US Treasury moots digital ID grants in FIDO webinar
The FIDO Alliance co-hosted the Identity, Authentication, and the Road Ahead Cybersecurity Policy Forum earlier this week, together with the Better Identity Coalition, and the ID Theft Resource Center (ITRC).
As the name implies, the two-day event saw representatives from government and industry discussing current and future policies, challenges, and opportunities for identity and authentication.
The top take-away from the event may be the determination of the U.S. Treasury, as explained by Assistant Secretary for Terrorist Financing and Financial Crimes Elizabeth Rosenberg, to make 2022 a “year of action” on digital ID.
“As a policy matter, digital ID has the potential to immediately and dramatically improve how we protect our national security and financial security,” she said.
In a bid to ensure strong authentication is adopted, not just considered, Treasury is considering the establishment of a voluntary grant program, which would help states support digital identity apps, including mobile driver’s licenses (mDLs).
The first day of the event opened with a joint keynote from Susan Gibson, chair of the U.S. Pandemic Response Accountability Committee (PRAC) Identity Fraud Reduction & Redress Working Group, and Jeremy Grant, coordinator of the Better Identity Coalition.
During the session, Gibson and Grant discussed the effect of the pandemic on identity verification, and how aid fraud rates have increased substantially over the past two years.
In a separate webinar, James Lee, chief operating officer of ITRC, corroborated this trend with data from the company’s 2021 End-of-Year Data Breach Report.
Additional sessions during the day covered other aspects of digital identity, including for travel and in accessibility applications.
The second day of the FIDO webinar focused on the future of authentication, kicking off with a keynote from Eric Mill, senior advisor at the White House Office of Management and Budget (OMB).
Mill mentioned OMB’s federal zero trust strategy draft, published in September 2021, and noted how phishing is still one of the biggest issues in enterprise security.
“We are trying to create a clear baseline for civilian federal agencies around not using multifactor authentication methods that don’t resist phishing,” he said.
To counter these attempts, Mill said PIV (Personal Identity Verification) cards are a good start, but that more state agencies should consider a broader approach, using FIDO WebAuthn platform authenticators.
Mill’s session was followed by Andrew Shikiar’s, the executive director of the FIDO Alliance.
Shikiar highlighted how FIDO should not be perceived as a ‘checkbox item’ for multi-factor authentication (MFA). Instead, it should be the foundational architecture upon which to build secure connected services that are critical to today’s networked society.
Pam Dingle, director of Identity Standards at Microsoft, took the floor as part of a panel after Shikiar, discussing the barriers to MFA adoption, and calling for improved identity proofing, particularly from a technological standpoint.
The point was also echoed by fellow panelists Christine Owen, director of Advanced Solutions and Cybersecurity at Guidehouse, and Grant Dasher from CISA.
The final part of the FIDO webinar focused on identity in relation to the banking system.
Both Sultan Meghji, chief innovation officer of FDIC, and Kay Turner from FinCEN noted how many of the things that bring risk to the financial sector in the U.S. are anchored on identity.
“Identity is at the heart of all financial services, and it’s core to trust,” Turner said. “So we recognize that the ability to assess risk is only as good as your ability to figure out with whom you’re engaging.”
The last session of the event was a keynote speech from Carole House, director for Cybersecurity and Secure Digital Innovation, White House National Security Council (NSC).
In the session, House stressed the importance of identity for national security.
“Many cyber incidents that we’ve seen involve vectors of compromise that could have been thwarted through stronger identity and access management solutions, including implementation of multifactor authentication solutions,” House explained.