‘E-authentication’ memo puts the focus on secure, usable digital identity

Like many federal technology initiatives from the early aughts, the Bush administration’s “e-authentication” push can be viewed in retrospect as both forward leaning and, more than 20 years later, very outdated.

The December 2003 “e-authentication” memo from the Office of Management and Budget pushed agencies to manage secure access to online services. Amid a broad push to open up access to a digital government, the memo ensured agencies also focused on security and privacy.

“I do think in a lot of ways, the government did lead the way in projecting what was required to defend against the threats as we saw at that moment in time,” Jordan Burris, former chief of staff to the federal chief information officer and vice president of public sector solutions at identity security firm Socure, said in an interview.

In the decades since the 2003 memo, however, identity management has become exponentially more complex and difficult, as the demand for digital services — whether internal to the workforce or public facing — has skyrocketed.

Identity management technologies have evolved rapidly. But cyber attackers and fraudsters alike are taking advantage of gaps and lapses in identity management to steal data and money. Adversaries are already using artificial intelligence to supercharge their attacks through AI-aided phishing, deepfakes and more.

Meanwhile, agencies and organizations of all types have struggled to keep pace with the threats, according to Jeremy Grant, the former director of the National Strategy for Trusted Identities in Cyberspace and coordinator of the Better Identity Coalition.

“Over the last 10 years, I’d argue that government writ large has been looking at this issue a lot less strategically and proactively than it should be,” Grant said.

The one constant in the digital identity challenge has been the tension between access and security.

“It really sits at that center point of your user’s experience and the security and the protection that you’re able to provide,” Ryan Galluzzo, the National Institute of Standards and Technology’s digital identity program lead, said in a recent interview with Federal News Network. “So it has this very unique blend of people need to be able to use it, and particularly if you’re public facing, you need to be able to make sure it’s supporting the broader population of users that you have, but it also needs to be deployed in a way that supports security.”

Leaning forward on identity

In Grant’s view, the government’s online identity management push got going during the Clinton administration, when the Defense Department piloted the first “smart cards,” leading to the adoption of the Common Access Card (CAC).

The General Services Administration also had a smart card program office to ensure the civilian side of government could take advantage of the technology.

“This is really promising technology to start to transform government and start to digitize a lot of paper-based processes,” Grant said of the thinking at the time.

The 2003 e-authentication memo, meanwhile, came amid the “e-government” push during the Bush administration. It directed agencies to take a risk management approach to authenticating the identity of online users, whether they be a federal employee accessing an internal system or a member of the public seeking access to an online government service.

“The administration is committed to reducing the paperwork burden on citizens and businesses, and improving government response time to citizens — from weeks down to minutes,” then-OMB Director Joshua Bolten wrote in the memo. “To achieve these goals, citizens need to be able to access government services quickly and easily by using the Internet. This guidance document addresses those federal government services accomplished using the Internet online, instead of on paper. To make sure that online government services are secure and protect privacy, some type of identity verification or authentication is needed.”

Burris said the government was “leaning in” at the time, addressing online identity infrastructure strategically.

“We had to stop thinking as much in a siloed manner as was being done with every agency kind of doing it for themselves,” he said.

The memo led to multiple major identity developments, including the first version of what would become NIST’s digital identity guidelines.

It also helped accelerate the adoption of federal public key infrastructure and the now ubiquitous Personal Identity Verification (PIV) card under Homeland Security Presidential Directive-12 signed in 2004.

While those latter developments helped agencies ensure the identity security of their enterprise workforce, the Obama administration started to look more toward public facing identity strategies as part of the National Strategy for Trusted Identities in Cyberspace (NSTIC).

Grant, who led the NSTIC program at NIST from 2011 to 2015, said the goal was to establish a national vision for secure identity at a time when the digital economy was expanding rapidly.

“It laid out a very forward leaning vision of what the country should look to do on digital identity that relied heavily on partnering with the private sector to solve it, but it was also, bluntly, way ahead of where the market was at the time,” Grant said.

The NSTIC funded multiple projects to advance secure online transactions, especially to reduce the reliance on usernames and passwords. The initiative bolstered an emerging identity security industry that offered new tools for users to secure their online accounts and organizations to secure their enterprise networks.

The NSTIC also launched a project that would eventually lead to Login.gov, a single sign-on service that has garnered both plaudits and controversy. But like with “e-authentication,” the goal was to streamline access to online services by providing citizens with one login option for multiple agencies.

