A discussion on the progress in the United States in using and establishing eID digital identity credentialing and other opportunities to use eIDs that are under consideration
by Gemalto
Trust in an identity is fundamental to our society, enabling individuals to interact with government agencies, businesses and one another. Yet in today’s technologically advanced and interconnected world, trust in and protection of identity has become increasingly problematic in the United States.
Identity theft has been the number one consumer complaint to the Federal Trade Commission (FTC) for more than 10 years in a row, and the FTC estimates that as many as 9 million people have their identities stolen every year. More than 535 million U.S. personal data records have been breached since 2005, when public disclosure of breaches first became required by law in California. Fraudulent use of identities costs government agencies billions; the Department of Justice estimates that Medicare fraud alone is $60 billion per year.
In addition, stolen or fraudulent identities are so widely used globally in illegal drug trafficking, money laundering and terrorist financing that policymakers mandate customer identification programs for financial institutions and other regulated companies under the Bank Secrecy Act and the USA PATRIOT Act. Meanwhile, 40% of registered online identities are fake, according to industry estimates.
Clearly, problems with identity theft and the fraudulent use of identities are rampant, and they hurt individuals, businesses and government programs through direct fraud losses, remediation costs and lost time. One of the primary factors underlying these problems is the lack of security features in government-issued identity credentials. For example, Social Security cards have no security features at all, even though the Social Security number is one of the most frequently used personal identifiers in America.
Primary documents
Driver’s licenses issued by U.S. jurisdictions are also a primary identification document in our society. While fraudsters continue to produce realistic counterfeits of many states’ driver’s licenses and ID cards, little has been done to improve the basic document. Adding a chip to the document greatly increases the difficulty of counterfeiting it and also offers states cost savings by consolidating how they interact with their citizens. Today states issue citizens multiple identity documents for many purposes, such as fishing, hunting and concealed-carry licenses and benefit programs such as Medicaid and WIC. All of these programs could be consolidated into one multi-application eID on the driver’s license, reducing the number of times a state collects and maintains identity information. The chip also brings privacy protections: a service can be given only the minimum information required to grant access, unlike today’s plastic card, from which all of the holder’s printed personal information is readable by anyone who handles it.
Similarly, Medicare and other health insurance ID cards lack security features, exposing all stakeholders to pervasive fraud problems. There are, however, many government programs in the United States and other countries that are protecting identity and re-establishing trust by implementing electronic versions of secure documents such as passports, national ID cards, driver’s licenses and healthcare cards. These eID credentials are equipped with an electronic component based on smart card technology that is either embedded within the card or, as in the case of passports, within the cover or a polycarbonate data page. eIDs provide stronger security than their conventional counterparts: they prevent counterfeiting or alteration of the document and protect citizens’ privacy and identities.
They also enable two-factor authentication for more secure delivery of online services for eGovernment, eHealth and eCommerce. Two-factor authentication is the use of something you have, the eID, in addition to something you know, a PIN code or password, in order to access information or conduct transactions. Another eID security option is to use something you are, a biometric such as a digital picture or fingerprint, as a second or even third authentication factor.
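The exchange described above, as an added example that is not part of the original article and not code from Gemalto or any card vendor: a software-simulated eID card that holds a secret key (something you have) and answers a login challenge only after the correct PIN (something you know) has been presented to the card itself. The verifier never sees the PIN, a fresh challenge is issued per login so a captured response cannot be replayed, and a retry counter blocks the card after repeated wrong PINs. The shared HMAC key, the retry limit of 3 and all identifiers and PINs are constructed for illustration; a real eID uses an asymmetric key pair so the verifier holds only the public key.

```python
"""Two-factor login with a simulated eID smart card (added example).

Illustrative code written for this page, not code from the original article,
from Gemalto or from any card vendor. Assumptions: a shared HMAC key stands in
for the asymmetric key pair a real eID uses, the retry limit of 3 is a
constructed value, and all identifiers, keys and PINs are constructed.
"""
import hashlib
import hmac
import secrets


class SimulatedCard:
    """Models the PIN gate and challenge-response logic of an eID chip."""

    MAX_PIN_TRIES = 3  # constructed; real cards also keep a retry counter

    def __init__(self, card_id, secret_key, pin):
        self.card_id = card_id
        self._secret_key = secret_key  # stays inside the "chip"
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._tries_left = self.MAX_PIN_TRIES
        self._unlocked = False

    def verify_pin(self, pin):
        """Knowledge factor: the PIN is checked on the card, never sent to the verifier."""
        if self._tries_left == 0:
            return False  # blocked until an out-of-band unblock procedure
        candidate = hashlib.sha256(pin.encode()).digest()
        if hmac.compare_digest(candidate, self._pin_hash):
            self._tries_left = self.MAX_PIN_TRIES
            self._unlocked = True
            return True
        self._tries_left -= 1
        self._unlocked = False
        return False

    def respond(self, challenge):
        """Possession factor: only an unlocked card computes the response."""
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        self._unlocked = False  # one response per PIN verification
        msg = self.card_id.encode() + challenge
        return hmac.new(self._secret_key, msg, hashlib.sha256).digest()


class Verifier:
    """Relying party: issues a fresh random challenge for every login attempt."""

    def __init__(self):
        self._keys = {}
        self._pending = {}

    def enroll(self, card_id, secret_key):
        self._keys[card_id] = secret_key

    def new_challenge(self, card_id):
        challenge = secrets.token_bytes(16)
        self._pending[card_id] = challenge
        return challenge

    def check(self, card_id, response):
        """A response is valid once; replaying it fails because the challenge is consumed."""
        challenge = self._pending.pop(card_id, None)
        if challenge is None or card_id not in self._keys:
            return False
        msg = card_id.encode() + challenge
        expected = hmac.new(self._keys[card_id], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(verifier, card, pin):
    """Full exchange: PIN to card, challenge to card, response to verifier."""
    if not card.verify_pin(pin):
        return False
    challenge = verifier.new_challenge(card.card_id)
    return verifier.check(card.card_id, card.respond(challenge))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed at enrolment
    card = SimulatedCard("CARD-0001", key, "1234")
    verifier = Verifier()
    verifier.enroll("CARD-0001", key)
    print("correct PIN:", login(verifier, card, "1234"))  # True
    print("wrong PIN:", login(verifier, card, "0000"))  # False
    for _ in range(SimulatedCard.MAX_PIN_TRIES):
        login(verifier, card, "9999")
    print("after lockout, correct PIN:", login(verifier, card, "1234"))  # False
```

The point to take from the simulation is the split of responsibilities: the PIN check and the secret key live on the card, so a phished PIN alone is useless without the physical credential, and a stolen card is useless without the PIN once the retry counter runs out.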
ePassports
The most advanced eID program in the United States, and worldwide, is the electronic passport, or ePassport. An estimated 90 countries now deploy ePassports with highly secure features that prove the authenticity of the document and of its presenter, including their identity and country of origin. The ePassport illustrates many of the reasons why eID credentials are more secure, and while this initiative targets national security and the global war on terror, the same technology and methods can be used to protect identities and reduce the risk of fraud in any government-sponsored program. The U.S. ePassport is the same as a traditional passport book with the addition of a small, embedded integrated circuit (or chip).
In the United States and many other countries, the chip is embedded in the back cover. The embedded chip is a secure microcontroller with advanced cryptography and built-in sensors to detect attacks. The chip stores:
- the same data visually displayed on the data page of the passport
- the passport holder picture stored in digital form
- the unique chip identification number
- a digital signature to detect data alteration and verify signing authority.
These features and the chip make U.S. ePassports more secure than traditional passports. First, the electronic copy of the printed data page stored in the chip gives border protection officers a new tool to more tightly tie the bearer’s identity to the ePassport. Second, the secure microcontroller chip incorporated into the booklet significantly increases the difficulty of passport forgery. Unlike a traditional paper-only passport, when the ePassport is personalized and issued, the data written to the chip is electronically signed using the issuer’s digital signing key, the digital equivalent of a notary’s seal certifying a document. Once manufactured, personalized and digitally signed, no information in the chip can be changed, and any alteration of the stored data invalidates the signature.
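The signing and verification flow described above, as an added example that is not part of the original article and not code from Gemalto or any passport issuer. It models the structure the text describes: each data group written to the chip is hashed, the list of hashes (the security object) is signed with the issuer’s document-signing key, and an inspection system verifies the signature and recomputes every hash. Assumptions: the data-group names DG1 (machine-readable-zone data) and DG2 (photo) follow the ICAO 9303 convention, the signature is textbook RSA over a truncated SHA-256 with a deliberately tiny key built from two Mersenne primes, and all chip contents are constructed. Real ePassports use full-size RSA or ECDSA keys and a PKCS#7-format signed security object.

```python
"""Chip data signed at personalisation and verified at inspection (added example).

Illustrative code written for this page, not code from the original article,
from Gemalto or from any passport issuer. Assumptions: DG1/DG2 naming follows
ICAO 9303, the signature is textbook RSA over a truncated SHA-256 with a toy
key built from two Mersenne primes, and all chip contents are constructed.
"""
import hashlib

# Toy document-signer key: p and q are the Mersenne primes 2^31-1 and 2^61-1.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the issuer
PUBLIC_KEY = (N, E)  # distributed to inspection systems


def _digest_int(data):
    # Truncate SHA-256 to 64 bits so the value is below the ~92-bit toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def sign(data):
    return pow(_digest_int(data), D, N)


def verify(data, signature, public_key=PUBLIC_KEY):
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data)


def _sod_body(hashes):
    # Canonical byte encoding of the hash list, sorted so both sides agree.
    return "\n".join(f"{dg}:{h}" for dg, h in sorted(hashes.items())).encode()


def personalize(data_groups):
    """Issuer side: write the data groups and a signed security object (SOD)."""
    hashes = {dg: hashlib.sha256(content).hexdigest() for dg, content in data_groups.items()}
    return {
        "data_groups": dict(data_groups),
        "sod": {"hashes": hashes, "signature": sign(_sod_body(hashes))},
    }


def inspect_chip(chip, public_key=PUBLIC_KEY):
    """Inspection side: check the SOD signature, then every data group against it."""
    sod = chip["sod"]
    if not verify(_sod_body(sod["hashes"]), sod["signature"], public_key):
        return False, "security object signature invalid"
    for dg, content in chip["data_groups"].items():
        if dg not in sod["hashes"]:
            return False, f"{dg} not covered by security object"
        if hashlib.sha256(content).hexdigest() != sod["hashes"][dg]:
            return False, f"{dg} altered"
    for dg in sod["hashes"]:
        if dg not in chip["data_groups"]:
            return False, f"{dg} missing from chip"
    return True, "chip data authentic"


def alter(chip, dg, new_content, update_sod_hash=False):
    """Attacker model: rewrite one data group on a cloned chip. Without D the
    signature cannot be refreshed, so updating the hash list does not help."""
    altered = {
        "data_groups": dict(chip["data_groups"]),
        "sod": {"hashes": dict(chip["sod"]["hashes"]), "signature": chip["sod"]["signature"]},
    }
    altered["data_groups"][dg] = new_content
    if update_sod_hash:
        altered["sod"]["hashes"][dg] = hashlib.sha256(new_content).hexdigest()
    return altered


# Constructed chip contents: DG1 holds machine-readable-zone data, DG2 the photo.
SAMPLE_DATA_GROUPS = {
    "DG1": b"P<USADOE<<JOHN<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<",
    "DG2": b"\x89PNG constructed photo bytes",
}

if __name__ == "__main__":
    chip = personalize(SAMPLE_DATA_GROUPS)
    print(inspect_chip(chip))  # (True, 'chip data authentic')
    print(inspect_chip(alter(chip, "DG1", b"P<USADOE<<JANE<<<<")))  # (False, 'DG1 altered')
    print(inspect_chip(alter(chip, "DG1", b"P<USADOE<<JANE<<<<", update_sod_hash=True)))
    # (False, 'security object signature invalid')
```

Two checks matter here and both are exercised: a forger who edits a data group without touching the security object is caught by the hash comparison, and one who also rewrites the hash list is caught by the signature, because producing a new signature requires the issuer’s private exponent. The chip itself being write-locked after issuance is a separate control that the signature does not depend on.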
PIV and CAC cards
Perhaps the best model for how to better protect identities and establish trust with eIDs is the U.S. federal government’s own credentialing standard, the Personal Identity Verification (PIV) card issued to all federal employees and contractors, and the Department of Defense version, the Common Access Card (CAC). Like the ePassport, the PIV and CAC eIDs are smart cards with embedded microprocessor chips that make them highly secure and usable for many different applications.
Driven by the issuance of Homeland Security Presidential Directive 12 (HSPD-12) in 2004, the U.S. federal government has invested significant effort and resources in implementing robust, interoperable and governmentwide credentialing processes and technologies. The resulting standard, Federal Information Processing Standard (FIPS) 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, provides a framework of the policies, processes, and technology required to establish a strong, comprehensive program.
In addition to vetting identities and issuing millions of PIV cards, federal agencies have developed an infrastructure for using these interoperable credentials to support additional functions including:
- physical security, including facility access and video analytics
- logical security, including network and application access
- incident monitoring and response
- encryption and protection of sensitive data
State and local governments and other organizations can leverage the federal program. Two publications, Personal Identity Verification Interoperability (PIV-I) for Non-Federal Issuers (issued by the Federal CIO Council in May 2009) and PIV-I Frequently Asked Questions, provide states, local jurisdictions and commercial organizations with applicable standards and guidance. The PIV framework provides a strong foundation for planning and implementing an eID program at any level of government. In addition to its strong identity security and multi-application capabilities, it has a number of advantages for any government enterprise looking to better protect individual identities and reduce losses from fraud, including:
- mature federal standards
- a supporting framework of policies, processes and technologies
- availability of GSA-approved, compliant commercial off-the-shelf (COTS) products, backed by testing standards and laboratories at NIST and other labs
- the ability to use a single, interoperable and secure credential across multiple application areas
e-Commerce
Over 150 years ago there were several competing standards for the gauge, or width, of railroad tracks. When the Federal Government funded the first transcontinental railroad in 1863, it mandated the use of standard gauge tracks. That settled the issue and within four years all of the major rail systems in the United States had converted to standard gauge.
In 1933, after the private ownership of gold coins, bullion and certificates by American citizens was outlawed, the value of the Federal Reserve’s gold swelled from $4 billion to $12 billion but there was no place to store it. To secure the national treasure, the federal government built the U.S. Bullion Depository at Fort Knox, Kentucky. Even today it still holds roughly 2.5% of all of the gold ever mined. In retrospect, decisions to standardize the railroad track gauge and to build a secure gold depository seem obvious.
Today, however, our society’s interconnections, citizen and government interactions, and commerce are increasingly electronic transactions. Yet the problems that need government leadership are the same: standards and security. Unlike our nation’s gold reserves, our $10 trillion per year of Internet-based e-commerce cannot be placed into a single depository. Nonetheless, the need to protect e-commerce transactions and the identities of individuals participating in Internet-based transactions or government-funded programs is just as acute.
Government at all levels must provide the leadership on standards and infrastructure that can protect individuals’ identities in cyberspace, facilitate and secure e-commerce, and prevent the fraud and abuse that is rampant in important federal programs like Medicare.
Decisive action
The U.S. federal government has already established that eIDs based on smart card technology, and potentially biometrics, solve these problems and meet security and privacy requirements for individuals while maintaining trust and preventing fraud. Today smart card eID technology secures the U.S. and global electronic passport program, the U.S. federal government’s interoperable Personal Identity Verification (PIV) card, and the first responder identity credentials being developed under the auspices of the Federal Emergency Management Agency (FEMA), the Department of Homeland Security (DHS) and cooperating state and local governments. Federal, state and local government leaders need to take decisive action to broaden the use of eIDs to solve the problems facing Internet-connected and e-commerce-based societies.