Another View: OMB's e-authentication policy isn't fully baked

Stephen H. Holden

A recent GCN editorial urged the Office of Management and Budget to complete its work quickly on revising its draft e-authentication policy, which closed for public comment in August. I would say, 'Slow down a bit so we can make a good product even better.'

Here's why:
  • You can't assess the impact of the draft policy without seeing the companion guidance from the National Institute of Standards and Technology. Given that the draft policy seems to be issuing requirements instead of suggestions (for example, four levels of assurance), the comment period for the draft policy should be extended until agencies and the public can also review the NIST technical guidance.

  • The OMB policy on centralization and standardization of e-authentication technologies seems to apply to solutions like public-key infrastructures and biometrics, but its applicability to personal identification number and password solutions isn't so clear. Are many agencies even planning to use the more costly and complex PKI?

  • The draft General Services Administration policy should probably be issued as OMB policy and combined with existing Government Paperwork Elimination Act guidance from OMB. The Federal Register notice indicates the draft policy 'updates the GPEA guidance,' but it is unclear whether it supplements or supplants it.

  • The policy should be much clearer that decisions about e-signatures, e-authentication and authorization are all the purview of business process owners. The discussion of the risk assessment and four assurance levels is too technology-centric in that it presumes that technology is the only tool available to the business process owner to mitigate risk.

  • The policy should be clarified to not equate e-signatures with e-authentication. It should not state that e-authentication is a predecessor to authorization. As a first-order piece of analysis, agencies should determine whether a given application requires an electronic signature, e-authentication or authorization. As the guidance notes, the three functions are different and, arguably, the vast majority of e-government systems require signatures as a legal requirement.

  • The policy should make clear that OMB does not intend to second-guess agency business process owner judgments on assurance levels or matching authentication solutions to assurance levels. If caught between two of the four levels, most agency decision makers are going to pick the higher. The prescriptive nature of the policy and the accompanying scrutiny from publishing their risk analyses are likely to drive agencies to overclassify, forcing them to develop costly PKI e-authentication controls commensurate with the overclassification.

  • The policy should acknowledge that non-PKI e-authentication solutions, such as self-select PINs, are appropriate for assurance levels 1, 2 and 3, if not encouraged. Taxpayers used self-selected PINs for more than 34 million electronic transactions last year.

Boiled down to its essence, I believe the draft policy on e-authentication is based on some core assumptions that are questionable. It's not clear that a monolithic solution to e-signatures and e-authentication will give agencies needed flexibility to match tools to the task based on their own risk analysis, reduce the burden on the public or result in dramatic savings to federal agencies. OMB should take its sweet time on this one.

Stephen H. Holden is assistant professor in the Information Systems Department of the University of Maryland Baltimore County. E-mail him at Holden@umbc.edu.
