Citizen Authentication and Mobility
State governments, municipalities and other local agencies can sometimes struggle with authenticating their citizens, particularly in an increasingly mobile world. Effective identity and access management is vital to protecting sensitive data but must be balanced against the need for citizens to have access to their own information. It’s important for state and local governments to think about how they implement citizen authentication systems, maintaining a balance between ease-of-use and securing the personal and private details of users. HID Global recently hosted a webinar on IAM for local government and employees, featuring some thought leadership and lively discussion on the best methods for approaching citizen authentication and mobility, supported by relevant policies, training and compliance. We’re delighted to share some of the key thinking below.
The Challenges with Citizen Authentication
Mobility adds complexity to identity and access management for citizens in several ways. One of the most important considerations when asking citizens to authenticate themselves is the wide range of technical expertise, general understanding, access to technology and other potential obstacles across the whole population. For example, people under the age of 50 are likely to be comfortable using a smartphone linked to an authentication platform to prove who they are, while people over the age of 65 may be less comfortable with such technology. This means any authentication and mobility platform needs to take all user needs into account.
Rajeev Rao, Chief Technology Officer, Office of Information Technology Services in the state of New York, makes the point that although smartphone authentication technology is beneficial, there would be enormous pushback from agencies if that were the only way for citizens to authenticate themselves. “There's a practical aspect of this, where if your user base is going to be in the generation where they don't own a smartphone, then you must have a broader policy to allow other channels of authentication.”
Another important aspect is the security of the devices themselves. As Jerry Cox, Director of Business Development at HID Global, says, “There is software that allows mobile phones to be used as authentication devices. This brings together two vital aspects of authentication—that you are who you say you are and that you have access to a specific, secure device—multi-factor authentication, which can work well for citizens with smartphones. We can also authenticate back to phones. You can ensure that if people have sensitive data like health information, that their phones are protected.” Balancing these factors is essential to selecting a citizen authentication platform.
Features of an Ideal Citizen Authentication System
Our webinar participants identified several features necessary to make authentication as wide-ranging and appealing as possible to citizens:
- Multiple channels of authentication, including smartphones, biometrics and other methods
- Adaptability to use various authentication methods, based on demographics and other end-user characteristics
- The ability to verify and authenticate the age of the citizen for age-restricted services
- Driving a seamless customer experience
- Adherence to regulations and compliance requirements at the federal level and in collaboration with other state and municipal level agencies
This last point is especially important when it comes to areas like financial records, taxes or criminal records. There’s also a wide variety of controls that individual agencies at both a state and federal level apply to access. For example, IRS employees are locked out of a system for 15 minutes after three unsuccessful password attempts, while the FBI locks employees out after five unsuccessful attempts. These controls can also have an impact on the citizen, as Jerry Cox explains, “We've got different requirements from different agencies in terms of identity, for example around electronically prescribing controlled drugs. There's a requirement coming as part of the Cures Act where every state must prescribe electronically if they want to be reimbursed by CNS. So the requirement there is that the people be identity-proof to a certain level in accordance with standards, using multi-factor authentication.”
States are Taking Their Own Approach to Citizen Authentication
The most prevalent approach to local government citizen authentication seems to be for each state to adopt its own implementation. As Todd Kimball, Deputy Executive Director, Department of Information Resources, and Chief Information Officer of the state of Texas says, “In Texas, we want to flip the approach so that agencies look at how citizens actually consume their services. We're building out a portal that we're going to leverage, using a third party for our identity processes, including biometrics and facial recognition. Once a citizen has created an account, we’ll use a unique identifier that we can share with different agencies that will be linked to that citizen’s data. That minimizes the impact on agencies as they don't have to do a lot of work but it gives us the ability to sort of create a pseudo record of a citizen without really anybody owning that record.”
Integrating Authentication with Existing Legacy Systems
One of the main drivers behind a state-by-state approach is a combination of unique business processes and the legacy software and hardware used in the majority of state and local governments. This can create significant inconsistencies in the customer experience if these systems are not properly integrated with a citizen authentication system. It also creates issues with providing proper help desk and IT support. The right citizen authentication system should integrate relatively smoothly with existing processes and technologies to make the whole interaction as friction-free as possible.
Getting Buy-In Is Critical
Getting local and state agencies on the same side is essential to the success of any citizen authentication system. The last word here goes to Todd Kimball, “One thing that has become obvious is the need to take an “opt-in approach” not only for the citizens but also for our partner agencies and the services that they deliver online. We are seeking voluntary participation and deploying these services digitally. The agencies have to agree to participate in this new strategy and vision, and we know some of the agencies may be a little bit reluctant to try something new. We work really hard to try and identify who that lead steer is and get that one steer moving in the right direction, and then the herd follows.”
Watch the Federal News Network roundtable in three convenient segments: part one, part two and part three.
Yves Massard is responsible for the product marketing effort in HID Global’s Identity and Access Management (IAM) government business. While at HID, Yves assisted in creating the US DoD Common Access Card, ActivID™ CMS—the market-leading PIV credential management system—and ActivClient™, market-leading middleware. Yves received a Masters Degree in Computer Science from the Institut National des Sciences Appliquées de Rennes and an MBA from Saint Mary’s College, California.
Sources and expertise include:
- Todd Kimball, Deputy Executive Director, Department of Information Resources, and Chief Information Officer of the State of Texas
- Rajeev Rao, Chief Technology Officer, State of NY Office of Information Technology Services
- Doug Robinson, Executive Director, National Association of State Chief Information Officers
- Jerry Cox, Director of Business Development, HID Global