The US Government Accountability Office (GAO), in its review of six agencies, concluded that US federal agencies need to strengthen their online identity verification processes. The full report can be found here. The GAO recommended that the National Institute of Standards and Technology (NIST) provide guidance on implementing alternative methods of verification that are available to all citizens.

The six agencies reviewed are: General Services Administration (GSA), Internal Revenue Service (IRS), Department of Veterans Affairs (VA), Social Security Administration (SSA), United States Postal Service (USPS), and Centers for Medicare and Medicaid Services (CMS).

Why the review?

The US federal government has thus far relied on consumer reporting agencies (CRAs) to help verify the identities of people who apply for government benefits online. However, the report said that the 2017 cyberattack on Equifax, one of the three major consumer credit reporting agencies in the US, which compromised the data of 143 million Americans, raised questions about this reliance on commercial CRAs.

What is the problem with the current process?

As of now, to perform remote identity proofing, the six agencies GAO reviewed rely on CRAs to conduct knowledge-based verification. From the description in the GAO report, and from having gone through USPS’s knowledge-based authentication (KBA) system, it is clear that these services use static KBA. Security questions (such as your mother’s maiden name, your first pet, etc.) that you choose while opening a new email account or a bank account are static KBA and, for obvious reasons, quite easy to get through: the answers are fixed, often guessable, and frequently discoverable from public or previously breached data. Sarah Palin’s Yahoo account was famously breached because a ‘hacker’ guessed her security answers. Dynamic KBA, on the other hand, would make use of information that only the user could have. It collates data on a user from marketing data, mail, etc. and generates questions in real time that only that user would know the answers to; the user does not know in advance what these questions will be. For instance, for account retrieval and identity verification, USPS asks questions about which monthly magazines you subscribe to, where a particular bill is delivered, etc.

The 2017 Equifax breach highlighted how stolen data could be used to answer knowledge-based verification questions. As a result, NIST issued guidance in 2017 that effectively prohibits agencies from using knowledge-based verification for sensitive applications.

Alternatives ‘may not be viable for all’

There are other methods that provide stronger security, such as remote assessment of physical credentials (asking the user to take a picture of their physical credential with their mobile phone and comparing the image to the document on file), and verification of mobile device possession. However, the report points out that “these methods may have limitations in cost, convenience, and technological maturity, and they may not be viable for all segments of the public”. Officials pointed out in the report that not all applicants have mobile phones that can be used to verify their identity.

Status quo of the agencies

  • GSA and IRS: Have begun “using alternative methods for remote identity proofing for their Login.gov and Get Transcript services that do not rely on knowledge-based verification”
  • VA: “Implemented alternative methods for part of its identity proofing process but still relies on knowledge-based verification for some individuals”
  • SSA and USPS: “Intend to reduce or eliminate their use of knowledge-based verification sometime in the future but do not yet have specific plans for doing so”
  • CMS: “No plans to reduce or eliminate knowledge-based verification for remote identity proofing”

The report asserted that “until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud”.

Problems with NIST guidance

  • No direction to agencies on how to successfully implement alternative identity-proofing methods with currently available technologies for all segments of the public
  • No discussion of the advantages and limitations of currently available technologies, and no recommendations to agencies on which technologies should be adopted
  • Doesn’t seem to take into account the limitations in available technologies for implementing alternative identity-proofing methods

Role of the Office of Management and Budget (OMB)

OMB is the largest office within the Executive Office of the President of the United States. Its main function is to produce the President’s Budget, but the Federal Information Security Modernization Act of 2014 (FISMA) also requires that OMB oversee federal agencies’ information security practices.

  • Despite having the authority to issue guidance, OMB has not issued guidance requiring agencies to report on their progress in implementing NIST’s recommendations.
  • OMB staff plan to issue guidance on identity management at federal agencies, but their proposed guidance does not require agencies to report on their progress in implementing NIST guidance.

The report concluded that without additional NIST guidance that helps agencies move away from KBA, and without OMB requiring agencies to report on their progress, “federal agencies will likely continue to struggle to strengthen their identity proofing processes”.

GAO recommendations

  • CMS, SSA, USPS, and VA should develop plans to strengthen their remote identity proofing processes by discontinuing knowledge-based verification. (SSA, USPS and VA agreed; CMS disagreed, saying the alternatives would not work for the individuals it serves.)
  • NIST should supplement its technical guidance with implementation guidance to assist agencies in adopting more secure remote identity proofing processes. (NIST agreed.)
  • OMB should issue guidance requiring federal agencies to report on their progress in adopting secure identity proofing practices. (OMB provided a technical comment but did not comment on GAO’s recommendations.)

Lesson for India

In the absence of a coherent legal framework that protects citizens’ personal data, India needs to err on the side of caution while implementing its digitalisation policies. It cannot continue to run headlong into offering digital-only government services without taking into account the lack of the basic infrastructure that buttresses a digital society. Even an industrialised nation like the US recognises this. Given the population of India, the big data generated here is of immense value to both companies and hackers. It is necessary to implement regulation, to institute laws, and to effect technology practices that safeguard people’s personal data.