Electronic security credentials could be used across agency applications if they were authenticated by a trusted party and based on a mobile phone or a driver's license -- items users are unlikely to lose or misplace.
When it comes to issuing credentials to employees, government agencies benefit from an additional authentication step that is not well appreciated: At some point in the hiring process, a trusted human resources manager or supervisor physically meets with new hires and verifies their identification documents.
When providing online services, however, that personal touch is not always possible. And even if a credential is issued via a reliable channel, if it's only used once a year there's a good chance an individual will lose it or not notice it was misplaced until months later.
Experts say the answer is to base the security credential on something that a person would be careful not to lose and would quickly replace if they did -- such as a primary payment card, a mobile phone or a driver's license, said Andre Boysen, chief identity officer at SecureKey Technologies.
And, in fact, smartphones and driver's licenses are increasingly being used to authenticate people when they access government websites. In Canada’s British Columbia, for example, driver's licenses include an EMV chip, the same kind of secure technology found in the latest credit cards.
"EMV is global, and it's proven, low-cost and very trustworthy," Boysen said.
To log into a system that requires maximum proof of identity, a user taps his driver's license against his phone. The system checks that the license has not been reported lost or stolen before confirming the user’s identity.
MorphoTrust’s eID system also uses driver's licenses when authenticating users for the first time but without the benefit of an EMV chip. Mark DiFraia, senior director of market development at MorphoTrust USA, said the mobile app works by first having the user to scan the bar code on his or her driver's license. Then the user is asked to flip the license over so the app can see the front. Finally, the user takes a selfie. That picture is compared to the photo on the driver's license before final approval is granted.
Once the app has authenticated the driver’s licenses, whenever users want to log into a secure government website, they use their smartphones to scan a QR code shown on the computer screen rather than entering a username and password.
The system is currently being tested by the North Carolina Department of Health and Human Services and Department of Transportation and by the departments of revenue in North Carolina and Georgia. The pilots are funded by the National Strategy for Trusted Identities in Cyberspace, a project of the National Institute of Standards and Technology.