Cybersecurity training for the average employee of any organization will tell you that cyber breaches are almost always the result of a lack of vigilance. One employee doesn’t notice the suspicious email address, clicks a link, and sets in motion a chain of events that ends with millions of people enrolled in identity theft protection.
But most people aren’t cybersecurity experts, or even passingly conversant. As cybersecurity requirements trickle down to the user level, security fatigue becomes a problem. Lack of understanding, fatalism about the inevitability of a breach, or even sheer laziness can lead people to reuse passwords and skip two-factor authentication. For people to use a cyber solution, it has to be easy enough for the layman to understand without difficulty.
“Balancing ease of use and strong security is especially important now,” said Phil Lam, the executive director of Identity at the General Services Administration’s Technology Transformation Service. “When we think about digital identities, we view them as a mechanism for the public to more easily and safely engage with government.”
Security questions are outdated as a method for establishing identities in the modern environment. Much of that information – mother’s maiden name, previous addresses, childhood pets – can be found by cruising social media profiles. On the other hand, biometrics have potential as a much more reliable way of establishing identity, if their use can be standardized.
In fact, biometrics can be used in a way that mirrors physical security standards, such as those involved in the Common Access Card (CAC) process. Some new possibilities that are starting to see use are matching user selfies with on-file photos, and proofing – matching fingerprints on a mobile device with those collected in-person at a government facility, such as the DMV.
But different levels of identification are required for different levels of access. Proving identity can be necessary for full access to services or networks, like in the case of an employee or frequent customer. But surface interactions or infrequent contact, such as sending a one-time user comment or satisfaction survey, may just require the user to prove they’re not a bot.
Federal agencies need to apply risk management approaches to identity verification and authentication. Frequency of interaction needs to be considered, and the friction encountered by users needs to be proportional to risks.
One example of balancing ease of use with security is Login.gov, which allows citizens to access a number of participating government services online through a single portal, rather than having to create and verify an identity for each agency. It’s standardizing customer experience across government while being easy enough that it doesn’t provide a barrier to use.
Some agencies are taking this a step further, envisioning blockchain-based solutions for communities with similar services that can share digital identities and verifications. As long as these are trusted partners, one agency can piggyback off the verification work that’s been done by another agency. That provides a certain level of trust, and doesn’t require someone to verify identity in person to match up with their digital identity every time.
Mobile devices present both potential vulnerabilities and solutions in identity verification and authentication. They’re particularly vulnerable to intrusion, but provide agencies with additional vectors to match digital to physical identities.
“Knowing that you’ve seen a particular device before and that it is a trusted device is an important signal,” said Kimberly Sutherland, vice president of fraud and identity strategy at LexisNexis Risk Solutions. “It changes the way you’re going to do your decisioning around that transaction that’s coming in remotely.”
Through biometrics, device ownership can be tied back to a person. Facial recognition, fingerprints, even gait analysis – the motion of the device as someone walks with it on their person – can indicate whether it’s in the possession of the person it belongs to, or whether it’s been stolen.
Usage patterns can likewise indicate whether the interaction is with a human or a bot. Anomalies in patterns of device usage, such as location data, can raise red flags. If someone spends six months accessing services from Northern Virginia, and then location data suddenly indicates they’re in China, that is a potential threat that warrants investigation. The same applies if their usage consistently occurs between 9 a.m. and 5 p.m., and then they suddenly access services in the middle of the night.
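As an added illustration of the device and usage signals described above (this is example code written here, not code from the article, GSA or LexisNexis), the following Python scorer builds a baseline from a constructed six-month login history and rates a new remote transaction on three signals: unseen device, new region, and unusual hour. The weights and go/step-up/no-go thresholds are assumptions chosen for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed history: six months of logins from Northern Virginia ("US-VA"),
# one known device, business hours only (09:00-16:00). Values are made up.
HISTORY = [
    {"ts": f"2024-{m:02d}-{d:02d}T{h:02d}:15:00", "device": "dev-A1", "region": "US-VA"}
    for m in range(1, 7) for d in (3, 17) for h in range(9, 17)
]


def build_baseline(events):
    """Summarise what 'normal' looks like for this account."""
    return {
        "devices": {e["device"] for e in events},
        "regions": {e["region"] for e in events},
        "hours": Counter(datetime.fromisoformat(e["ts"]).hour for e in events),
    }


def score_event(event, baseline, min_hour_count=3):
    """Return (score, reasons) for a new remote transaction.
    Weights are assumptions for illustration, not a vendor model."""
    score, reasons = 0, []
    if event["device"] not in baseline["devices"]:
        score += 40
        reasons.append("device not seen before")
    if event["region"] not in baseline["regions"]:
        score += 40
        reasons.append(f"new region {event['region']}")
    hour = datetime.fromisoformat(event["ts"]).hour
    if baseline["hours"].get(hour, 0) < min_hour_count:
        score += 20
        reasons.append(f"unusual hour {hour:02d}:00")
    return score, reasons


def decide(score):
    """Map score to proportional friction (assumed thresholds)."""
    if score >= 60:
        return "no-go: route to investigation"
    if score >= 20:
        return "step-up: require second factor"
    return "go"


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    night_abroad = {"ts": "2024-07-02T03:00:00", "device": "dev-A1", "region": "CN"}
    s, why = score_event(night_abroad, base)
    print(s, why, decide(s))
```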
“The importance is being able to tie the identity to the threat or risk so that the government agency can make the appropriate risk decisions, whether it’s on the eligibility or a go/no-go for getting into a system,” said Andrew McClenahan, solutions architect at LexisNexis Risk Solutions.
Ultimately, any security solution is only secure as long as people will use it. Agencies should take a risk management approach to determining the right amount of security for any particular interaction, and the most frictionless way to implement it.