The Case for a Government Industry Standard for Identity Assurance

Civix Experts Share a Vision for This Essential Step in Advancement of GovTech

ORLANDO, FL – The vast majority of Americans go online to connect with people and services, shop, get news, pay bills, and so much more. And while the public sector has made great strides in catching up to this explosion in online activity, there is much to be done. One of the most significant barriers preventing the public sector from providing citizens with the full capabilities of digital services is identity assurance.

Proving one’s digital identity is, to put it plainly, difficult. And the process for proving someone is who they claim to be is rife with opportunities for fraudsters to successfully impersonate someone. The stakes are especially high in the public sector because of the data involved, such as personal protected information, voter rolls, business filings, public assistance, and the like.

Identity assurance forces a user to first establish his or her identity to ensure that digital systems aren’t being misused. Unfortunately, identity assurance is notoriously difficult to achieve.

“It’s still a bit of the Wild West when it comes to identity assurance,” says Mike Wons, the president of Civix Government, the division that provides software to state and local governments. “It’s the biggest issue standing in the way of the future adoption of tech.”

The team at Civix sees the solution as an identity assurance that is common across the public sector. Currently, NIST Digital Identity Guidelines provide technical requirements for federal agencies implementing digital identity services, but not so for state and local systems. The result is a gap between federal standards and those for other governmental agencies.  

A common government identity assurance program would improve user experience and enable the public sector to improve efficiency, reduce costs, expand access to services, prevent fraud, build trust, and unlock potential in their economies.

“Identity assurance is an industry-wide challenge, and the solution should be collaborative,” said Wons. “The goal of the public sector should be a single sign-in solution through which all the disparate services and functions of agencies come together in one seamless user experience. An ideal scenario would allow citizens to create, use and reuse digital identities across public sector services.”

That goal speaks to the relationship between identity assurance and identity authorization. Assurance determines if an applicant is who they say they are. If they meet this threshold, then they become a registered user with login credentials. Authentication relies on additional data that is difficult to produce, except by that specific person, to re-enter the system with those login credentials.

For both assurance and authentication, what’s clear is that protecting personal information with “what you know” is no longer good enough because so much of that information is accessible online.  Civix Chief Information Security Officer Calvin Simmons says combining “what you know” (like PIN numbers) with “what you have” (like smartcards or tokens) provides another layer of protection. Still another layer is “what you are,” which is provided through biometrics – an area where much government technology is headed.

“People are already using fingerprints to log into their laptops and facial recognition to open their phones. And since biometric technology is here and being embraced, it can be a valuable option for public sector identity assurance programs,” Simmons said.

While most in the public sector rely on (or should be relying on) multifactor authentication, Civix is urging for the adoption of randomized multifactor authentication. Through this model, the forms of identity assurance and authentication are randomized based on factors such as the applicant’s location, the point in time, the level of sensitivity, and even the applicant’s “identity score,” among others. The fact that the pattern of questions cannot be predicted is the basis for its success.

Ultimately, identity assurance and authentication rely on additional data that is difficult to produce, except by that specific person. For example, applicants could be asked to select the correct answer from multiple choice questions such as, “which of the following addresses have you been affiliated with?” or “what was the color, make and model of your automobile in 2010?”

To power this high level of verification, Civix partners with Equifax and Experian to rapidly authenticate the identity of applicants based on definitive data sources. Civix most recently leveraged its relationship with Equifax to upgrade the State of Virginia’s identity verification service. Other states using the service includes Indiana.

Civix VP of DevOps Tod Ewasko says, “Building identity assurance presents a technology challenge to easily allow an authorized user access without discouraging access with additional steps.”

That point is no more important than in elections. Unlike government business services, where agencies may want to fend off attacks from the get-go, election officials must aim to make voting processes as accessible as possible.

Thelma Van, Civix’s Director of Products and one of the chief architects of its new Intelligent Voter Information System (IVIS), frames the issue this way: “state officials are facing problems with the ability to verify identities of citizens registering to vote online. Personal information entered by a non-registered voter for registration is often perceived as information that can be stolen by bad actors.”

“The current registration process makes it difficult to effectively verify identities, and public perception around the online voter registration exacerbates the concern” says Van. “But advances in technology and the volumes of information available work in our favor.”

Van’s product team, responsible for developing the new Intelligent Voter Information System being introduced to election officials across the country, addresses and solves those problems by tapping into the substantial experience of her team.

Civix elections management applications are used in 17 states and more than 1,000 jurisdictions ­– and helped successfully manage more than 50 million voters in the 2020 general election.

The solutions that Civix is developing for elections provides an improved identity assurance experience. It prevents fraudulent online voter registration by identifying suspicious voter applications and providing state officials with a real-time identity score that gives an insight into suspicious patterns. They can use this score to help determine whether the registering voter is who they claim to be.

The system uses various risk-based authentication tools to calculate identity scores from the information entered by the registering voter. These scores also have method codes which act as an explanation behind each identity score. Clients will be able to view these scores on their dashboard or access them as a list. The product complies with all levels of the NIST 800-63 digital identity guidelines.

While getting to a single government standard for identity assurance is and will continue to be an ongoing challenge, Civix developers are using their extensive experience to provide state and local agencies better identity assurance solutions now. These solutions will not only provide enhanced user experience and security, they provide peace of mind to all – especially as it relates to critical citizen interactions.