COVID fraud and AI

Under the Trump administration, agencies continued to deepen their digital modernization efforts. OMB sparked another governmentwide push to modernize identity management under a 2019 memo, “Enabling Mission Delivery through Improved Identity, Credential, and Access Management.”

Burris, who served as chief of staff to the federal CIO at the time, said the goal was to update several outdated policies and facilitate “continuous modernization” of identity, credential and access management systems.

“We wanted to also make sure that we were assigning ownership responsibility to the right organizations to say, ‘Hey, you have a key role in moving the conversation forward,’” Burris said. “We had to have that pinwheel for innovation, making sure that with that guidance, we weren’t getting in the way of what needed to come next. Because there was a vision of what a modern government would look like from an identity standpoint. And if we didn’t at least clean up the policy framework for it, which is effectively what we did with [the memo], we wouldn’t be able to pivot to what came next, like the push to zero trust.”

Indeed, the federal government would continue the push to “zero trust” cybersecurity under a 2022 Biden administration policy. Strong identity management practices are central to the zero trust concept, as hackers have long abused stolen identities and credentials to pull off devastating cyber attacks.

But the issue of online identity is also now wrapped up in the debate around public benefits fraud.

When agencies rushed to make federal aid available online during the COVID-19 pandemic, fraudsters pounced, using stolen identities and other techniques to steal an estimated $280 billion in relief funding.

Hackers and fraudsters alike are harvesting personal information available for purchase on the dark web to pull off their attacks. Artificial intelligence is also helping them supercharge their identity-based exploits. Generative AI, deepfakes and automation are all making an already bad problem even worse.

“There’s an arms race that’s taking place where nation state actors are leveraging AI in order to disrupt benefits,” Burris said. “They’re using it in order to impersonate good people, whether you look at it from a deep fake standpoint, or just the scale of automation for collecting and using [personally identifiable information] in order to attack any single threaded view.”

Under the Biden administration, the monumental challenges sparked some ripples of support and progress. The 2022 zero trust strategy pushed agencies to adopt strong identity management technologies, particularly for their workforces.

And the 2023 National Cybersecurity Strategy set a strategic objective to “support development of an identity ecosystem.” But subsequent implementation plans for the strategy made little mention of that objective. According to Grant, the objective got bogged down by infighting over an executive order on fraud that never materialized.

Meanwhile, the Trump administration’s approach to digital identity management is still unclear.

While Elon Musk’s “Department of Government Efficiency” has made rooting out fraud a central pillar of its mission, Grant’s Better Identity Coalition wrote DOGE in January, urging it to take a broader view.

The administration has a chance to take “decisive action that will not only address government benefits fraud but also give Americans tools that they can use to better protect themselves everywhere they do business online,” the coalition wrote.

Grant argues digital identity is an issue of national security and a part of modern critical infrastructure.

“At a time when digital identity threats are becoming more pervasive, and when every one of what we would consider peer countries across the globe has a strategy and plan to elevate it as a national priority, we don’t have any vision at the national level of what good looks like and how to get there, or what bad might look like in terms of bad outcomes with digital identity,” Grant said.

Amid the fast-moving technological landscape, digital identity experts are watching a landmark update to NIST’s digital identity guidelines. The guidelines spelled out in Special Publication 800-63 are mandatory for federal agencies and are closely followed by industry.

NIST’s Galluzzo said his team hopes to have the final revisions out by the end of 2025.

The draft revisions to the guidelines account for emerging digital wallet and verifiable credential technologies, such as mobile driver’s licenses. They include performance requirements for biometric technologies, like facial recognition. And they focus on fraud prevention and phishing-resistant multifactor authentication, among many other areas.

“Any technology that can start to consolidate a smooth user experience with increased security is, I think, the kind of thing that can show a lot of value and gain a lot of traction,” Galluzzo said. “It’s why we’re so interested in things like passkeys and FIDO authenticators, as well as things like mobile wallets and the credentials that reside inside them, because they really do focus on bringing those two components together.”

NIST officials are also testing out standards for things like mobile driver’s licenses through the agency’s National Cybersecurity Center of Excellence. The focus is on public-private sector use cases for financial, government and healthcare purposes.

In many ways, the 2003 “e-authentication” memo’s focus on facilitating secure access continues to this day.

“Wherever you can find that nexus of secure and usable, I think is a really interesting innovation point for the overall industry, as well as for folks like us who are looking to help standardize those things and make sure they’re interoperable and make sure they are providing a consistent degree of protection, as well as that usability,” Galluzzo said.

The post ‘E-authentication’ memo puts the focus on secure, usable digital identity first appeared on Federal News Network.
