digital identity has already been shown to safeguard billions of transactions on hundreds of millions of smartphones, laptops and other devices.
If the government continues to rely on outdated policies and use a static framework of identity, we will continue to accept bad actors stealing taxpayer dollars and allow high levels of monetary and privacy risk to enter our overall economy. It is imperative that we move beyond static identity and adopt a new digital identity paradigm for the impending data-driven decade.