Future of identity and access discussed at Securing Federal Identity 2017
Several federal government representatives discussed the future of secure identity and access at the Secure Technology Alliance’s Securing Federal Identity 2017 conference in Washington, D.C. last week.
“It is clear from all of the great sessions and discussions last week – including advancements for derived credentials, innovative uses of technologies like near field communications and alternative authentication technologies, and a call-to-action to accelerate the adoption of interoperable identity and access solutions – that there is a real sense of urgency to push identity and security forward in government,” said Randy Vanderhoof, executive director of the Secure Technology Alliance. “With the majority of attendees from federal agencies, this event has become a hub for government and security executives and industry leaders to come together to make real progress in this space.”
In a presentation focused on federal identity programs and standards, speakers provided an update on the status of derived PIV credentials and expanding the use of PIV credentials to mobile devices.
They emphasized that while trust begins with PIV, the industry is researching ways to use different types of identifiers and authenticators on mobile devices to allow authentication at different levels of assurance for different applications.
The speakers also said that derived PIV credentials are currently being tested in some one-off developments for specific use cases and there is no standard implementation being widely adopted. However, they seemed optimistic that such an implementation could happen in the future.
In a panel, moderated by Anil John, Department of Homeland Security, on the DHS’s Identity Management and Data Privacy Research and Development Program, the heads of three federal program detailed the efforts surrounding innovative technologies for improving security, identity and privacy in government:
John Fessler of Exponent & Kantara Initiative talked about an ongoing project that enables the use of derived credentials over a secure near field communications (NFC) channel using Opacity technology on a mobile device for physical access control
Michael Queralt of Queralt, Inc. summarized the company’s research project on mapping PIV credentials onto FIDO-compliant devices to provide mobile users with easier access to applications and data while requiring a higher level of authentication
Devu Manikantan Shila of United Technologies Research Corporation detailed a project called Context Aware Security Technology for Responsive and Adaptive Protection (CASTRA) that uses analytics on mobile sensor data to learn various human behavioral traits to enable an active authentication capability.
Joseph Stuntz of Office of Management and Budget and James Sheire of GSA Office of Government-wide Policy discussed the impact of the new executive order strengthening the cybersecurity of federal networks and critical infrastructure.
The panel also discussed the GSA’s efforts for improving identity and security in government through their new IDManagement.gov website, which provides the federal government with digital assets that are easier to understand and can be easily updated as policies and regulations change.
In another presentation, Paul Grassi of NIST Trusted Identity Group discussed the NIST Special Publication 800-63-3 on “Digital Identity Guidelines” and its impact on government .
The document details the identity proofing and authentication requirements for Federal agencies implementing digital identity services, which Grassi confirmed are scheduled to be published later this month.
Grassi also unveiled NIST plans to build on these requirements by providing actionable guidance for implementation.
The day ended with a call-to-action discussion on what steps the industry can take to further accelerate the adoption of interoperable solutions for federal identity management and access security.
Moderator Randy Vanderhoof of Secure Technology Alliance, and federal government panelists Tim Baldridge of the Department of Defense, LaChelle LeVan of GSA/FICAM, and Michael Garcia of NIST Trusted Identity Group, discussed that current methods of identification and authentication for access are too single-sourced, and fail to provide sufficient flexibility for new and emerging use cases, such as remote access.
Panelists determined that there is no one-size-fits-all authentication solution for government, but rather, conceded that the industry needs more open, interoperable solutions that can be used for a wide range of use cases.
Earlier this year, the Secure Technology Alliance released a new white paper that examines the new authentication mechanisms and use cases of mobile identification authentication.