How to protect digital citizen identities through identity management
- By Dean Scontras
- Aug 18, 2021
Securing digital citizen identities continues to be a top concern for federal and state governments. Over the past year and a half, the COVID-19 pandemic reinforced the importance of, and need for, secure authentication and credentials in a number of ways.
Primarily, the pandemic necessitated a proliferation of digital identities, as citizens required increased access to online government services. Unfortunately, this growth also highlighted a lack of identity security, as seen with fraudulent unemployment insurance claims filed using stolen identities. With this spotlight on securing citizen identity while also maintaining citizen data privacy, federal and state governments must implement government-to-citizen identity and access management (IAM) solutions that not only provide security but also improve the user (i.e. citizen) experience while protecting their data.
Strong authentication and access management plays a two-fold role. First, it will ensure citizens’ data, privacy and identities are protected from attackers. Second, an effective authentication tool will actually improve access and the overall login experience. For example, if a citizen has one strong login for multiple government services, not only is that more secure, but it also makes accessing those services more streamlined.
What makes securing citizen identity unique
Governments are now expected to offer citizens the same level of secure and seamless access as they experience in the consumer and corporate worlds. However, there are differences between workforce identity (i.e. identity for employees) and citizen identity -- the latter is significantly more complex.
With workforce identity, employees are given a single identity to access applications, an approach referred to as single sign-on (SSO). When it comes to citizen identity, users often create multiple different identities to access different services offered by the same government. For example, a citizen might have one login for renewing a vehicle registration and another for obtaining a state fishing license.
As governments rethink and restructure their digital services, they must rein in these disparate logins and create a cohesive login experience for citizens, similar to the SSO solutions they have constructed for their own workforce. However, these applications are different in many regards. Whereas workforce applications are third-party applications, citizen-facing applications are often customized, requiring an entirely different set of identity features. Given the unique challenges to securing citizen identity, the best IAM solutions are the ones that can be easily integrated across platforms.
The roadblocks, both avoidable and unavoidable
Breaking down siloed identities to create a single and seamless login experience requires governments to implement identity management as a holistic statewide strategy. While each agency faces its own unique set of challenges -- ranging from funding to staffing shortages, to potential compliance requirements -- the one roadblock that can be avoided is lack of awareness. Identity security and management will redefine government online capabilities, and it’s unacceptable for governments to not be aware of the risks at hand without strong IAM.
Like their private-sector peers, states must increasingly view themselves more like software companies that deliver digital citizen services and less like traditional government “agencies” where citizens have traditionally stood in line to have a piece of paper processed. Consequently, states are becoming increasingly dependent upon the developers who are actually helping to transform the citizen experience, which will be based on identity. Governments' path to secure IAM will be different depending on their abilities and resources. Some will be able to use a team of developers to build an IAM solution in-house while others will choose a third-party vendor. Regardless of the approach, long-term success for IAM solutions will rely on their usefulness for developers and compatibility with preexisting applications as they bridge from the old to the new.
Working with legacy systems is oftentimes one of the biggest roadblocks to implementing new security measures. Unsurprisingly, the best people for navigating system changes are developers. They are not only the most familiar with the system, but they also have the most skin in the game. Ideally, by using solutions that are easily integrated into new and existing applications, developers will be able to allocate their time and resources to modernizing and securing platforms.
Implementing a customizable government-to-citizen solution
Customizable IAM is a cornerstone of government services because the applications used are almost entirely custom built. With these unique application configurations, utilizing identity-as-a-service allows governments to implement security measures that meet the unique needs of their services without draining developer time and resources. Government-to-citizen IDaaS navigates the fine line between building both custom and secure applications that still allow for convenient user (citizen) access.
With an IDaaS solution, developers can adapt and extend their authentication services with a simple configuration, avoiding technical complexities and enabling greater speed of adoption.
With the right IDaaS solution, a government can implement features like SSO, self-service account management, consent and preference management, multifactor authentication, access management, directory services and data access governance.
Having a platform that is customizable, allowing developers to integrate directly into new and existing applications, strengthens features throughout IAM. Below are three core, customizable features of a strong government-to-citizen IDaaS solution:
- Single sign-on: By implementing an SSO experience, citizens can navigate between applications without having to reregister. This consolidated sign-on experience is crucial to ensuring a seamless citizen experience across government agencies.
- Multifactor authentication: MFA is one of today's gold standards for verifying identity. The solution supplements the traditional password with verification methods that draw on additional factors: something you know (like a password), something you have (like a cellphone) and something you are (like a fingerprint). Since this multistep process is much harder for hackers to fake, it is more secure.
- Consent and preference management: Automating the consent management process makes regulatory compliance seamless. It allows developers to focus on what they do best, rather than devoting time and resources to user consent collection and management or propping up a legacy solution.
Simply put, an effective government-to-citizen IDaaS solution ensures that citizens have convenient and secure access to their applications across government services. In order to achieve this balance, the solution must be customizable to meet the unique application needs of governments without burdening developers with building an in-house solution. With online government services rapidly expanding, now is the time for governments to step up and invest in citizen identity management to provide a user experience that meets the security, privacy and convenience expectations citizens have grown accustomed to in the consumer world.
Dean Scontras is vice president of SLED at Auth0 and Okta.