What two-factor authentication could really accomplish in government
- By Neville Pattinson
- Apr 09, 2015
President Obama garnered much attention in October of 2014 by signing an executive order mandating chip-and-PIN technology for all federally issued payment cards and terminals. In Section 3 of the executive order, the president outlined plans that would “ensure that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process, as appropriate.”
Because the standard username/password combination has proven vulnerable to hackers, multifactor authentication will, as the executive order says, “help ensure that sensitive data are shared only with the appropriate person or people.” The president’s mandate lays the foundation for implementing higher security standards.
So where do we go from here? How do we implement two-factor authentication, and where?
There are blueprints for making the case internally. When the Department of Defense introduced the Common Access Card (CAC) – which satisfies two-factor authentication – to cover physical and logical access and reached 100 percent agencywide coverage in 2006, the result was a dramatic 46 percent reduction in cyberattacks almost immediately. The challenge for other government IT managers is balancing requirements, security and convenience – the last of these being the key to ensuring user adoption.
One factor driving the adoption of smartcard technology in government and commercial markets in the United States is awareness. We, as an industry, are having the discussions on security; we have a seat at the table; and we’re presenting solutions to the issues that plague the market. Another factor is necessity. The need for modernization of our current authentication methods and for smartcard technology has never been stronger. Smartcards are a reliable solution that can shield against identity theft and fraud, ensuring the privacy of our clients as they interact, do business, grow and prosper.
The U.S. Social Security card is also overdue for an upgrade. Making the upgrade from the current paper card that been around since the 1930s and requiring an upgraded Social Security card to contain a smartcard chip would allow electronic authentication and nearly eliminate employment identity fraud problems. An electronic Social Security card would be:
- Tamper-resistant for protection against counterfeiting.
- Privacy-enhancing for the card holder.
- Dual-authenticating, with the use of PIN functionality.
A Social Security card that includes two-factor authentication technology via chip and PIN could also be used as part of the E-Verify program to prevent employment fraud, reduce complexity and save employers time and resources. Introducing an upgraded Social Security card in combination with the E-Verify initiative would give employers a simple, on-the-spot verification of a citizen’s employment eligibility.
Another major government program that could be vastly improved with smartcard technology is Medicare. Medicare fraud in the United States is estimated at $60 billion; upgrading the Medicare card to include a chip, and implementing a similar ID card for providers, would cut that in half. The dual-authentication factor in both recipient and provider smartcards would easily address various types of fraud prevalent in the current system.
Legislation known as the Medicare Common Access Card Act of 2014 or S.2586 proposes a pilot program under title XVIII (Medicare) of the Social Security Act for smartcard technology for Medicare beneficiary and provider identification cards. This would:
- Improve the accuracy and efficiency in the billing for items and services furnished by Medicare providers.
- Reduce the potential for identity theft and other unlawful use of Medicare beneficiary and provider identifying information.
- Reduce waste, fraud and abuse in the Medicare program.
The projected cost of the pilot program, if reintroduced, is $29 million, which would result in an estimated savings of approximately $30 billion – equivalent to a 50 percent reduction in Medicare fraud if fully deployed. The pilot program would be deployed in locations where there is higher probability for fraud and abuse, and reporting mechanisms would be in place to provide accurate data readouts on the program’s deployment and potential cost savings.
Along with businesses and consumers, the federal government is on the hunt for solutions related to personal privacy, secured identities and fraud prevention. An upgrade to a chip-and-PIN Social Security card, a chipped Medicare card and employment verification are just some of the tools being considered. Combining all of the different government identification documents into one smart card that could be used for programs like Medicaid benefits, food stamps and driver’s licenses could be the future. And as long as it’s done with security and privacy in mind, it’s a future I look forward to witnessing.
Neville Pattinson, CISSP CIPP CSCIP, is the senior vice president of government sales at Austin-based Gemalto North America. He is the technical vice-chairman of the Smart Card Alliance and sits on the board of NSTIC’s Identity Ecosystem Steering Group and can be reached at [email protected] or on Twitter at