Feds Push Single Sign-on for Government Agencies
Consumers with accounts at e-commerce companies may find their passwords opening another set of virtual doors: those leading to certain U.S. government websites. The feds want a one-stop system of ID authentication for access to agency websites such as Social Security's, and they are considering partnering with private sector companies to make it happen.
Jan 30, 2013 5:00 AM PT
The United States Postal Service (USPS) is hosting a pilot project with the goal of simplifying the account ID process for all federal agencies. One possible solution: allowing citizens to use their existing e-commerce accounts to access agency websites.
The USPS has admitted that while electronic mechanisms enable federal agencies to provide some online government services, the process "creates a burden to the citizen to manage a username and password for each agency application they need to access -- as well as a costly burden on each agency to issue and manage these usernames and passwords," the agency said in a statement.
The Postal Service knows that many high-value federal applications can't go online because passwords alone don't provide the desire level of assurance. The agency also knows that the next generation of online government applications will require multi-factor authentication.
To meet its goal, USPS wants to create a one-stop simplified identity mechanism for all federal agencies by utilizing already existing consumer accounts, such as those issued by retailers or financial institution.
Vendors sought for ID program
"USPS has been tasked with implementing a prototype software solution to enable citizens to use commercially-issued digital credentials to access government services online with greater security, privacy and efficiency," said the Postal Service in a statement provided to the E-Commerce Times by spokesperson John Friess.
IT vendors have until February 11 to respond to a USPS procurement solicitation for the user account ID project. The agency hopes to begin working with a dedicated supplier in the spring of 2013 and wants to begin trials on a prototype solution in the fall.
The project is being conducted within the framework of the National Strategy for Trusted Identities in Cyberspace (NSTIC), initiated by President Obama in April 2011. The NSTIC calls upon federal agencies to "lead by example and implement the identity ecosystem for the services it provides internally and externally."
To manage the initiative, the White House established a Federal Cloud Credential Exchange (FCCX) "Tiger Team," co-chaired by the National Institute for Standards and Technology (NIST) and the General Services Administration (GSA).
"GSA is one of several government agencies supporting the initial trial of the proposed FCCX, which will deliver a secure digital platform that will make it easier for citizens to use government websites. GSA will provide policy and guidance for this effort," the GSA said in a statement provided to the E-Commerce Times by spokesperson Dan Cruz.
A possible working scenario for how a consumer would utilize the system: a federal agency would list a number of popular commercial sites, such as Amazon or PayPal, on its web page. A citizen tapping into the Social Security Administration (SSA) web site would click on the name or logo of the commercial entity where the consumer has already established an account.
The government site would then display the commercial entity sign-in page and the consumer would enter an existing user name and password. With his or her identity verified via the commercial link, the citizen would continue on to the Social Security site.
"But the commercial site would be prevented from collecting information, or even knowing who was using its access code to enter the Social Security site," Lefkovitz said. Only the consumer's computer verification token would be used to authenticate his identity for accessing Social Security. None of the Social Security transaction information would be revealed at all to the commercial site.
The SSA would also not be directly involved in the identity verification process because the agency site, which displayed the commercial logo, would be linked into an independent government-wide identity clearinghouse serving as a verification mechanism for all federal agencies.
"USPS aims to work with the supplier to develop a service that will not decrypt or store any personally identifiable information," said USPS. "Resolving the privacy and security concerns is critical to the successful deployment of the service."
Leveraging a trusted brand
"The Postal Service was chosen to lead this technology initiative because it is a trusted brand and has exceptional experience and capabilities managing digital privacy and security," the agency said.
At a preliminary information session last summer, USPS and GSA outlined the desired vendor capabilities: the ability to participate in a shared service cloud environment involving multiple agencies; abstracting and streamlining business relationships with government-approved credential providers at all levels of assurance; user enrollment services; and scalability.
"FCCX will enable agencies to more easily offer online a variety of citizen-facing services that are currently mired in the paper world," USPS said.