In the midst of this year’s series of data breaches, government IT leaders are exploring their options in identity management and authentication to combat identity theft and insider threats.
Federal officials gathered during the 2015 Government Symposium to discuss the future of identity authentication, debating different forms of verification and when it’s appropriate to be cautious.
Michael Garcia, of the National Institute of Standards and Technology, said strong authentication simply depends on the situation.
“It’s about figuring out when the risk profile matches the strength of authentication,” he said. “I think one of the biggest things we need to avoid is tricking ourselves into thinking we always need strong authentication. I mean there are times a bad password is ok – if it’s an unimportant application the consumer wants to use a password – have fun. If it’s an application that’s high risk, individuals need the option to do something stronger.”
Deb Gallagher, special advisor for defense manpower at the Department of Defense, echoed Garcia’s stance. To that end, she advocated for the use of public key infrastructure (PKI) and smart cards within federal agencies, but cautioned that fingerprints and iris scans have not been embraced.
Also on the panel was Paul Hunter, deputy chief, Biometrics Division, DHS U.S. Citizenship and Immigration Services. He shared that his agency is beginning to implement identity authentication solutions in the citizenship application process – not only to secure identity but also to make the process less burdensome on immigrants. Hunter, originally from England, said he could personally attest to the trials and tribulations of the paperwork.
“It’s a lot of time for me, as an immigrant, to go to the Senate, take time off work,” Hunter said. “What we are starting to think about now, in terms of immigration, instead of being form-based, is to start to think about the person. Talk about the person – not the form.”
As the panel concluded, the resonating message was clear: identity theft cannot be obliterated – however, with proper practices and authentication, it can be managed.