OpenID federated identity framework set for .gov authentication pilot

A government authentication test of the OpenID identity framework could usher in the beginnings of the "identity economy."


Welcome to the identity economy. Last week, U.S. CIO Vivek Kundra announced a pilot program to allow individuals to authenticate themselves on government websites using an open trust framework (OTF). The technologies chosen come from OpenID or Information Card, a move that puts the substantial weight of the federal government behind frameworks that have to this point enjoyed limited adoption.

Kundra emphasized his support for more transparency and ease of use at the recent Gov 2.0 Summit. Instead of .gov websites that amount to "brochureware," Kundra said this move could allow government websites to evolve toward becoming "interactive, service-driven sites the American people can use in their own context."

"If you think about the American people as our customers, as far as access to information, they already have an account, whether it's Yahoo or Google or Microsoft or Facebook," Kundra said. "Why not leverage those platforms for services that are not sensitive in nature and services that are disposable in some ways, as far as use is concerned?"

That's a key aspect of the president's Transparency and Open Government directive in terms of authentication. If the program succeeds in government, both OpenID and Information Card (InfoCard) could be important in the creation of identity frameworks for the enterprise. Adopting this open framework is a concrete step that should make it easy for people to register and participate on government websites -- generally known as ".govs" -- without the need to create new usernames or passwords.

The involvement of multiple providers that will compete on features and ease of use is likely to catalyze competition, creating what Drummond Reed, executive director of the Information Card Foundation, calls an "identity economy." "We're going to see a long tail of identity providers just like you see portals in websites," said Reed in an interview with SearchCompliance.com.

Under the pilot program, the Center for Information Technology, National Institutes of Health and the Department of Health and Human Services will be the test beds for the identity framework program. Each will begin accepting OpenID and InfoCard credentials later this fall. The 10 organizations whose OpenIDs will be supported are Yahoo, PayPal Inc., Google Inc., Equifax Inc., AOL LLC, VeriSign Inc., Acxiom Corp., Citi, Privacy Vaults Online Inc. and Wave Systems Corp. OpenIDs that are self-hosted or on other services won't be accepted, at least at first.

"We've created a trusted framework and a trusted transaction model for the first time that I know of -- the breakthrough here is just that," said Don Thibeau, executive director of the OpenID Foundation.

Mary Ruddy, founder of Meristic Inc. and founding board member of the Information Card Foundation, explained, "We came at this from a user-centric perspective. Members of the public will be able to fully control how much or how little personal information they share with the government at all times."

"If you want to have accountability in government, you need to have transparency."

Don Thibeau, executive director, OpenID Foundation

Given that commercial services will be used to authenticate citizens on government websites, there are some outstanding questions about why agencies didn't create their own system. "Early on, the government came to the foundations and said that we think that you can perform this function better than we can," said Thibeau. "There's also a timeliness issue. If there isn't adoption, there's the risk of a Balkanized state where the first victim is privacy. Judy Spencer said publicly at a privacy meeting that she felt it would be irresponsible for the government not to adopt OpenID. If we don't catch the genie now, we won't be able to address the issue."

Privacy, portability and user experience are significant issues for the identity framework. Some services are already collecting personally identifiable information, like health data. Security is naturally also at the top of the list of concerns for authentication at .gov sites. "Under the OTF, the government has created a framework for schemes at four levels of assurance, defining security and privacy requirements for each," said Reed. "At level one, there is a very strong privacy requirement. If you're going to provide the service of a user going to the government agency, you won't use that as a correlatable fact."

These security, privacy, and reliability requirements are further described by the Trust Framework Provider Adoption Process on IDManagement.gov. "If you want to do Social Security, it will have to be certified at level 3," said Thibeau. "Technically, SAML [Security Assertion Markup Language] is another protocol that the government is certifying, but you have to have providers for that."

Enforcement of these provisions will sit with external auditors, although there's some vagueness about who precisely they will be. "This goes to the heart of the OTF -- as requirements published, foundations certified -- we have a program for certifying the identity providers," said Reed. "Providers have to say that they will comply, and then auditors have to certify that they have the ability to do that."

Reed added that "this is a better way of handling this than national cards. Compare this to what India is doing with a centralized system." In Thibeau's view, "that's an important difference, since there won't be a centralized database where all of this resides."

An information card presents other challenges, given that it has a physical incarnation. "It's one of the areas where there are differences in the technologies," said Reed. "With OpenID, there you're talking about identifier portability. If a user cares about that, a user can configure the provider as a delegate. With information cards, it's inherently a portable credential. Because they are portable, standard backup practices apply. If you're storing cards in the cloud, you have a backup. The cards themselves have to be portable. You have to be able to move to another one. That's been part of the architecture from the start."

Let us know what you think about the story; email editor@searchcompliance.com.
