Evolving Government: Moving beyond passwords for seamless identity verification
It’s no secret that user authentication is one of the government’s biggest security vulnerabilities. Last year, the Commission on Enhancing National Cybersecurity called on the federal government to end all major breaches by 2021 in which identity—especially in the form of password theft—is the primary vector of attack.
In addition, a report by Thales and 451 Research shows that one of every three federal respondents experienced a data breach in the past year, and 65 percent indicated a breach at some point in the past. Nearly all respondents, 96 percent, consider themselves vulnerable.
Challenges with Passwords and 2FA
Technology leaders have predicted for years that the traditional password will end because it is not failsafe. Unsuccessful attempts to improve security by using two-factor authentication (2FA), typically via SMS, have repeatedly and richly rewarded attackers. This led the U.S. National Institute of Standards and Technology to withdraw support for SMS-based 2FA.
The sheer inconvenience of 2FA and multi-factor authentication often prevents people from using them. Mark Risher, manager of Google’s identity systems, has said that “users won’t accept more security than they think they need.”
A New Solution: Direct Autonomous Authentication
The search for frictionless identity verification, capable of protecting sensitive government and citizen data, while also providing an authentication experience that people will actually use, has led to considering devices rather than user input as the source of trust. Throughout government, users see this every day as they insert their CAC Card or PIV Card into their computers to authenticate their identity. But what about authentication through mobile devices that don’t have a card reader?
One way that smartphones and tablets are being leveraged for secure identity verification is through Direct Autonomous Authentication (DAA), which seamlessly integrates with ultra-secure entities that have already verified users—namely, mobile carriers, which instantly authenticate users every day in order to accurately bill the correct customer.
At Averon, we developed DAA to instantly authenticate users via the real-time mobile-carrier signaling and SIM card technology already found in every smartphone and other devices. A SIM card can be understood as a smaller PIV or CAC card. DAA, a patented, new type of user-authentication, is both automatic and requires no effort by the user. It relies on data the mobile carriers already have, which is impervious to being hacked, intercepted or otherwise compromised because there is absolutely no transmission of user information.
Bringing DAA to Citizen Services
Averon recently participated in the Dcode accelerator program to help bring DAA technology to government. With this technology, agencies can more seamlessly and securely engage with any citizen who has a mobile phone, thus simplifying citizens’ access to services, helping law enforcement combat crime, assisting in voter identity verification, and so on.
It’s time to move beyond passwords, 2FA, and other vulnerable and outmoded methods for identity verification.
Aaron Mahone is director of finance and operations at Averon. Previously a management consultant with KPMG, he also served as business development director for Greenlight Energy Group and as an auditor with the New York State Department of Health.