FB pixel

Digital IDs mean manageable and critical change, FIDO tells US federal security leaders

Digital IDs mean manageable and critical change, FIDO tells US federal security leaders
 

Clearly appreciating that it was selling digital authentication to data-security officials in the inertia-guided U.S. federal bureaucracy, a FIDO Alliance panel speaking in a webinar spent a lot of time telling them not to panic.

New anti-phishing procedures are on the way, the panel said, but they come with practical levels of flexibility and don’t require replacing time-honored personal ID verification (PIV) credentials and common access cards.

The alliance members, in an accompanying white paper, stipulated that implementing single sign-on, life-cycle management, and digital identity risk assessments “are table stakes for federal zero trust implementations and prerequisites for U.S. government FIDO deployments.”

The panel discussion followed publication of the white paper, which is both detailed and high-level, giving bureaucrats guidance in deploying FIDO authentication. Both are results of a request by the White House to help accelerate FIDO systems and processes.

What has been delivered is more nuanced.

If PIV and CACs are already meeting your needs, that’s great,” said Tom Clancy, an engineer with government researcher Mitre and a panelist.

“Think about FIDO authentication as a replacement for phishable authentication,” Clancy said, “not as a replacement for PIVs and CACs.”

The white paper states that the goal should be “narrowing” what methods government employees use for multi-factor authentication. A better way of putting it would limiting ineffective tactics.

Digital ID credential and access management should include any step that is resistant to phishing, a component of the government’s zero trust strategy.

Agencies need to figure out which FIDO authenticator best fits their needs, said Zach Martin, a panelist and senior policy advisor at the law firm Venable.

Clancy and Martin were joined on the webinar’s panel by Teresa Wu of Idemia, who is also co-chair of the FIDO Alliance’s Government Deployment Working Group, Lisa Palma of LC&J Security Solutions and Joe Scalone of Yubico.

The report recommends that agencies run pilots for new-to-them authenticators and make sure processes including credential revocation and access control are effective.

Digital ID risk-assessments, or DIRAs, also have to be implemented as repeatable ways to judge anti-phishing procedures for multiple resources in various contexts.

Clancy said the DIRA process is especially important when implementation runs aground on cultural barriers.

Clancy said staff may push false choices, like that PIV cards and passwords are the only options. A risk assessment will provide a more objective, open-ended view of alternatives.

Indeed, he said that “in some agencies, there is a reluctant to approve alternatives.” That could be “contributing to a reliance on waivers or unsafe authentication” like passwords.

Article Topics

 |   |   |   | 

Latest Biometrics News

 

Idiap highlights biometrics research, open-source contributions for 2024

Idiap Research Institute has released its 2024 Scientific Report. Its research covers a wide range of digitally relevant topics, several…

 

Legal battle over Clearview AI’s origin takes a turn as accuser drops suit

Fortunes have swung in a long-simmering legal skirmish between biometrics firm Clearview AI and an extreme right wing commentator who…

 

China cracks down on facial recognition payments

Businesses in China dealing with facial recognition payments will have to comply with a new set of security standards released…

 

South African banks plan more branches to expand digital ID services access

Banks in South Africa say they plan to open more branches this year in order to facilitate access to Home…

 

Kenyan President signs Proclamation to facilitate national ID issuance in border communities

President William Ruto of Kenya has signed a Presidential Proclamation on Registration and Issuance of IDs to border counties in…

 

UK government declares deepfakes ‘greatest challenge of the online age’

A new case study published by the UK government does not mince words, or numbers: “The rise in deepfakes generated…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Viewed This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events