CNET también está disponible en español.

Ir a español

Don't show this again

Tech Industry

U.S. government plans online ID gateway

Citizens and businesses would have their identities certified for online applications ranging from reserving a campground to selling parts to a government agency.

The federal government is working on a plan that would require citizens and business to pass through one central online gateway when they need to get their identities certified with the federal government.

The General Services Administration (GSA) is expected to release a request for information as early as this week in preparation for coming up with a detailed technical proposal. A prototype system is scheduled to launch by the end of September.

The GSA is working with Mitretek Systems, a nonprofit research and engineering company, to develop the prototype system, which will serve as a "proof-of-concept" for the full-scale gateway.

Much of the discussion around centralized government authentication has focused on national IDs. But the e-authentication system is not intended to serve as an offline identifier. Rather, it's meant to be a one-stop online shop for people and businesses to establish their identities with the federal government. The applications could range from something as minor as reserving a campground space in a federal park to a contractor selling parts to a government agency.

The gateway would be attached to the FirstGov Web site, which is intended to be an entryway to all manner of government services.

"Initially the number of users and applications may be limited, at least until the full scalability of the gateway is assured, but ultimately, all federal agencies with e-government processes requiring authentication will be able to use the E-Authentication gateway," Steve Timchak, program manager for the e-authentication joint program management team at the GSA said last month.

Currently government agencies use a patchwork of systems to authenticate users. Many agencies do not use any online verification, instead requiring companies and consumers to verify their identities through physical means, such as showing a drivers' license or presenting a signed, notarized document.

The online push
There have been several efforts to move this process online. One push was the Government Paperwork Elimination Act of 1998, which mandated government agencies to make services available electronically by 2003. To process services electronically, of course, you have to have some means of establishing who you're dealing with.

The current administration has pushed for the new central gateway as part of President Bush's 24 e-government initiatives, a broad plan intended to "improve the efficiency and effectiveness of the federal government's transactions through the use of improved technology," according to the Office of Management and Budget.

There has already been significant work in setting up online authentication. A group of nearly two dozen government agencies formed the Federal Public Key Infrastructure Steering Committee to oversee and help develop a public key infrastructure to support electronic commerce and messaging within the government.

Instead of establishing a single federal PKI program, in June of last year, the Federal PKI Steering Committee opened the Federal Bridge Certification Authority, a hub designed to help different agencies' public key infrastructures to interoperate, allowing one agency to accept a public key certificate issued by another agency.

Currently the General Services Administration oversees the Access Certificates for Electronic Services program, which allows government agencies to buy service contracts from major PKI vendors including AT&T and Digital Signature Trust.

The forthcoming gateway would work with the PKI programs in place, Timchak said. The current problems that the authentication team is working on deal with how to set up "less-than-PKI" levels of clearance.

"I'm looking at what's out there between no authentication required and not-strong authentication (required)," he said. E-loans would probably require strong authentication, but recreation requests, like reserving a campground at Yellowstone, probably wouldn't, he said.

Citizens using either application would go through the same central gateway, he said. And by linking everything through that gateway "that burden and associated costs is no longer born by that application, and that agency," he said.

Efficiency vs. privacy
While combining various authentication schemes under one roof should help the government cut costs and speed transactions, it does pose other problems, including privacy issues. A major concern of electronic privacy advocates is that the more linked the data becomes, the easier it will be for the government to track the data and profile users based upon it, said Chris Hoofnagle, legislative counsel at the Electronic Privacy Information Center.

Such systems have a way of expanding their roles. Because users can be authenticated, they will be authenticated, whether the security really calls for it or not, he said.

"We've had a strong tradition in the U.S. of allowing anonymous access to records. You can walk into the Library of Congress and ask for a book or record without revealing who you are," he said. "Authentication systems can change that."

Timchak said the GSA has been working the Social Security Administration and its privacy forums to help understand those concerns.

Other groups have expressed concern about the government's possible use of online ID systems from private companies such as Microsoft, Entrust, RSA Security and VeriSign, among others, in its online efforts.

Timchak said the government hasn't decided on a specific technical plan.

The new gateway might also allow certificates issued by non-governmental trusted authorities, such as financial institutions, to be accepted. In cases where strong authentication is not required, such as the campground example, the authentication could be as simple as getting a PIN and password from an Internet service provider (ISP).

"What is the value of an ISP-furnished PIN and password? On the surface not much," Timchak said. "But if the user has been paying on that with a credit card, then that PIN and password has more value. And different applications may further challenge the user (to get stronger identification).

"The idea is, to provide a common service you will have one credential, whatever that is, to do business with the government," Timchak said. "If you are strongly credentialed, say, with PKI, then you have access to every application. If you are less-than-strongly credentialed, you have access to a subset of applications. But it's one central place that handles both."