David Temoshok, Director, Identity Policy/Management, GSA Office of Governmentwide Policy, November 21, 2002
1
David Temoshok
Director, Identity Policy/Management
GSA Office of Governmentwide Policy
November 21, 2002
E-Authentication: Making Trust Possible
Authentication: The Need for Trusted Credentials
2
Defining Identity Management
  • A set of policies and supporting processes and
    infrastructure, for the creation, maintenance,
    and use of identities and their attributes,
    credentials, and entitlements
  • Involves policy, technology and process
  • Must enable enterprises to create a manageable
    life cycle
  • Must scale from internally facing systems to
    externally facing applications and processes
  • Goal state: general-purpose infrastructure and
    authoritative sources, clean integration across
    people, process, and technology

3
The Challenge for Identity Management
  • Today's identity management systems are ad
    hocracies, built one application or system at a
    time
  • Apps, databases, OSes lack a scalable, holistic
    means of managing identity, credentials, policy
    across boundaries
  • Fragmented identity infrastructure: overlapping
    repositories, inconsistent policy frameworks,
    process discontinuities
  • Error prone, creates security loopholes,
    expensive to manage
  • The disappearing perimeter has put identity on
    the front burner
  • Infrastructure requirements extend reach and
    range
  • Increased scalability, lower costs
  • Balance of centralized and distributed management
  • Infrastructure must become more general-purpose
    and re-usable

4
Gateway Authentication Support for e-Gov Services
  • Authentication: the process by which an entity
    (such as a person or a computer system)
    determines whether another entity is who it
    claims to be.
  • Authentication is different from authorization.
  • Proper authentication ensures that a person is
    who he or she claims to be, but it says nothing
    about the access rights of the individual
  • Authorization grants access rights, but says
    nothing about who you are.
  • The Gateway provides for authentication, not
    authorization.

5
U.S. Identity Credentials - How do we know who you are?
  • Personal Information
    • Address - Home, Business
    • Telephone - Home, Business, Mobile
    • Genealogy - Parents, Relatives
    • References - Friends, Associates
    • Employment - past/present
  • Material Relationships
    • Financial Services - Bank accounts, Credit card accounts,
      Loan accounts, Insurance, Investment accounts
    • Tax Authorities - Federal, State, local
    • Asset Ownership - Vehicles, Real estate
    • Other - Utilities, Education, Civic groups
  • Out of Wallet Information
    • User ID, Passwords
    • Recent Transactions
  • Government ID/Credentials
    • Birth Certificate
    • Social Security Number
    • Passport
    • Driver's License/ID
    • Taxpayer/employer ID
    • Immigration Identification
    • Military Service Number
  • Public ID
    • Commercial Digital Certificate
    • Loyalty Cards
    • Civic, Community - Library
6
Identity Management Communities - Who do you Trust?
  • Governments
    • DMV, AAMVA
    • Illinois PKI
    • Washington State PKI
    • EBT
    • Government of Canada and U.K.
  • Federal Government
    • Social Security Admin.
    • GSA/DOD - Common Access Card
    • GSA - ACES
    • DoD, NASA, NFC - PKI
    • Transportation Security Administration - TWIC
    • INS
    • State Department
    • Veterans Affairs
    • Dept. Education
  • Trust Network (Gateway)
  • Higher Education
    • CREN PKI
    • Higher Education PKI Bridge
  • Transportation Industry
    • TWIC
    • Aviation, Maritime, Railroad, Trucking
  • Healthcare
    • California Medical Association
    • Med e-Pass
    • WGA Health Passport
  • Financial Services Industry
    • Identrust/DST
    • VISA/Mastercard
7
Authentication Technologies and Credentials
  • Something you know (but a stranger is unlikely
    to know)
    • User ID/Passwords
    • Knowledge-based authentication: Social Security
      Number, Password, place of birth
  • Something you possess
    • Smart Cards - Card-Based identification
    • Public Key Encryption - digital certificates
    • Driver's license, private key
  • Something you are
    • Biometric Profiles
  • Policy-Based Credentials
    • Public Key Encryption - digital certificates

8
Gateway Functional Scope in Authentication Process
  • Credentials
    • Identity Documents
    • Biometrics
    • Other Credentials

Gateway Functional Scope (diagram; only the box labels survive)
  • Request Permission to Conduct the Transaction,
    Activity or Access
  • Establish quality of credentials
    • New Credential
    • Enrollment
    • Verification
  • Validate Credentials
  • Allow or Reject Transaction
  • Authorization
    • Establish Permission to Conduct the Transaction,
      Activity or Access
    • Establish Level of Authorization
    • Authorize Transaction
9
Transaction Focus for the Gateway
  • What credentials/level of authentication
    assurance are needed for the agency application?
  • What credentials are needed during the
    transaction process?
  • Are the credentials valid?
  • Can credentials be effectively verified at the
    transaction stage?
  • Can different forms of credentials be trusted for
    common assurance levels?

10
How Well Does It Work?
  • Metrics
    • False Positive: an imposter is authenticated
      and/or granted access to the system
    • False Negative: a valid user is not
      authenticated or is denied access to the system.
  • Estimated 20% of state-issued credentials are
    fraudulent
  • Shared secrets are a problem too
  • To improve the numbers and raise the assurance:
    • Improved credentials
    • Multi-factor authentication
  • Cost becomes a major factor.

11
Authentication Cost/Risk/Benefit Analysis (chart)
  • Axes: Increased Cost (Low, Moderate, Medium, High,
    Very High) and Increased Need for Authentication
    Assurance
  • Plotted scenarios: Getting an Official ID;
    Applying for a Loan Online; Access to Protected
    Website; Surfing the Internet; Employee Screening
    for a High Risk Job
12
Authentication Interoperability and Federation
  • What is federated identity management?
    • Agreements, standards, technologies that make
      identity and entitlements portable across
      autonomous domains
    • Relying parties don't need prior knowledge of
      complex system internals or pair-wise mappings
      between systems
  • Federation standards define rules that bind
    autonomous domains to a common method of
    exchanging identity information
  • Federation standards provide a framework for
    negotiating agreements, defining interactions
  • Heterogeneous systems can map to the federation
    standards by applying transformations at the
    boundaries between domains
  • Relying parties can honor each other's decisions
    and trust each other's assertions, but in the
    context of their own local policies
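The two federation ideas above (transformations at domain boundaries, and honoring another domain's assertions only within local policy) worked through as an added Python example; this is not code from the presentation or from the Gateway project. The issuer domains, assertion field names, HMAC-based tags, assurance numbers and per-application policy are all constructed assumptions.

```python
import hashlib
import hmac
import json
# Constructed trust list: hypothetical issuer domains -> shared HMAC keys.
# Assumption: an HMAC tag stands in for the federation's real signature scheme.
TRUSTED_ISSUERS = {"state-dmv.example": b"dmv-demo-key",
                   "campus-pki.example": b"campus-demo-key"}

# Local policy: minimum assurance level (1 low .. 4 very high) per application.
LOCAL_POLICY = {"public-website": 1, "loan-application": 3}

def canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(body: dict, key: bytes) -> dict:
    """Issuer side: attach an HMAC tag over the canonical assertion body."""
    return {**body, "sig": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}

def signature_ok(message: dict) -> bool:
    """Only issuers on the local trust list can produce an acceptable tag."""
    key = TRUSTED_ISSUERS.get(message.get("iss"))
    if key is None:
        return False
    body = {k: v for k, v in message.items() if k != "sig"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message.get("sig", ""))

def transform_at_boundary(message: dict) -> dict:
    """Map each domain's native assertion format onto one common record."""
    if message["iss"] == "state-dmv.example":      # numeric 'ial', epoch 'iat'
        return {"issuer": message["iss"], "subject": message["sub"],
                "assurance": int(message["ial"]), "issued_at": float(message["iat"])}
    if message["iss"] == "campus-pki.example":     # named level, 'user', 'issued'
        names = {"low": 1, "moderate": 2, "high": 3, "very_high": 4}
        return {"issuer": message["iss"], "subject": message["user"],
                "assurance": names[message["level"]], "issued_at": float(message["issued"])}
    raise ValueError(f"no boundary transformation for issuer {message['iss']!r}")

def relying_party_decision(message: dict, application: str, now: float,
                           max_age: float = 300.0) -> str:
    """Honor the remote issuer's decision, but only within local policy."""
    if not signature_ok(message):
        return "reject: untrusted issuer or bad signature"
    rec = transform_at_boundary(message)
    if now - rec["issued_at"] > max_age:
        return "reject: assertion too old"
    if rec["assurance"] < LOCAL_POLICY[application]:
        return f"reject: assurance {rec['assurance']} below required {LOCAL_POLICY[application]}"
    return f"accept: {rec['subject']} via {rec['issuer']}"
```

The relying party never needs to know how either issuer works internally; it only needs the boundary mapping and its own trust list and policy.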

13
Welcome to the Real World
  • Unrealistic expectations are a huge problem
    • People want immediacy and safety with personal
      autonomy and control
    • They want personalization without surveillance
    • They want security and privacy without any
      inconvenience, loss of immediacy
  • Privacy Concerns are Real
    • Credentialing generally raises privacy concerns;
      better credentialing makes these concerns bigger
    • When are anonymity and pseudonymity appropriate?
    • Mission creep
    • Basic conflict with the policy message: people
      are told that the key to security is less data
      and more control

14
Going About the Job of e-Authentication
  • Authentication is very hard to do right.
  • There may not be conflicts between security and
    privacy, but there are definitely conflicts
    between security and convenience.
  • It is easier to create a perception of security
    rather than real security, and limits on
    credentialing complicate the process.
  • Risk management requires difficult, uncomfortable
    cost-benefit analysis.
  • Authentication processes must recognize and
    reflect limitations of credentialing.
  • Mission creep has to be managed
  • Focus on the problem we are trying to solve --
    identity and access management solutions
  • One tool or even one suite won't solve all
    identity and access management problems
  • It's not a system, but a pervasive infrastructure
  • Plan carefully, but be flexible and ready for
    change

15
For More Information
  • David Temoshok
  • E-mail: david.temoshok_at_gsa.gov
  • Phone: 202-208-7655

Websites: http://cio.gov/eauthentication, http://cio.gov/fpkisc, http://cio.gov/fpkipa, http://egov.gov