When the General Services Administration’s 18F organization announced it was taking on the long-standing challenge of identity authentication and credentialing for government services, my first thought was “here we go again.”
Another group thinking they could find the answer to a challenge that three other attempts before them struggled to come up with.
It’s not a matter of building the killer app for citizens, and eventually businesses and other government organizations, to securely log into federal services, but of building an online approach that people trust and find easy to use, and that recognizes and uses existing private sector practices.
Through Login dot gov, 18F plans to build a platform for users who need to log in to government services. They say they plan to work with the National Institute of Standards and Technology, the Office of Management and Budget and GSA’s Federal Acquisition Service.
“Every consumer-facing service the government offers will benefit from this platform, enhancing the privacy and security of online interactions for the public and for agencies,” 18F wrote in its blog post. “To build this login platform, we’re using modern, user-friendly, strong authentication and effective identity proofing technology. This new platform will leverage the extensive lessons we’ve gained from agency efforts in the past, including lessons learned from our counterparts in the UK who built GOV.UK Verify.”
And there are a lot of past history lessons to learn from.
Most recently, GSA and the Postal Service teamed on developing the Connect dot gov platform. A GSA spokeswoman confirmed the Connect dot gov pilot would be ending. The Postal Service declined to comment on the status of Connect dot gov.
Another recent pilot that is ending is the MyUSA platform, started in 2014 by 18F as an approach to register, sign-in and manage digital interactions with the government.
Before these two tests, GSA also tried to solve the identity management puzzle through an initiative called E-Authentication in the 2000s, and in the late 1990s through something called the Federal Bridge—both found minimal success in making it easier for agencies to adopt secure, online transactions.
An industry expert, who requested anonymity because their company does government business, said the fact this type of effort has struggled greatly over the past 15 years should be a warning sign 18F should consider.
“It looks like they are trying to create their own identity credentialing effort and it’s unclear if they will use third party credentials,” the source said. “Maybe a government option is good, but not if it’s the only option. I think the focus on the government to citizen is good where Connect dot gov was doing every part of the sector. My concern is what information are they collecting and keeping and secure with safeguards around it.”
The source said agencies were starting to use Connect dot gov at lower levels of security so this is almost like starting over again, which is frustrating for many agencies.
A GSA spokesperson said part of the reason for the new project is Connect dot gov was too hard to use.
“Connect.gov and MyUSA were platforms that were built as pilots to determine how we could best solve the identity problems for both the public and for individual agencies,” said a GSA spokesperson in an email to Federal News Radio. “Both of those pilots are coming to a close and have allowed us to learn how to build an identity platform to scale. The pilots and the identity solutions within individual agencies have both given us a great starting point, and we expect to continue to learn and iterate as we build the next generation identity platform.”
Jeremy Grant, the former director of the National Strategy for Trusted Identities in Cyberspace (NSTIC) program and now a managing director with the Chertoff Group, said he hopes GSA’s efforts succeed.
“Connect dot gov was never about a technology, it was about the idea that citizens should not have to prove that they are not a ‘dog on the Internet’ every time they go online, and that by solving that problem, government could enable agencies to launch a new wave of high value digital services for the American people,” he said. “The next wave of digital government applications can’t happen without this.”
Grant may have highlighted the biggest reason why 18F will be successful or could fail.
18F must go against its reputation—deserved or not—that its developers believe everything that came before them was “crap” and they are the smartest people in the room.
Whether it’s Connect dot gov or the 2011 memo from former federal CIO Steve VanRoekel calling for agencies to take advantage of third-party credentials, 18F should build on the existing infrastructure, policy and understandings that agencies hold.
Remember it’s not just citizens who have to find Login dot gov easy, but agencies have to accept it too.
The GSA spokesperson said 18F wants to use third-party credentials, but is unsure of its plan yet.
“We’re evaluating the right way to use this feature but want to make sure it doesn’t confuse people,” the spokesperson said. “Previous attempts at using third party credential providers by Connect dot gov led to user confusion. We’re making these decisions to maximize security, usability, and privacy.”
Grant said the use of third-party credentials was a key success factor in the United Kingdom’s initiative.
“That enabled them to build a great partnership with the private sector to deliver the program. In the U.S., GSA has recently pivoted from this approach – I’m now getting a lot of questions from the firms that had gone through the exhaustive and expensive process GSA established for getting their solutions accredited for government use,” he said. “The private sector partners are asking whether they are still partners, whether there is still a place for them in this government identity ecosystem. In the UK, they know where they stand; in the US, not so much now. GSA may have reasons for this, but when a decision is made to change horses midstream — abandoning their original approach — that equates to a conscious decision to push back delivery of a real solution agencies can use to start offering more high value, citizen-facing digital applications.”
18F also has to get buy-in from several agencies quickly to spread the Login dot gov concept across a wide breadth of users because if vendors see agencies heading down their own paths with online transactions, traction will be minimal.
This factor was an important success metric for the U.K. Grant said in the U.K., the Prime Minister’s office empowered the Government Digital Service team to shut down any programs that duplicated their efforts.
“In contrast, in the US, while the White House indicated that all agencies should use the shared service, there has not been any real consequences for agencies that go their own way,” Grant said. “So U.S. efforts depended more on a ‘coalition of the willing’ when it comes to agencies adopting this approach. And that makes things go slower.”
So the other key ingredient is how much political capital OMB is willing to spend on this project.
The GSA spokeswoman said 18F plans to integrate multiple agencies to the platform by the end of this year.
One positive aspect of the program is that 18F is smart enough not to try to “eat the apple in one bite,” going after only the citizen-to-government piece first. But at the same time, it’s also the biggest hurdle to overcome to gain the trust and use of the platform.
Maybe the business-to-government portion would be a better starting place, as there is a larger degree of trust and comfort in sharing information between the two sectors.
Really no matter the path 18F takes, it’s clear if they do not understand and listen to those who have come before them and failed, they too will suffer the same fool’s fate.