Are fingerprints better than passwords for securing government systems? Where do iris scanners fit in on the spectrum of securing identities? Is it a case of apples versus oranges? That’s what the National Strategy for Trusted Identities in Cyberspace is trying to determine.
An offshoot of the National Institute for Standards and Technology, NSTIC is tasked with measuring the strength of different forms of identity management and the effectiveness of technologies that facilitate them. That’s something that NSTIC Project Manager Mike Garcia said hasn’t seen much success with until recently.
“One of the things we’ve really had a lot of success on [in 2016] is advancing that exactly: the ability to say, ‘How good of a job are you doing if you’re using a fingerprint versus a password?'” Garcia said on Identity and Access Management Month.
Although they accomplish slightly different things, Garcia said he’s pretty sure fingerprints and similar biometrics are the better security feature. But measuring the success of biometrics presents a new challenge.
NSTIC uses a framework for measuring identity security strength called SOFA — Strength of Function for Authentication.
“Overloaded as an acronym it may be, it’s still one of our favorites,” Garcia told Federal Drive with Tom Temin. “For any given type of authenticator it could be different, so our goal is actually a suite of SOFA documents over the course of years. The one we have had for some time is SOFA for secrets, or passwords more generally, where its very easy to measure the entropy of say, going from 11 characters to 12 characters, or requiring a special character. From a cryptographic point of view, it’s very easy to measure how much stronger a password is just by how much longer it would take to attack it with a brute force way of guessing what a password is.”
Ultimately, NSTIC wants to expand the SOFA framework so that different items, like passwords and biometrics, can be compared more directly. But where passwords are secrets that have to be protected from careless or coerced sharing, fingerprints are something people leave everywhere they go: on glasses, phones, keyboards and elevator buttons.
“We’re used to secrets and passwords, and this is very different,” Garcia said. “The real game here is about trying to develop the entirety of that biometric function.”
So NSTIC has to take a different approach in measuring the effectiveness of the biometrics, based less around secrets and more around whether a system that utilizes biometrics is functioning correctly.
“What really matters is that we trust the device that we present that biometric to as being a known device, that we prove that you’re there doing it, and that it’s not someone there replaying your fingerprint that they lifted off of something else,” Garcia said.
NIST has been working on this for years in controlled environments, such as using fingerprints when enrolling for Personal Identity Verification cards. Now it’s moving on to encouraging and enabling private industry to evaluate consumer products and measure the level of risk for federal customers.
NSTIC is currently in its fifth round of pilots, testing these concepts on the individual level in certain sectors of government.
“This year we grew from just over 2 million individuals to — at last count on Sept. 30 — just over 6.7 million individuals impacted by our pilot programs, so that scaling is really starting to happen,” Garcia said.
In August, NSTIC announced six new pilot programs, including one that experiments with bringing federal identification to health care.
It would allow both providers and patients to access information across multiple portals with a single set of credentials. This would not only encourage patient access to information, but allows providers a more holistic view of the care patients have received without creating additional burdens on doctors and nurses.
Another pilot program involves a state identification system, experimenting with digital ID cards. Standard ID cards like driver’s licenses contain a plethora of personal information that isn’t required for every use of the ID. A store clerk selling alcohol or a movie theater employee selling tickets to an R-rated movie doesn’t need access to a person’s name, address, identification number, or most of the information on the card.
Using a digital ID would involve touching a phone to a reader, similar to the way Apple Pay or Google Wallet work, and would convey only the necessary information for the transaction.
“So if a young lady walks into a bar, rather than having to reveal a whole lot of sensitive personal information to a bartender, all she has to do is tap this phone and see that there’s a picture and a checkmark [verifying she’s over 21] and that’s it,” Garcia said.
NSTIC has awarded 24 pilots like these in the past four years, but Garcia said what’s more important is the partnerships. Currently, there are more than 170 partners participating in the different pilots.
“It really is about building up this network of organizations that are taking a different approach to individual identity,” Garcia said.
And while many of these pilots are successful, some do fail. Garcia says that’s actually a good thing.
“We’ve always taken the position that some pilots are going to fail, and that’s OK,” he said. “In fact, if none of our pilots ever failed, we’re probably not taking risky enough projects. And if the government is going to put taxpayer dollars into a pilot program, they ought to be doing things that aren’t so readily successful that they could be done without government funds. Our expectation is that some will fail.”