When a .gov Becomes an .org

When techies (the ones who developed Login.gov among other things) get fired from their government jobs, a website is sure to follow.

Here is how 18f.org begins:

“For over 11 years, 18F has been proudly serving you to make government technology work better. We are non-partisan civil servants. 18F has worked on hundreds of projects, all designed to make government technology not just efficient but effective, and to save money for American taxpayers.

“However, all employees at 18F – a group that the Trump Administration GSA Technology Transformation Services Director called “the gold standard” of civic tech – were terminated today at midnight ET.”

18F is Not a Female Who Can Vote (An Identity Verification Post)

If you are a government agency that uses Login.gov, or a U.S. citizen with a Login.gov account, you may be wondering about the future of the service. So am I.

Back in November 2023, I wrote a post that included the three letters “18F.” Specifically:

Obviously there are a number of private companies (over 80 last I counted) that provide secure access to information, but Login.gov is provided by the government itself—specifically by the General Services Administration’s Technology Transformation Services. Agencies at the federal, state, and local level can work with the GSA TTS’ “18F” organization to implement solutions such as Login.gov.

Now perhaps I’m, um, biased, but I happen to think that identity verification, whether performed by a public or a private entity, is kinda sorta important.

Which is why I took notice when I saw Brian Krebs’ Saturday night LinkedIn post. Here’s a short excerpt:

This is from the executive director of the 18F, the digital services agency within the General Services Administration (GSA) that develops open-source tools to improve digital services across the federal government.

“I am the Executive Director of 18F and 18F’s longest running employee- I have been at 18F for 10 years. You may not have heard of us, but last night proved that we are powerful. The way the administration ran to get rid of us under the cover of night and shut us down without warning proves that they were scared. They are too afraid to even speak to us.”

Krebs also links to a FedScoop article.

The General Services Administration has eliminated its 18F program, an internal team of tech consultants and engineers that develops open-source tools to improve digital services across the federal government. 

The announcement, which came overnight, is the latest in the Trump administration’s ongoing efforts to slash the federal workforce. It was foreshadowed weeks ago when Elon Musk, who’s become a highly influential and controversial voice in the White House, tweeted that the decade-old program had been “deleted.” 

At this point I am not sure how this affects future updates to Login.gov. As far as I know the service itself remains operational.

To be continued? Or not continued?

My “Banking Changes” Post Needs an Update

Back in July 2023, I wrote a post about financial remote onboarding which included a section entitled “Three changes in banking over the last fifty years.” The first change I addressed was locational change.

The first crack in the whole idea of “going to the bank” was the ability to bank without entering the door of the bank…and being able to bank on Sunday at midnight if you felt like it. Yes, I’m talking about Automated Teller Machines (ATMs), where the “teller,” instead of being a person, was a bunch of metal and a TV screen.

But when I was recently reading a Bluesky post from mclevin that stated (correctly) that the decline in tellers didn’t start with artificial intelligence but with automated teller machines, it occurred to me that even the once-revolutionary ATM is itself outdated in financial terms.

Think about it.

What are the two most important functions of an ATM?

  • To deposit paper checks.
  • To obtain physical cash.

I think you see where this is going.

While the ATM still fulfills these functions today, how often do we receive paper checks? And even if we do, why go to a distant ATM to deposit the check when you can often perform the same function using your mobile phone?

And how often do we use cash to pay for things? Often we use a card…or a mobile phone.

Will Entities Adopt the SITA-IDEMIA-Indico “Digital Travel Ecosystem”?

Thinking about “de plane” used in the Fantasy Island television series (image CC BY-SA 3.0) makes me think about travel. Mr. Roarke’s and Tattoo’s guests didn’t have to worry about identifying themselves to disembark from the plane and enter the island. But WE certainly do…and different countries and entities need to adopt standards to facilitate this.

I’ve previously observed that standards often don’t emerge, like Athena, from ivory towers. They emerge when a very powerful entity or person (for example, Microsoft or Taylor Swift) says that THIS is the standard, and waits for the world to comply.

Of course, there can be issues when MULTIPLE powerful entities or people try to champion competing standards.

But what if powerful entities band together?

SITA, the global leader in air transport technology, and IDEMIA Public Security, a world leader in digital technologies, biometrics, and security have announced a collaboration to advance interoperability, trust, and data security through a globally recognized Digital Travel Ecosystem.

Add Indico to the partnership, and perhaps the parties may be on to something.

From SITA.

The goal is to create “an open, secure, and interoperable framework that ensures a travelers’ digital identity is trusted globally, without the need for direct integrations between issuers and verifiers.” It is intentionally decentralized, giving the traveler control over their identity.

Perhaps it’s a fantasy to think that others will buy in. Will they?

Or will they instead select Taylor’s version?

Marketing Identity Product Privacy

When marketing digital identity products secured by biometrics, emphasize that they are MORE secure and more private than their physical counterparts.

When you hand your physical driver’s license over to a sleazy bartender, they find out EVERYTHING about you, including your name, your birthdate, your driver’s license number, and even where you live.

When you use a digital mobile driver’s license, the bartender ONLY learns what they NEED to know: that you are over 21. That holds only because the reader requests just the age_over_21 data element and the wallet shows the holder what was requested before releasing it. ISO/IEC 18013-5 selective disclosure limits what leaves the phone to what was requested and approved; a reader that asks for every element, and a holder who taps “share,” produce the same exposure as the plastic card.

Image source: GET Group NA, https://apps.apple.com/us/app/get-mobile-verify/id1501552424
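To make the selective-disclosure point concrete, here is a simplified re-creation of how an ISO/IEC 18013-5 mobile driver’s license lets a reader verify one element without seeing the rest. This is an added illustration, not code from this post, from GET Group NA, or from any mDL vendor; the HMAC standing in for the issuer’s COSE_Sign1 signature, the JSON encoding in place of CBOR, the issuer key and the sample holder data are all constructed for the example.

```python
"""Selective disclosure the way an ISO/IEC 18013-5 mobile driver's license does it (simplified).

Added illustration, not code from the page, from GET Group NA, or from any mDL
vendor. In ISO 18013-5 the issuer salts and digests every data element, signs
the list of digests in a Mobile Security Object (MSO), and the holder's wallet
returns only the requested elements together with their salts; the reader
checks each returned element against the signed digest. Assumptions here: the
MSO "signature" is an HMAC under ISSUER_KEY standing in for the issuer's
COSE_Sign1 signature, JSON stands in for CBOR, and the element names and
sample holder data are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import os
from typing import Any

# Stand-in for the issuer's signing key; a real reader holds only the issuer's certificate.
ISSUER_KEY = b"constructed-issuer-key-for-illustration"

# Constructed sample holder data (element names follow the 18013-5 mDL namespace).
SAMPLE_MDL = {
    "family_name": "Doe",
    "given_name": "Jane",
    "birth_date": "1990-04-01",
    "document_number": "D123-456-789",
    "resident_address": "123 Main St, Anytown, FL",
    "age_over_21": True,
}


def _element_digest(identifier: str, value: Any, salt: bytes) -> str:
    # Digest over the salted element; the salt keeps a digest from revealing a guessable value.
    encoded = json.dumps({"elementIdentifier": identifier, "elementValue": value}, sort_keys=True)
    return hashlib.sha256(salt + encoded.encode()).hexdigest()


def _sign_mso(digests: dict[str, str]) -> str:
    # Stand-in for the issuer's signature over the MSO digest list.
    return hmac.new(ISSUER_KEY, json.dumps(digests, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def issue(elements: dict[str, Any]) -> tuple[dict[str, dict], dict]:
    """Issuer: salt and digest every element; return (issuer-signed items for the wallet, signed MSO)."""
    items, digests = {}, {}
    for identifier, value in elements.items():
        salt = os.urandom(16)
        items[identifier] = {"value": value, "salt": salt.hex()}
        digests[identifier] = _element_digest(identifier, value, salt)
    return items, {"digests": digests, "signature": _sign_mso(digests)}


def present(items: dict[str, dict], requested: list[str], consented: list[str] | None = None) -> dict[str, dict]:
    """Wallet: release only elements that were both requested by the reader and approved by the holder."""
    approved = set(requested) if consented is None else set(requested) & set(consented)
    return {identifier: dict(items[identifier]) for identifier in approved if identifier in items}


def verify(disclosed: dict[str, dict], mso: dict) -> dict[str, Any]:
    """Reader: check the MSO signature, then each disclosed element against its signed digest."""
    if not hmac.compare_digest(_sign_mso(mso["digests"]), mso["signature"]):
        raise ValueError("MSO signature invalid")
    verified = {}
    for identifier, item in disclosed.items():
        expected = mso["digests"].get(identifier)
        actual = _element_digest(identifier, item["value"], bytes.fromhex(item["salt"]))
        if expected is None or not hmac.compare_digest(expected, actual):
            raise ValueError(f"digest mismatch for {identifier}")
        verified[identifier] = item["value"]
    return verified


def bartender_check(request: list[str]) -> dict[str, Any]:
    """What a reader learns about SAMPLE_MDL for a given request."""
    items, mso = issue(SAMPLE_MDL)
    return verify(present(items, request), mso)


if __name__ == "__main__":
    print(bartender_check(["age_over_21"]))    # only the boolean reaches the reader
    print(bartender_check(list(SAMPLE_MDL)))    # a request for everything gets everything
```

The second print is the caveat in code: the digest structure is what makes partial disclosure verifiable, but it is the reader’s request and the holder’s consent, not the format, that decide how much is exposed.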

Oh, Florida (mobile driver’s licenses)

I should properly open this post by stating any necessary disclosures…but I don’t have any. I know NOTHING about the goings-on reported in this post other than what I read in the papers.

“I know NOTHING.” By CBS Television – eBayfrontback, Public Domain, https://commons.wikimedia.org/w/index.php?curid=73578107.

However, I do know the history of Thales and mobile driver’s licenses. Which makes the recent announcements from Florida and Thales even more surprising.

Gemalto’s pioneering mobile driver’s license pilots

Back when I worked for IDEMIA from 2017 to 2020, many states were performing some level of testing of mobile driver’s licenses. Rather than having to carry a physical driver’s license card, you would be able to carry a virtual one on your phone.

While Louisiana was the first state to release an operational mobile driver’s license (with Envoc’s “LA Wallet”), several states were working on pilot projects.

Some of these states were working with the company Gemalto to create pilots for mobile driver’s licenses. As early as 2016, Gemalto announced its participation in pilot mDL projects in Colorado, Idaho, Maryland, and Washington DC. As I recall, at the time Gemalto had more publicly-known pilots in process than any other vendor, and appeared to be leading the pack in the effort to transition driver’s licenses from the (physical) wallet to the smartphone.

Thales’ operational mobile driver’s license

After Gemalto was acquired by and absorbed into Thales, the combined company won the opportunity to provide an operational (as opposed to pilot) mobile driver’s license. The Florida Smart ID app has been available to both iPhone and Android users since 2021.

From https://www.flhsmv.gov/floridasmartid/ as of July 12. No idea whether this image will still be there on July 15.

What just happened?

This morning I woke up to a slew of articles (such as the LinkedIn post from PEAK IDV’s Steve Craig, and the Biometric Update post from Chris Burt) that indicated the situation had changed.

One of the most important pieces of new information was a revised set of Frequently Asked Questions (or “Question,” or “Statement”) on the “Florida Smart ID” section of the Florida Highway Safety and Motor Vehicles website.

The Florida Smart ID applications will be updated and improved by a new vendor. At this time, the Florida Department of Highway Safety and Motor Vehicles is removing the current Florida Smart ID application from the app store. Please email FloridaSmartID@flhsmv.gov to receive notification of future availability.

Um…that was abrupt.

But a second piece of information, a Thales statement shared by PC Mag, explained the abruptness…in part.

In a statement provided to PCMag, a Thales spokesperson said the company’s contract with the FLHSMV expired on June 30, 2024.

“The project has now entered a new phase in which the FLHSMV requirements have evolved, necessitating a retender,” Thales says. “Thales chose not to compete in this tender. However, we are pleased to have been a part of this pioneering solution and wishes it continued success.”

Now normally when a government project transitions from one vendor to another, the old vendor continues to provide the service until the date that the new vendor’s system is operational. This is true even in contentious cases, such as the North Carolina physical driver’s license transition from IDEMIA to CBN Secure Technologies.

But in the Florida case:

  • Thales chose not to bid on the contract renewal.
  • The new vendor and/or the State of Florida chose not to begin providing services when the Thales contract expired on June 30.
  • Thales and/or the State of Florida chose not to temporarily renew the existing contract until the new vendor was providing services in 2025.

This third point is especially odd. I’ve known of situations where Company A lost a renewal bid to Company B, Company B was unable to deliver the new system on time, and Company A was all too happy to continue to provide service until Company B (or in some cases the government agency itself) got its act together.

Anyway, for whatever reason, those who had Florida mobile driver’s licenses have now lost them, and will presumably have to go through an entirely new process (with an as-yet unknown vendor) to get their mobile driver’s licenses again.

I’m not sure how much more we will learn publicly, and I don’t know how much is being whispered privately. Presumably the new vendor, whoever it is, has some insight, but they’re not talking.

Digital Identity and Public Benefits

Both the U.S. National Institute of Standards and Technology and the Digital Benefits Hub made important announcements this morning. I will quote portions of the latter announcement.

The National Institute of Standards and Technology (NIST), the Digital Benefits Network (DBN) at the Beeck Center for Social Impact + Innovation at Georgetown University, and the Center for Democracy and Technology (CDT) are collaborating on a two-year-long collaborative research and development project to adapt NIST’s digital identity guidelines to better support the implementation of public benefits policy and delivery while balancing security, privacy, equity, and usability….

In response to heightened fraud and related cybersecurity threats during the COVID-19 pandemic, some benefits-administering agencies began to integrate new safeguards such as individual digital accounts and identity verification, also known as identity proofing, into online applications. However, the use of certain approaches, like those reliant upon facial recognition or data brokers, has raised questions about privacy and data security, due process issues, and potential biases in systems that disproportionately impact communities of color and marginalized groups. Simultaneously, adoption of more effective, evidence-based methods of identity verification has lagged, despite recommendations from NIST (Question A4) and the Government Accountability Office

There’s a ton to digest here. This impacts a number of issues that I and others have been discussing for years.

NIST’s own press release, by the way, can be found here.

Authenticator Assurance Levels (AALs) and Digital Identity

(Part of the biometric product marketing expert series)

Back in December 2020, I dove into identity assurance levels (IALs) and digital identity, subsequently specifying the difference between identity assurance levels 2 and 3. These IALs are defined in section 4 of NIST Special Publication 800-63A, Digital Identity Guidelines, Enrollment and Identity Proofing Requirements.

It’s past time for me to move ahead to authenticator assurance levels (AALs).

Where are authenticator assurance levels defined?

Authenticator assurance levels are defined in section 4 of NIST Special Publication 800-63B, Digital Identity Guidelines, Authentication and Lifecycle Management. As with IALs, the AALs progress to higher levels of assurance.

  • AAL1 (some confidence). AAL1, in the words of NIST, “provides some assurance.” Single-factor authentication is OK, but multi-factor authentication can be used also. Any of the authenticator types listed in 800-63B, from a memorized secret (a password) on up, satisfies AAL1; note that knowledge-based authentication (security questions) is not among them, because 800-63B does not recognize it as an authenticator at any level. In short, AAL1 isn’t exactly a “nothingburger” as I characterized IAL1, but AAL1 doesn’t provide a ton of assurance.
  • AAL2 (high confidence). AAL2 increases the assurance by requiring “two distinct authentication factors,” not just one, and approved cryptographic techniques are required from AAL2 upward. “Distinct” means two different kinds of factor (something you know, have, or are), so two passwords do not count. There are specific requirements regarding the authenticator types you can use. And the credential service provider must apply controls from the “moderate” baseline of SP 800-53 or an equivalent such as FedRAMP Moderate (AAL1 maps to the low baseline, AAL3 to the high one). So AAL2 is satisfactory for a lot of organizations…but not all of them.
  • AAL3 (very high confidence). AAL3 is the highest authenticator assurance level. It “is based on proof of possession of a key through a cryptographic protocol.” Two distinct authentication factors are required, including “a hardware-based authenticator and an authenticator that provides verifier impersonation resistance — the same device MAY fulfill both these requirements.” Verifier impersonation resistance is the phishing-resistance property: the authenticator’s output is bound to the name of the verifier it is actually talking to, so an output captured by a look-alike site cannot be replayed to the real one.

This is of course a very high-level overview, and there are a lot of…um…minutiae that go into each of these definitions. Reauthentication is one example: 800-63B requires it at least every 30 days at AAL1, every 12 hours or after 30 minutes of inactivity at AAL2, and every 12 hours or after 15 minutes of inactivity at AAL3. If you’re interested in that further detail, please read section 4 of NIST Special Publication 800-63B for yourself.
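Since verifier impersonation resistance is the requirement that separates AAL3 from a “two factors and done” AAL2 deployment, here is an added example (not from this post and not from NIST) of what the property buys you. An HMAC under a per-device secret stands in for the hardware authenticator’s asymmetric signature, the origins are made up, and the PIN or biometric unlock that makes the device a second factor is not modelled; the point is the binding of the authenticator output to the verifier’s name.

```python
"""Verifier impersonation resistance, the property 800-63B section 5.2.5 requires at AAL3.

Added illustration, not code from the page or from NIST. An authenticator is
verifier-impersonation-resistant when its output is bound to the name (origin)
of the verifier it is actually talking to, as reported by the browser, so an
output obtained through a look-alike (phishing) site cannot be submitted to the
real verifier. Assumptions: an HMAC under a per-device secret stands in for the
hardware authenticator's asymmetric signature, the origins are constructed, and
the PIN/biometric unlock that makes the device a second factor is not modelled.
"""
import hashlib
import hmac
import secrets


class Authenticator:
    """Cryptographic device. bind_origin=False models an output bound only to the challenge."""

    def __init__(self, bind_origin: bool):
        self.bind_origin = bind_origin
        self.secret = secrets.token_bytes(32)  # stand-in for a private key that never leaves the device

    def respond(self, origin_seen_by_browser: str, challenge: bytes) -> bytes:
        # The browser, not the web page, supplies the origin, so a phishing page cannot lie about it.
        data = challenge
        if self.bind_origin:
            data = origin_seen_by_browser.encode() + b"\x00" + challenge
        return hmac.new(self.secret, data, hashlib.sha256).digest()


class Verifier:
    """Relying party. Holds the enrolled authenticator's verification key and outstanding challenges."""

    def __init__(self, origin: str, bind_origin: bool):
        self.origin = origin
        self.bind_origin = bind_origin
        self.enrolled_key = None
        self.pending = set()

    def enroll(self, authenticator: Authenticator) -> None:
        self.enrolled_key = authenticator.secret  # stand-in for storing the credential's public key

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, assertion: bytes) -> bool:
        if challenge not in self.pending:  # replay resistance: each challenge is single use
            return False
        self.pending.discard(challenge)
        data = challenge
        if self.bind_origin:
            # The verifier uses its OWN name, never a name supplied by the client.
            data = self.origin.encode() + b"\x00" + challenge
        expected = hmac.new(self.enrolled_key, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def legitimate_login(bind_origin: bool) -> bool:
    rp = Verifier("https://login.example.gov", bind_origin)
    device = Authenticator(bind_origin)
    rp.enroll(device)
    challenge = rp.new_challenge()
    return rp.verify(challenge, device.respond(rp.origin, challenge))


def phishing_relay(bind_origin: bool) -> bool:
    """Attacker fetches a fresh challenge from the real verifier, shows it on a look-alike site,
    and forwards whatever the victim's device returns. Returns True if the attacker gets in."""
    rp = Verifier("https://login.example.gov", bind_origin)
    device = Authenticator(bind_origin)
    rp.enroll(device)
    challenge = rp.new_challenge()                       # attacker starts a real session
    phishing_origin = "https://login-example-gov.example.net"
    stolen = device.respond(phishing_origin, challenge)  # victim's browser reports the phishing origin
    return rp.verify(challenge, stolen)                  # attacker submits it to the real verifier


def replayed_assertion(bind_origin: bool) -> bool:
    """A captured assertion presented a second time must fail regardless of origin binding."""
    rp = Verifier("https://login.example.gov", bind_origin)
    device = Authenticator(bind_origin)
    rp.enroll(device)
    challenge = rp.new_challenge()
    assertion = device.respond(rp.origin, challenge)
    assert rp.verify(challenge, assertion)  # first use succeeds
    return rp.verify(challenge, assertion)  # second use is rejected


if __name__ == "__main__":
    for bind in (False, True):
        print(f"bind_origin={bind}: legit={legitimate_login(bind)} "
              f"phished={phishing_relay(bind)} replay={replayed_assertion(bind)}")
```

With bind_origin=False the relay succeeds even though two factors and a fresh challenge were used, which is exactly why 800-63B only recommends verifier impersonation resistance at AAL2 but requires it at AAL3.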

Which authenticator assurance level should you use?

NIST has provided a handy dandy AAL decision flowchart in section 6.2 of NIST Special Publication 800-63-3, similar to the IAL decision flowchart in section 6.1 that I reproduced earlier. If you go through the flowchart, you can decide whether you need AAL1, AAL2, or the very high AAL3.

One of the key questions is the question flagged as 2, “Are you making personal data accessible?” The answer to this question in the flowchart moves you between AAL2 (if personal data is made accessible) and AAL1 (if it isn’t).

So what?

Do the different authenticator assurance levels provide any true benefits, or are they just items in a government agency’s technical check-off list?

Perhaps the better question to ask is this: what happens if the WRONG person obtains access to the data?

  • Could the fraudster cause financial loss to a government agency?
  • Threaten personal safety?
  • Commit civil or criminal violations?
  • Or, most frightening to agency heads who could be fired at any time, could the fraudster damage an agency’s reputation?

If some or all of these are true, then a high authenticator assurance level is VERY beneficial.

Age Assurance Meets Identity Assurance (Level 2)

I’ve talked about age verification and age estimation here and elsewhere. And I’ve also talked about Identity Assurance Level 2. But I’ve never discussed both simultaneously until now.

I belatedly read this March 2024 article that describes Georgia’s proposed bill to regulate access to material deemed harmful to minors.

A minor in Georgia (named Jimmy Carter) in the 1920s, before computers allowed access to adult material. From National Park Service, https://www.nps.gov/jica/learn/historyculture/early-life.htm.

The Georgia bill explicitly mentions Identity Assurance Level 2.

Under the bill, the age verification methods would have to meet or exceed the National Institute of Standards and Technology’s Identity Assurance Level 2 standard.

So if you think you can use Login.gov to access a porn website, think again.

There’s also a mention of mobile driver’s licenses, albeit without a corresponding mention of ISO/IEC 18013-5:2021, the mobile driver’s license standard.

Specifically mentioned in the bill text is “digitized identification cards,” described as “a data file available on a mobile device with connectivity to the internet that contains all of the data elements visible on the face and back of a driver’s license or identification card.”

So digital identity is becoming more important for online access, as long as certain standards are met.