E-Authentication: Creating an Environment of Trust

David Temoshok, Director, Identity Policy and Management, GSA Office of Governmentwide Policy

The E-Authentication Initiative (PowerPoint presentation, 21 slides)

Posted Dec 30, 2015

Transcript
Page 1: The E-Authentication Initiative

E-Authentication: Creating an Environment of Trust

David Temoshok Director, Identity Policy and Management

GSA Office of Governmentwide Policy

The E-Authentication Initiative

Page 2: The E-Authentication Initiative


Session Objectives

Identity Federation Basics

Why the Federal Government is federating

Key infrastructure needed for ID Federation

Interoperability and ID Federation

E-Authentication Trust Framework

The Electronic Authentication Partnership and how it facilitates identity federation

Page 3: The E-Authentication Initiative

The Identity Problem

Individuals have multiple disconnected identities across the internet and other networks, leading to repeated, stand-alone authentications

Costly, insecure, inconvenient

Example accounts shown on the slide:
• www.401k.com: User ID 123-45-6789, Password my401k
• My.employer.org: User ID [email protected], Password myjob
• www.mytravel.com: User ID frequentflyer, Password etravel

Page 4: The E-Authentication Initiative

Background

Federated identity definition
• Rules, agreements, standards, technologies that make identity and entitlements portable across autonomous domains
• Is critical for a rich web services environment

Federated identity technologies and standards
• PKI – ISO X.509v3
• Security Assertion Markup Language – OASIS SAML 1.0, 1.1, 2.0
• Lacking standards:
  • Biometrics
  • User ID/PIN/Password
  • Knowledge-based authentication
  • One-time passwords
  • Token-based authentication

Federated identity specifications (SAML)
• Liberty Alliance
• Shibboleth

Page 5: The E-Authentication Initiative

Standards Convergence

SAML 1.X – Framework for exchanging security information about a principal: authentication, attributes, authorization information

Liberty ID-FF 1.X – Extends SAML 1.0, 1.1 for federation, SSO, web services

[Diagram: Shibboleth Specification, Liberty Specifications and OASIS SAML 1.0, 1.1 feeding into the OASIS Standard SAML 2.0]

Page 6: The E-Authentication Initiative

Four Authentication Assurance Levels to meet multiple risk levels

[Chart: assurance level rises along the horizontal axis ("Increased Need for Identity Assurance"); credential cost rises along the vertical axis ("Increased $ Cost")]

Assurance level and example transaction, lowest to highest:
• Low: Online Access to Protected Website
• Medium: Applying for a Loan Online
• High: Obtaining Govt. Benefits
• Very High: Employee Screening for a High Risk Job

Credential types plotted along the cost axis, lowest to highest:
• PIN/User ID
• Knowledge-Based
• Strong Password
• PKI/Digital Signature
• Multi-Factor Token

Page 7: The E-Authentication Initiative

President’s Management Agenda

• 1st Priority: Make Government citizen-centered.

• 5 Key Government-wide Initiatives:
  Strategic Management of Human Capital
  Competitive Sourcing
  Improved Financial Performance
  Expanded Electronic Government
  Budget and Performance Integration

Page 8: The E-Authentication Initiative

PMC E-Gov Agenda (lead agency in parentheses)

Government to Government
1. e-Vital (business case) (SSA)
2. Grants.gov (HHS)
3. Disaster Assistance and Crisis Response (FEMA)
4. Geospatial Information One Stop (DOI)
5. Wireless Networks (FEMA)

Internal Effectiveness and Efficiency
1. e-Training (OPM)
2. Recruitment One Stop (OPM)
3. Enterprise HR Integration (OPM)
4. e-Travel (GSA)
5. e-Clearance (OPM)
6. e-Payroll (OPM)
7. Integrated Acquisition (GSA)
8. e-Records Management (NARA)

Government to Business
1. Federal Asset Sales (GSA)
2. Online Rulemaking Management (EPA)
3. Simplified and Unified Tax and Wage Reporting (Treasury)
4. Consolidated Health Informatics (business case) (HHS)
5. Business Gateway (SBA)
6. Int’l Trade Process Streamlining (DOC)

Government to Citizen
1. USA Service (GSA)
2. EZ Tax Filing (Treasury)
3. Online Access for Loans (DoED)
4. Recreation One Stop (DOI)
5. Eligibility Assistance Online (Labor)

Cross-cutting Infrastructure: eAuthentication (GSA)

Page 9: The E-Authentication Initiative


Key Policy Points

For Governmentwide deployment:

No National ID.

No National unique identifier.

No central registry of personal information, attributes, or authorization privileges.

Different authentication assurance levels are needed for different types of transactions.

And for e-Authentication technical approach:

No single proprietary solution

Deploy multiple COTS products -- user’s choice

Products must interoperate together

Controls must protect privacy of personal information.

Page 10: The E-Authentication Initiative

Central Issue with Federated Identity – Who do you Trust?

[Diagram: a Trust Network linking the following sectors and members]
• Governments: Federal, States/Local, International
• Higher Education: Universities, Higher Education PKI Bridge
• Healthcare: American Medical Association, Patient Safety Institute
• Travel Industry: Airlines, Hotels, Car Rental, Trusted Traveler Programs
• E-Commerce Industry: ISPs, Internet Accounts, Credit Bureaus, eBay
• Financial Services Industry: Home Banking, Credit/Debit Cards

Absent a National ID and unique National Identifier, the e-Authentication initiative will establish trusted credentials/providers at determined assurance levels.

Scale: 280 Million Americans, Millions of Businesses, State/local/global Govts

Page 11: The E-Authentication Initiative

Identity Federation – Key Interoperability Needs

• Federation Communications (Technical Interoperability)
• Federation Business Relationships (Business Interoperability)
• Federation Trust (Policy Interoperability)

Identity Federations extend beyond current peer-peer, bi-lateral agreements to build common infrastructure shared among multiple parties.

Page 12: The E-Authentication Initiative

Federation Infrastructure

• Interoperable Technology (Communications)
  Determine intra-Federation communication architecture (protocols)
  Administer common interface specifications, use cases, profiles
  Ensure interoperability (as needed) according to the specifications
  Provide a common portal service (i.e., discovery and interaction services)

• Trust
  Establish common trust model
  Administer common identity management/authentication policies for Federation members

• Business Relationships
  Establish and administer common business rules
  Manage relations among relying parties and CSPs
  Manage compliance/dispute resolution

Page 13: The E-Authentication Initiative

The Need for Federated Identity Trust and Business Models

Technical issues for sharing identities are being solved, but slowly
• Federal Interoperability Lab
• OASIS and Liberty conformance test programs

Trust is the critical issue for deployment of federated identity
• Federated ID networks have a strong need for trust assurance standards:
  • How robust are the identity verification procedures?
  • How strong is this shared identity?
  • How secure is the infrastructure?

Common business rules are needed for federated identity to scale
• N² bi-lateral trust relationships are not a scalable business process
• Common business rules are needed to define:
  • Trust assurance and credential strength
  • Roles and responsibilities of IDPs and relying parties
  • Liabilities associated with use of 3rd-party credentials
  • Business relationship costs
  • Privacy requirements for handling Personally Identifiable Information (PII)

Page 14: The E-Authentication Initiative

E-Authentication Trust Model for Federated Identity

1. Establish e-Authentication risk and assurance levels (OMB M-04-04 Federal Policy Notice, adopted by EAP)

2. Establish standard methodology for e-Authentication risk assessment (ERA), 2/04

3. Establish technical standards for e-Authentication systems (NIST Special Pub 800-63 Authentication Technical Guidance)

4. Establish methodology for evaluating credentials/providers on assurance criteria (EAP SAC and Federal CAF)

5. Assess CSPs and maintain trust list of trusted CSPs for govt-wide (and private sector) use, 2/04

6. Establish common business rules for use of trusted 3rd-party credentials

7. Test products and implementations for interoperability
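The seven steps above describe a model in which a relying party never decides on its own whether to believe an identity provider: assurance levels are fixed by policy (step 1), credential providers are assessed against those levels (step 4), and a centrally maintained trust list records the result (step 5). The following Python is an added example, written for this transcript and not code from GSA, the EAP or any e-Authentication product, showing what those three steps look like at the relying-party boundary. It takes the certified assurance level from the trust list rather than from anything the assertion itself claims, requires the assertion to name this relying party as its audience, and enforces the validity window. The trust list, the per-transaction required levels, the entity IDs and the sample SAML 2.0 assertion are all constructed here; the only real identifier is the SAML 2.0 assertion namespace. XML-DSig signature verification is assumed to have been performed by the SAML stack before these policy checks run.

```python
"""Relying-party trust checks for a federated assertion (added example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"  # SAML 2.0 assertion namespace
NS = {"saml": SAML_NS}

# Constructed trust list: issuer entityID -> assurance level (1-4) the CSP was
# assessed at. In the deck's model this list is maintained centrally (step 5),
# so the RP never takes the level from the assertion itself.
TRUST_LIST: Dict[str, int] = {
    "https://idp.example-csp.gov/saml": 3,        # hypothetical assessed CSP
    "https://login.example-bank.example/idp": 2,  # hypothetical assessed CSP
}

# Constructed RP policy: level each transaction requires, following the slide-6
# ordering (protected website < loan < benefits < high-risk screening).
REQUIRED_LEVEL: Dict[str, int] = {
    "protected-website": 1,
    "loan-application": 2,
    "benefits": 3,
    "high-risk-screening": 4,
}


@dataclass
class Decision:
    accepted: bool
    reason: str
    subject: Optional[str] = None


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2005-06-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_assertion(xml_text: str) -> dict:
    """Extract the fields the policy checks need from a SAML 2.0 Assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion element")
    conds = root.find("saml:Conditions", NS)
    audiences: List[str] = [
        a.text.strip()
        for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "subject": root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip(),
        "not_before": conds.get("NotBefore") if conds is not None else None,
        "not_on_or_after": conds.get("NotOnOrAfter") if conds is not None else None,
        "audiences": audiences,
    }


def evaluate(xml_text: str, transaction: str, rp_entity_id: str, now_iso: str,
             trust_list: Dict[str, int] = TRUST_LIST) -> Decision:
    """Accept only if the issuer is a listed CSP assessed at or above the level the
    transaction needs, the assertion is addressed to this RP, and it is in its
    validity window. Checks are ordered so the cheapest rejection comes first."""
    a = parse_assertion(xml_text)
    now = _ts(now_iso)
    required = REQUIRED_LEVEL[transaction]
    certified = trust_list.get(a["issuer"])
    if certified is None:
        return Decision(False, f"issuer {a['issuer']} is not on the trust list")
    if certified < required:
        return Decision(False, f"CSP assessed at level {certified}; transaction needs level {required}")
    if rp_entity_id not in a["audiences"]:
        return Decision(False, "assertion was not issued for this relying party")
    if a["not_before"] and now < _ts(a["not_before"]):
        return Decision(False, "assertion not yet valid")
    if a["not_on_or_after"] and now >= _ts(a["not_on_or_after"]):
        return Decision(False, "assertion has expired")
    return Decision(True, f"accepted at assurance level {certified}", a["subject"])


# Constructed sample assertion (unsigned; signature handling is assumed upstream).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0" ID="_example1"
    IssueInstant="2005-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example-csp.gov/saml</saml:Issuer>
  <saml:Subject><saml:NameID>frequentflyer</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2005-06-01T12:00:00Z" NotOnOrAfter="2005-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://benefits.example.gov/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2005-06-01T11:59:30Z"/>
</saml:Assertion>"""

if __name__ == "__main__":
    rp = "https://benefits.example.gov/sp"
    for txn in ("benefits", "high-risk-screening"):
        print(txn, evaluate(SAMPLE_ASSERTION, txn, rp, "2005-06-01T12:01:00Z"))
```

Run as a script, the same assertion is accepted for the level-3 "benefits" transaction and rejected for the level-4 screening transaction, which is the slide-6 point in code: the credential does not change, the transaction's required assurance does. Because the level comes from the trust list, a provider that is not on the list is rejected before any of its claims are examined, which is what makes step 5 the place where "who do you trust" is actually answered.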

Page 15: The E-Authentication Initiative

The Need for Identity Federation Business Case

However, there must be a clear business case that others can understand
• Business opportunity must be meaningful yet realistic
• Business partners need to understand the business case

The solution must be replicable
• Start simple, use standard templates, avoid complexity for complexity’s sake
• Leverage open standards

There should be a clear business case for identity federation for:
• Financial services industry
• Health care industry
• Higher education

“Federated identity is economically inevitable…” – Burton Group

Page 16: The E-Authentication Initiative

Identity Federation Models

• Bi-lateral (peer-to-peer)
• Hub & Spoke (unilateral)
• Circle of Trust (many-to-many)

[Diagram: three arrangements of ID nodes, one for each model]

Page 17: The E-Authentication Initiative

The Need for the Electronic Authentication Partnership

[Diagram: State/Local Governments, Industry, Federal Government and Commercial Trust Assurance Services joined through the EAP; IDPs and RPs connected by Common Business and Operating Rules]

Interoperability for:

Policy
• Authentication
• Assurance levels
• Credential Profiles
• Accreditation
• Business Rules
• Privacy Principles

Technology
• Adopted schemes
• Common specs
• User Interfaces
• APIs
• Interoperable COTS products
• Authz support

Policy, Technical, & Business Interoperability

http://www.eapartnership.org/

Page 18: The E-Authentication Initiative

What is the EAP

• Multi-industry partnership creating a framework for interoperable, trustworthy authentication
  Incorporated non-profit association with 60 members
  Product and technology agnostic

• Goals
  Provide organizations with a straightforward means of relying on digital credentials issued by a variety of authentication systems
  Eliminate or at least reduce the need for organizations to establish bilateral agreements
  Facilitate the creation of federations through replicable rules
  Enable federation-to-federation trust

• In practice this means a federated approach

Page 19: The E-Authentication Initiative

What the EAP is doing now for ID Federation

Current State of Industry: Bi-Lateral Pairs
[Diagram: three IDPs, each paired with its own SP/RP]
• Bi-lateral Agreements
• Pair-wise Trust Model
• Pair-wise Interface Spec and Products

EAP Objective: Multi-Party, Interoperable Federation
[Diagram: four IDPs and three SP/RPs connected through one shared federation]
• Common Business Rules/Agreements
• Common Trust Model
• Common Interface Specification
• Interoperable Products

Page 20: The E-Authentication Initiative

What the EAP envisions for ID Federation

EAP Vision: Multiple, Interoperable Federations

[Diagram: Federation 1, Federation 2 and Federation 3, each containing several IDPs and SP/RPs, linked through the EAP]

EAP provides:
• Common Business Rules/Agreements
• Common Trust Models
• Common Basic Interface Specifications
• Interoperable Products

Page 21: The E-Authentication Initiative

For More Information

David Temoshok
Phone: 202-208-7655
E-mail: [email protected]

Websites
http://cio.gov/eauthentication
http://www.eapartnership.org/
http://cio.gov/fpkipa
http://cio.gov/ficc