220 likes | 360 Views
Identity in Cyberspace: Improving Trust via Public-Private Partnerships Jeremy Grant Senior Executive Advisor, Identity Management National Institute of Standards and Technology (NIST). Why We’re Here Today. Learn about the National Strategy for Trusted Identities in Cyberspace (NSTIC)
E N D
Identity in Cyberspace: Improving Trust via Public-Private Partnerships Jeremy Grant Senior Executive Advisor, Identity Management National Institute of Standards and Technology (NIST)
Why We’re Here Today • Learn about the National Strategy for Trusted Identities in Cyberspace (NSTIC) • Discuss how a government initiative can help taxpayers and return preparers improve online trust, reduce fraud and create enhanced customer experiences • Discuss the role your firm can play in advancing the use of Trusted Identities in Cyberspace
What is NSTIC? • Called for in President’s Cyberspace Policy Review (May 2009): a “cybersecurity focused identity management vision and strategy…that addresses privacy and civil-liberties interests, leveraging privacy-enhancing technologies for the nation.”” • Guiding Principles • Privacy-Enhancing and Voluntary • Secure and Resilient • Interoperable • Cost-Effective and Easy To Use • NSTIC calls for an Identity Ecosystem, “an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.”
The Problem Today • Usernames and passwords are broken • Most people have 25 different passwords, or use the same one over and over • Example: reuse of IRS PINs is prevalent • Even strong passwords are vulnerable…criminals have many paths to easily capture “keys to the kingdom” • Rising costs of identity theft • 11.6M U.S. victims (+13% YoY) in 2011 at a cost of $37 billion • 67% increase in # of Americans impacted by data breaches in 2011 (Source: Javelin Strategy & Research) • Indications of extensive and increasing tax fraud through ID theft • Burden: taxpayers cannot remember how to eFile From the 2011 ETA AC Report: “A 15 – 20% [return] reject rate is unacceptable . . . The most notorious cause of rejects is the current identity proofing mechanism – the AGI/PIN signature.” • Improved Security and Ease-of-Use Needed
The Problem Today 2011: 5 of the top 6 attack vectors are tied to passwords 2010: 4of the top 10 Source: 2012 Data Breach Investigations Report, Verizon and USSS
The Problem Today • Identities are difficult to verify over the internet • Numerous government services still must be conducted in person or by mail,leading to continual rising costs for state, local and federal governments • Electronic health records could save billions, but can’t move forward without solving authentication challenge for providers and individuals • Many transactions, such as signing an auto loan or a mortgage, are still considered too risky to conduct online due to liability risks Rob Cottingham, June 23, 2007 New Yorker, September 12, 2005 New Yorker, July 5, 1993
The Problem Today • Privacy remains a challenge • Individuals often must provide more personally identifiable information (PII) than necessary for a particular transaction • This data is often stored, creating “honey pots” of information for cybercriminals to pursue • Individuals have few practical means to control use of their information
Trusted Identities provide a foundation • Enable new types of transactions online • Reduce costs for sensitive transactions • Improve customer experiences • Offer citizens more control over when and how data is revealed • Share minimal amount of information • Fight cybercrime and identity theft • Increased consumer confidence
Vision: January 1, 2014 The Identity Ecosystem: Individuals can choose among multiple identity providers and digital credentials for convenient, secure, and privacy-enhancing transactions anywhere, anytime. Online shopping with minimal sharing of PII File taxes online with e-signature Cost-effectiveand easy to use Privacy-enhancing Secure Interoperable Trustworthy critical service delivery Secure Sign-On to state DMV website Security ‘built-into’ system to reduce user error Privately post location to her friends
Reduce Fraud with Strong Authentication • Federal Identity, Credential, and Access Management (FICAM)Certified “Level of Assurance 3” (LOA3) credentials for authentication provide the “high confidentiality in the asserted identity’s validity” which is required for eFiling and other IRS applications* • Certified LOA3 credentials can be issued online • Two-factor authentication leverages “something you have” like a smartcard, cell-phone, thumb-drive, or computer, with “something you know” like a PIN or password. • Example: ATMs use two-factor authentication An ID thief would have to physically possess the credential device as well as the PIN or password, hugely crippling their capability and preventing ID theft upfront. *OMB Memorandum 04 04/NIST Special Publication 800-63
Verizon Universal Identity Service (UIS) The only current commercial provider of FICAM-certified credentials that provide LOA3 “high confidence in the asserted identity’s validity” as well as LOA2 “some confidence.” • Verizon certified to do the ID proofing, credential issuance, and online authentication, plus optionally the verification of other-party approved credentials. Other credential providers in the pipeline for LOA3 certification
UIS Online Registration and Authentication • Initial online credential registration requires: • Record match of name, SSN, DOB, address, telephone # • Answer 5-question KBA quiz within 2 minutes • Possession of registered telephone to receive OTP • Once registered can provide additional devices for authentication • Authentication for each online transaction requires: • Username and password • Possession of registered device
Advantages of aligning with NSTIC and FICAM • Very fast adoption of LOA3 by public • Leverages currently owned devices in public’s hands (vs. provisioning a new physical credential) • Registration can be done on-line. • High security from Two-Factor Authentication • “Single Sign-on capability” makes authentication appealing and easy to use • Enforces privacy protection • Formally “blessed” by NIST and OMB • Agencies are specifically directed to use these solutions
Additional Benefit: Impedes Phishing • Relying party website is vetted by Identity Provider • Once Identity Ecosystem is in place, taxpayers will look for and use ID Provider’s logo for login, which will therefore hinder fraudulent sites. For instance, users of VZ UIS will look for and use the UIS logo to log into site.
NSTIC National Program Office • Charged with leading strategy and day-to-day coordination across government and the private sector in implementing NSTIC • Funded with $16.5M for FY12
Next Steps • Convene the Private Sector • Summer 2012: Create an Identity Ecosystem Steering Group • New two-year grant will fund a privately-led Steering Group to convene stakeholders, craft standards and policies to create an Identity Ecosystem • Collaborate with CERCA on authentication working group • Consider possibilities for next filing season • Offer taxpayers the option of obtaining and/or using a strong credential, integrated with your software. • May 23: White House Conference for Relying Parties • 70 major stakeholders invited, including CERCA chair.
Select Pilots NSTIC Pilot Programs $10M in grants to address barriers to implementing the Identity Ecosystem 5 – 8 awards later this summer Early Adoption by Government to Stimulate Demand Ensure agency alignment with FICAM White House Initiative: Federal Cloud Credential eXchange (FCCX) IRS and other large eGov agencies collaborating on NSTIC projects Next Steps
Questions? Jeremy Grant jgrant@nist.gov 202.482.3050 IRS / NSTIC Coordinator Richard Phillips richard.w.phillips@irs.gov 202.482.8349