Tell me who are you? (Who are you? Who, who, who, who?)
’Cause I really want to know (Who are you? Who, who, who, who?)
—PETE TOWNSHEND
“There is no doubt that over time, people are going to rely less and less on passwords,” the CEO of Microsoft told the crowd assembled at RSA.
With that, Microsoft announced that it was working with the cybersecurity firm RSA to roll out its SecurID technology on the Windows platform. Internally, Microsoft was moving to a “smart-card system” and testing a “biometric ID-card” that would allow facial, iris, and retina recognition as a means to grant access to computing resources.
Of course, this was all in 2004. Bill Gates was still Microsoft’s CEO. To his credit, and contrary to legend, he never suggested that passwords would go the way of the dodo, only that we would rely on them less. What Gates was proposing then was two-factor authentication, or even multifactor authentication: your password and a card with some sort of biometric data on it. You would type in your password, stick in your card, and the computer would read the biometric data and match it with the biometrics you were presenting (your fingerprint, iris, etc.).
The obstacles were numerous. Many people did not like giving up their biometrics. The reader devices were unreliable. Users lost their cards a lot. Implementation was expensive. And in the end, users still had to remember a password.
And so the password did not die. It procreated. Today there are some ninety billion passwords in use around the globe, and that number is growing. By corporate policy and with enough prodding from the tech media, people are creating more, not fewer, passwords. Password-manager applications, such as Dashlane, 1Password, and LastPass, make it relatively easy to create and remember unique and difficult-to-break passwords. Application-specific passwords are automatically generated in the background by many applications, and the primary form of authentication for the growing number of smart devices is still the password.
When Gates made his speech in 2004, the available alternatives to passwords were awkward. They introduced friction into the user experience and did not always work. Requiring the same card to access a building and to use a computer caused problems when people forgot to take them out of their computers when they left the office to go to the bathroom or the cafeteria, something no amount of scolding could fix.
At about the same time, the federal government made a similar move. President Bush signed Homeland Security Presidential Directive 12 in August 2004, which called for federal government agencies to issue smart cards for both physical access (opening doors and getting through security) and logical access (gaining access to computers). The directive gave agencies a generous fourteen months to implement the program. A decade later, data reported to Congress showed that only 62 percent of federal employees had been issued and were using the smart-card technology. Redoubling efforts after the breach at the Office of Personnel Management, federal agencies finally hit the target of 85 percent coverage in the fiscal year that began in October 2016.
The government’s misfire on implementation did not inspire the private sector to move to smart cards for password replacement or augmentation. Simply put, these technologies were too hard to implement and too difficult to use. A few years after Gates’s 2004 speech, however, a new technology emerged that people almost never are without because they almost never put it down: the smartphone.
The first iPhone hit the market on June 29, 2007. The first Android phones would come out a little over a year later. These devices would quickly address many of the problems that people had with other tools used for multifactor authentication. They could be used to receive text messages containing secondary security codes. When fingerprint readers started to become widely adopted by smartphone makers around 2013, smartphones could then be used to meet the trifecta for multifactor authentication: 1) something you have (the smartphone itself, registered to you); 2) something you know (still the good old password or a one-time number sent to your phone); and 3) something you are (a fingerprint or, now, your face with the integration of facial recognition software). Companies such as Okta and Duo, now darlings of Wall Street for their successful IPOs, make implementing and using multifactor authentication on smartphones for multisite single sign-on relatively simple.
Yet, for all these technical advances, adoption has been slow and may even be stalled out. Although Microsoft makes two-factor authentication freely available to its customers, an independent survey recently reported that only 20 percent of subscribers to Microsoft’s Office 365 suite of productivity applications are using any form of multifactor authentication. Surveys of other platforms have found similar results. As we have noted, upwards of 80 percent of data breaches still involve weak or stolen passwords.
While the most sophisticated adversaries are not going to give up and go home if they run into a second authentication factor, many lower-level criminals clearly would be forced to move on to other, softer targets. While multifactor authentication may be costly to implement and add friction to the user experience, it is even more annoying to adversaries. There is likely no other technical solution that would do as much to frustrate attackers, increase the skill level necessary to carry out attacks, or slow down attackers. Yet no amount of imploring seems to move the needle on multifactor authentication.
The problem of passwords won’t go away until some combination of two things happens: multifactor authentication without a password is forced on companies and their customers, or multifactor authentication becomes something that takes place seamlessly in the background. On the first front, we are starting to see more companies make the push. Banks, which are financially responsible should cyber criminals drain your bank account, have all the incentive they now need to require the use of two-factor authentication. Many are adopting “push” models that don’t require users to do anything to set up two-factor authentication. Banks validate your phone number in the background and then send a text message with a one-time code you must enter to log in to your account.
Of course, there are multiple ways criminals can capture a text message and use it to log in to an account, from compromising the underlying SS7 telephone network to compromising the phones or computers that receive the text messages. So, what Google, Duo, ThreatMetrix, and the Department of Defense are each separately working on is taking multifactor authentication well beyond three factors.
Using advanced analytics, these efforts can take dozens or even hundreds of factors to make decisions about granting an individual access to computing resources. As these technologies come to fruition, getting access to your accounts may only involve tapping on an app or clicking on a log-in button while data analytics go to work in the background to check whether the device you are using is the same one you used last time, whether your location makes sense, whether your typing speed as you shift from uppercase to lowercase is consistent with the pattern established on you over time, and a host of other factors.
Moreover, authentication is becoming something of a sliding scale instead of a simple yes-no, binary decision. Once you are allowed inside a network and using your account, behavior out of pattern will get flagged and you will then be asked for additional verification. If, for instance, you are not in the habit of transferring money to Poland, you may get a prompt to enter a password or a call might even be placed to your phone with a live human operator, who may ask you questions, such as about your prior use of your account.
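The adaptive, sliding-scale authentication described in the last two paragraphs, as an added example (not the book’s code, nor that of any vendor it names): a small risk engine scores each sign-in or in-session action against a profile learned from the user’s past behavior and picks the verification step. The profile data, weights, and thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Optional

@dataclass
class Profile:
    """What the system has learned about one user over time (constructed)."""
    user: str
    known_devices: set
    usual_countries: set
    typing_samples: list                  # past mean inter-key latencies, ms
    transfer_countries: set = field(default_factory=set)

@dataclass
class Event:
    """One sign-in or in-session action to be scored (constructed)."""
    device_id: str
    country: str
    typing_latency_ms: float              # cadence observed this session
    transfer_to: Optional[str] = None     # destination country, if any
    transfer_amount: float = 0.0

# Assumed weights and thresholds; a real deployment tunes these from data.
WEIGHTS = {
    "unknown device": 40,
    "unusual country": 30,
    "typing cadence drift": 20,
    "new transfer destination": 35,
    "large transfer": 25,
}
LARGE_TRANSFER = 10_000.0
OTP_THRESHOLD, CALL_THRESHOLD = 30, 70

def typing_drift(profile: Profile, latency_ms: float, sigmas: float = 2.0) -> bool:
    """True when this session's cadence is more than `sigmas` from the norm."""
    if len(profile.typing_samples) < 2:
        return False                      # too little history to judge
    mu, sd = mean(profile.typing_samples), pstdev(profile.typing_samples)
    if sd == 0:
        return latency_ms != mu
    return abs(latency_ms - mu) / sd > sigmas

def risk_signals(profile: Profile, ev: Event) -> list:
    """Names of the out-of-pattern observables present in this event."""
    hits = []
    if ev.device_id not in profile.known_devices:
        hits.append("unknown device")
    if ev.country not in profile.usual_countries:
        hits.append("unusual country")
    if typing_drift(profile, ev.typing_latency_ms):
        hits.append("typing cadence drift")
    if ev.transfer_to is not None:
        if ev.transfer_to not in profile.transfer_countries:
            hits.append("new transfer destination")
        if ev.transfer_amount >= LARGE_TRANSFER:
            hits.append("large transfer")
    return hits

def decide(profile: Profile, ev: Event) -> dict:
    """Map the summed risk to the verification the user must complete."""
    hits = risk_signals(profile, ev)
    score = sum(WEIGHTS[h] for h in hits)
    if score >= CALL_THRESHOLD:
        action = "call"                   # live operator, challenge questions
    elif score >= OTP_THRESHOLD:
        action = "otp"                    # one-time code or password prompt
    else:
        action = "allow"                  # silent, background-only check
    return {"score": score, "signals": hits, "action": action}

if __name__ == "__main__":
    alice = Profile("alice", {"phone-1", "laptop-1"}, {"US"},
                    [120, 130, 125, 135, 128], {"US"})
    # Routine sign-in from a known laptop at home: nothing to ask.
    print(decide(alice, Event("laptop-1", "US", 129)))
    # Same trusted session, but a first-ever transfer to Poland: step up.
    print(decide(alice, Event("laptop-1", "US", 129, "PL", 500)))
    # Unknown device abroad, odd typing, large transfer: escalate to a call.
    print(decide(alice, Event("tablet-9", "RO", 200, "PL", 25_000)))
```

The second case mirrors the text’s Poland example: the session was already authenticated, and only the out-of-pattern transfer triggers the extra prompt.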
All these measures are likely to make the password, as Bill Gates predicted, less central to the authentication process. And there may even be some hope for a passwordless future. Jim Routh at Aetna is in the process of eliminating passwords for his twenty-million-plus subscribers using Trusona, a passwordless authentication app. That just leaves one huge problem: validating the true identity of the account owner.
People who work on identity management like to draw distinctions among “authentication,” “authorization,” and “identification.” The solutions Bill Gates talked about in 2004, smart cards and tokens, are authorization solutions that give or deny access to restricted accounts and computer resources. Okta, Duo, and other multifactor solutions are also authorization solutions. They are asking, is the individual (or device) requesting permission to access this system presenting the required information and executing the required actions? If so, they grant access. If not, they don’t. What they do not do is affirm that you are, in fact, you.
Validating that your email address is assigned to you is not something that Okta does. That’s the responsibility of the HR department, and for that they require you to bring in your passport and driver’s license. Your bank may require you to do the same when you open an account, or answer challenge questions online based on information that credit bureaus have collected about you. These are what is known as “identity-proofing” events, where you prove that you are in fact you, establishing a unique identity.
The problem is that these events are one-offs for individual accounts. There is, as of yet, no way to assert your identity (and keep anyone else from asserting your identity) across the internet. And that is what allows for a host of ills, from Social Security and insurance fraud to fake social media accounts that manipulate elections. If multifactor authentication would frustrate adversaries in carrying out attacks, making it harder to steal identities and therefore benefit from cybercrime, it could take away the motivation in the first place.
We already have the means to use a single identity across multiple internet platforms, what is called federated identity. Facebook, Google, and others have used the fact that almost everyone has an account at one, the other, or both to insert themselves into the authorization process for a host of sites (“Sign in with Google” buttons seem to be almost everywhere). But neither Google nor Facebook actually knows who you are, so their ability to authenticate you as you is only as strong as the information you provided to them when you registered your accounts. While both companies are making some attempts to validate new accounts by checking names against provided phone numbers and then texting those phone numbers, criminals have proven adept at beating these systems. Burner phones make it all too easy for criminals to hide their identity.
The lack of an ability to prove who you are on the internet is a long-recognized but seemingly intractable problem. When identity proofing is needed online, almost all websites rely on the tried-and-failed method of validating historical information about you. With your address, your phone number, your date of birth, and your Social Security number, you can file your tax return. So can anyone else with that information, leading to almost six hundred thousand cases of fraud in 2017.
The same goes for insurance fraud, new account fraud, and a host of other cybercrimes that deprive the government of tax revenue, drive up the price of insurance, and cost the economy billions. Despite these losses, it’s a problem that the market just cannot seem to fix. That is where, typically, government should step in.
One of the first initiatives launched by the Obama administration to address our cyber insecurities was the National Strategy for Trusted Identities in Cyberspace (NSTIC). As the administration’s first senior director for cybersecurity, Sameer Bhalotra spearheaded the effort. He was joined by Jeremy Grant, who ran the NSTIC program office from its inception in 2011 until he left in 2015.
Oftentimes, government bureaucrats are charged with a failure of imagination and with a lack of ambition. Those charges do not apply to the team that put together the NSTIC strategy. The document is visionary. It literally contains little vignettes to get you to “Envision It!” in which Mary, or another fictitious person, uses her new online credential to do the kinds of transactions we can’t easily do today online, such as close a mortgage. Always wary of government overreach, particularly on issues of individual privacy, the Obama team did not propose the obvious answer of a government-issued ID card with a digital chip. Anyone who remembers the fight over REAL ID, a Bush administration effort to get states to issue secure driver’s licenses, should be able to imagine why. Americans have a reflexive distrust of federal requirements for identification. Nothing is more un-American than restricting movement, as the Soviets did with their ubiquitous requests for “Papers, please.”
Instead of going with a national ID card, the NSTIC team took a market-based approach that would give consumers choices about whom they used to obtain a trusted digital identity for use online. The strategy envisioned a host of potential providers, companies that ranged from banks to ISPs to independent identity providers. Despite a solid strategy, there were two problems that the NSTIC team could not solve: initial validation of users through an in-person proofing event and getting companies to pay to use the new identities.
The NSTIC team tried to sell the Postal Service on doing the identity proofing. There are 4,800 post offices throughout the country that already process passport applications, including the necessary in-person proofing. Bhalotra met with the Postmaster General and tried to sell him on the idea. He thought it was a no-brainer, because the post office is already performing this service for passports and is desperate to find new sources of revenue given the decline in traditional mail brought about by the digital economy. He figured this was an easy sell. It wasn’t. The prospects were too remote and the mission too far from the core Postal Service mission of delivering the mail.
The second challenge was getting anyone to adopt the use of the new secure identities and mandate that their employees or customers use them. Bhalotra thought that the banks would be natural allies as they already need to authenticate customers for account opening and spend tremendous amounts battling fraud. It was a hard sell there as well. He tried to stimulate demand by getting federal agencies to be the early adopters. Unfortunately, he got no takers from the IRS, State, DHS, or HHS, the major agencies that interact with citizens in ways that require identity proofing. Going direct to consumers also was a nonstarter, because no one in the venture-capital community thought people wanted to pay for this service.
None of this, of course, means the approach was wrong. Particularly in government, there is no force more powerful than an idea whose time has come. In 2011, the technologies were insufficiently mature and the need for the solution was less apparent. In 2019, when almost every American has been made a victim of identity theft, it is well past time to put in place the solutions that the NSTIC developed and piloted.
For his part, Jeremy Grant has not given up. Now a member of the technology consulting team at a law firm, he is actively pursuing many of the concepts he helped to develop in government from his position in the private sector. Grant has helped bring together JPMorgan, Bank of America, Wells Fargo, and Citibank, among others, to form the Better Identity Coalition. Their idea is to create a public-public-private partnership building on the states’ divisions of motor vehicles (DMV) driver’s-license databases and the Social Security Administration’s files.
The banks recognize that the DMVs do a pretty good job of in-person interviews and requiring multiple forms of proof of identity. True, there are counterfeit driver’s licenses, but when you check DMV databases, you can usually tell that the license was never issued by the DMV. Social Security, for all of the faults associated with its number and card system, is pretty good at registering when someone dies, as is the Department of Veterans Affairs. Because a common criminal technique is to assume the identity of someone who has passed away, access to death records would help identify fraudulent identity activity.
One problem, however, is that most state DMV agencies do not have the highest level of cybersecurity on their own networks. If criminals and intelligence officers can hack into the DMV database and alter it, using the DMV as a source of verification may not be a good idea. Thus, the banks are seeking federal grants to help the states improve their cybersecurity. Until that happens, the DMVs may not be the solution. At best, they are a surrogate for a national ID card system, something that has proven politically unpalatable on both the right and left in the United States for decades. Yet we have been able to find workable solutions that address privacy and civil-liberties concerns while improving identity with a simple concept: letting people opt in.
Nobody has to fly, but it does make work and personal travel a lot easier. After 9/11, it got harder. Americans wanted to be sure that the other people on the plane with them were trustworthy, not terrorists. So there was not a lot of complaining when the government stepped in and put federal employees at the airports, asking to see your identification. Not any identification would do. It had to be a government-issued document that was hard to counterfeit. State governments were told what security standards they had to incorporate into their driver’s licenses, and after some grumbling, they almost all complied.
This system, however, created long lines. So two innovations occurred, one public and one a public-private partnership. The TSA created TSA PreCheck for people who were willing to fill out forms, go through a background check, have their biometrics registered, be photographed, and be entered into a federal database. TSA also authorized a private company, CLEAR, to manage a parallel system of authenticating travelers with a combination of your boarding pass, an iris scan or fingerprints, and a picture of you.
When you use CLEAR, you engage in multifactor authentication. You have used things you know to get the boarding pass. Then that boarding pass becomes things you have. Finally, your biometrics and photograph are things you are. No one has forced you to use CLEAR. In fact, you had to pay for it. A similar incentive system exists with E-ZPass toll-paying devices on cars.
Americans have accepted these systems, which can serve as valuable models for incentivizing the implementation of stronger authentication systems in other industries. We can use similar principles in creating secure online identities. We can use a certain degree of government compulsion. We can partner with private-sector companies. People who choose not to participate in optional additional background checks and identification would still be served, but they would be subject to more examination and given slower service.
Building on the lessons from NSTIC and how identity is handled in other industries, we propose a new authentication system, which we call ReallyU, to ensure a higher degree of identity protection and replace outdated identifiers like Social Security numbers. Because it would require a combination of nudges and shoves, ReallyU would have to be authorized by Congress. Yes, Republicans and Democrats would have to play nicely together, at least on this one law.
The law would authorize private companies that met certain standards to issue ReallyU identities for use in online interactions with both the government and corporations. On an opt-in basis, you could choose from any number of approved companies to serve as your identity service provider. You would then go through an identity-proofing process that included being interviewed on-site, presenting valid government identification, giving biometric data, and being photographed. You could also provide an email address, mobile phone number, and credit card or other banking information if you chose to do so.
Then, the ReallyU provider would do a background check to verify that you are who you say you are. In that process, they would have access to some government databases. Maybe your provider would be Google (they know everything about you anyway); maybe Apple (if they make your phone); maybe Verizon (or whoever your costly cell provider is); maybe Mastercard or Visa through your bank (you get the idea). These providers would then be paid each time they validated your identity to a third party to, say, open a bank account or access your IRS record.
Each ReallyU provider could create their own federated identity network, much like Mastercard and Visa have created their own parallel payment networks that include a heavy dose of identity checking. Government agencies should be made by law to accept any one of the approved federated identity networks for online transactions. Companies doing online commerce could choose which ReallyU providers they wanted to honor.
Something along these lines would give us a system of online identification that would not be the equivalent of a national ID card because it would not be managed by the federal government and it would be voluntary, not required. Beyond a light touch of regulation, the government’s main role would be to help create the market by making federal agencies that require proof of identity accept it and provide various kinds of preferential service to ReallyU members.
Once you had a ReallyU identity, you could use it to identify yourself to any company or government agency that was part of the federated network. The government agencies involved would include the IRS, Social Security, Medicare, Veterans Affairs, and federal employee retirement systems. They could also continue to accept their previously existing systems.
If you used the ReallyU system, each company and government agency could interrogate a federated database to learn about you when you logged in to use it. They could then require you to prove your identity in any number of different ways, based on a variety of two-factor or multifactor systems, including face identification (via a smartphone or camera on your laptop), fingerprint, iris scan, or one-time message sent to your mobile phone or email. In the background, the system would be checking your location, the device you were using, and other observables, the same way ThreatMetrix does now for many banks and other financial institutions.
As a consumer, you could switch identity providers whenever you want. You might pick based on security or reputation or a preexisting relationship. You might opt to pay for the service and gain more control or choose a service that is free (and possibly ad-supported), though we think a better answer is a small per-transaction fee charged to the companies that are requesting an identity-proofing or authentication event. The process for changing providers might need some degree of government regulation, as was necessary to create the phone-number porting system we use today. A light-touch regulatory approach run out of somewhere like the Commerce Department (not a national security agency) would set the right tone.
What would happen to the Social Security number? We could keep it, but only as an identifier, like your name, not as proof of anything. As former DHS cyber official Phil Reitinger tweeted, “An SSN is a fine identifier and an awful authenticator.” The assumption that you, and only you, know your Social Security number is no longer a tenable proposition. Every SSN has probably already been compromised.
So, what do we need the Congress to agree on for all of this to work? We have a short list.
First, Congress needs to direct the U.S. Postal Service and the TSA to offer in-person identity-proofing services, no matter how reluctant the current Postmaster General is. Just as the USPS has competitors in FedEx and UPS, this action won’t give government a monopoly but should stimulate competition. The law should require the Postal Service to partner with private companies to issue and manage the IDs, the IT/tech part of the solution. That is what the private sector, particularly Silicon Valley tech firms and their VC partners, are good at. What they are not good at, managing brick-and-mortar buildings where identity proofing is done by actual people, is what the USPS already does.
Second, Congress needs to direct the Commerce Department’s standards office, NIST, to develop whatever standards they think are necessary for the seamless transfer of identity-proofing data and credential exchange, beyond, if necessary, existing standards.
Third, Congress needs to mandate that key agencies, including the IRS, accept the ReallyU system. (No more e-filing a tax return by answering challenge questions about your last tax return.)
As we have sought to make clear, what we propose is not a novel concept. It builds on ideas and programs that others have developed. We believe we are at a point at which the technology is sufficiently developed and the benefits are now clear. Identity masquerading is necessary for both financial theft by cyber criminals and all sorts of malicious activity inside government and corporate networks by foreign intelligence and military hackers. The theft of personally identifiable information (PII) is one of the most common cybercrimes, and costs companies billions of dollars to prevent. We can greatly reduce all of that by adopting a voluntary system of federated, multifactor identification for online activities. Most criminal uses of PII would no longer work to access credit cards or other financial activities, thus greatly reducing the incentive to steal it.
While all of this would require a new law and some federal standards and support, it would not be a government ID system. It would be an identity system used by companies and individuals who want to protect their identities while benefiting from the digital economy. It is more analogous to our current credit-card system. All of this could be done today with existing technologies, piecing together bits from here and there that have already been proven to work. We just need leadership, will, and people of good faith playing nicely together, including Congress for a quick minute or two.