Presenters at FIDO Authenticate bullish on government MFA policy
Subtitled ‘The imperative for strong authentication for government services,’ the event surveyed the progress being made to bring FIDO authentication to government digital ID programs.
Michael Magrath of OneSpan and Karen Chang of Egis Technology, co-chairs of the Alliance’s Government Deployments Working Group, reviewed large-scale FIDO deployments among North American, European and Asian governments.
The Canadian Digital Service deployed a pair of hardware-based security keys to prevent unauthorized access to all employees, to secure access while providing a backup. The Czech Republic’s CZNIC, the DNS registry which also operates the national digital identity provider, the eIDAS-accredited mojeID, has signed up 800,000 for easy FIDO2-based sign-on to government services. The system went into full production in September.
Sweden has deployed a federated digital identity system for its education system with support for authentication through FIDO’s Universal Second Factor protocol. The UK National Health Services Login app based on OpenID connect also supports FIDO authentication. The use of passwords with SMS based one-time passwords (OTPs) created barriers to use, NHS Digital found, prompting the adoption of biometrics for logins through FIDO UAF. America’s Login.gov service likewise supports FIDO.
Korea’s government has reached 14 million users with a system that enables FIDO-based authentication through fingerprint biometrics. In Thailand, the government is providing a reference site to help organizations set up multi-factor authentication with FIDO technology.
Policy deep dive
An examination of recent changes in how governments around the world perform remote digital authentication was led by Jeremy Grant of Venable LLP.
Grant noted the increased emphasis in government authentication on privacy and interoperability standards. That extends to governments making regulatory changes recently to accommodate FIDO-style authentication.
When he left his previous position with the Trusted Identities Group at NIST in 2015, Grant says FIDO authentication was barely known in government circles. At the time, PKI and one-time passwords were the common method, but FIDO is becoming widely preferred, he says, referencing guidance from NIST (specifically SP 800-63-3) and the NSA. For 800-63 identity assurance level 2 (IAL2), NIST is considering requiring phishing resistance, Grant notes. OMB’s draft strategy for zero-trust architecture also specifically requires phishing-resistant MFA, making reference to WebAuthn.
The developments in government authentication and digital ID in America are representative, Grant says, of trends across the world.
Designing trusted digital wallets
Canada’s efforts to build equitable digital ID wallets were presented by Digital ID & Authentication Council of Canada (DIACC) President Joni Brennan.
Best practices for digital wallet design are still largely things that governments should do, Brennan points out, rather than requirements to meet a standard.
The vision she laid out, drawn from the Pan-Canadian Trust Framework, is based on user control and privacy protections. DIACC is currently alpha-testing the framework and plans to soon introduce its first revisions, as the organization moves towards operationalizing the PCTF.
The Voila Verify program is DIACC’s information security auditor program, under which auditors will use the PCTF as a basis for assessments. The program will launch in early 2022.