Electronic Authentication

Electronic Authentication is the process of establishing confidence in user identities that are presented in online environments. Application developers are often faced with a choice of mechanisms based on a wide variety of technologies to perform local or remote authentication. The use of multifactor authentication (MFA) adds an increased layer of security to transactions by using multiple forms of eAuth mechanisms during a transaction.

Electronic Authentication in the United States

Electronic Authentication and NSTIC

The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a White House initiative developed to catalyze the marketplace for secure credentials—so we can choose from a variety of credentials to use for online transactions that are more secure, convenient, and privacy-enhancing than passwords. NSTIC has a broad charge: the creation of an Identity Ecosystem, “an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.”

The National Strategy for Trusted Identities in Cyberspace (NSTIC) helps individuals and organizations utilize secure, efficient, easy-to-use and interoperable identity credentials to access online services in a manner that promotes confidence, privacy, choice and innovation.

The NSTIC calls for a “vibrant Identity Ecosystem” where identity solutions adhere to four Guiding Principles:

• Identity solutions will be privacy-enhancing and voluntary
• Identity solutions will be secure and resilient
• Identity solutions will be interoperable
• Identity solutions will be cost-effective and easy to use

Electronic Authentication Guideline

NIST Special Publication (SP) 800-63 was released in 2006 to complement OMB Memorandum M-04-04. M-04-04 specifies four levels of assurance (LOA) that agencies must select from based on a detailed risk assessment of the potential harm that may come as a result of authentication failure. 800-63 specifically provides the technical and procedural requirements that agencies can implement to meet the LOA requirements of online services.

Future of Online Transactions

A White House Executive Order (October, 2014), Improving the Security of Consumer Financial Transactions, calls for “all agencies making personal data accessible to citizens through digital applications” to “require the use of multiple factors of authentication and an effective identity proofing process.” Working toward this Executive Order will ultimately enable citizens to better engage with federal agencies and will increase the security, privacy, and convenience of online transactions.

Text of the White House Executive Order

Given that identity crimes, including credit, debit, and other payment card fraud, continue to be a risk to U.S. economic activity, and given the economic consequences of data breaches, the United States must take further action to enhance the security of data in the financial marketplace. While the U.S. Government’s credit, debit, and other payment card programs already include protections against fraud, the Government must further strengthen the security of consumer data and encourage the adoption of enhanced safeguards nationwide in a manner that protects privacy and confidentiality while maintaining an efficient and innovative financial system.

By the authority vested in me as President by the Constitution and the laws of the United States of America, and in order to improve the security of consumer financial transactions in both the private and public sectors, it is hereby ordered as follows:

Section 1. Secure Government Payments. In order to strengthen data security and thereby better protect citizens doing business with the Government, executive departments and agencies (agencies) shall, as soon as possible, transition payment processing terminals and credit, debit, and other payment cards to employ enhanced security features, including chip-and-PIN technology. In determining enhanced security features to employ, agencies shall consider relevant voluntary consensus standards and specifications, as appropriate, consistent with the National Technology Transfer and Advancement Act of 1995 and Office of Management and Budget Circular A-119.

(a) The Secretary of the Treasury shall take necessary steps to ensure that payment processing terminals acquired by agencies through the Department of the Treasury or through alternative means authorized by the Department of the Treasury have enhanced security features. No later than January 1, 2015, all new payment processing terminals acquired in these ways shall include hardware necessary to support such enhanced security features. By January 1, 2015, the Department of the Treasury shall develop a plan for agencies to install enabling software that supports enhanced security features.

(b) The Administrator of General Services shall take necessary steps to ensure that credit, debit, and other payment cards provided through General Services Administration (GSA) contracts have enhanced security features, and shall begin replacing credit, debit, and other payment cards without enhanced security features no later than January 1, 2015.

(c) The Secretary of the Treasury shall take necessary steps to ensure that Direct Express prepaid debit cards for administering Government benefits have enhanced security features, and by January 1, 2015, the Department of the Treasury shall develop a plan for the replacement of Direct Express prepaid debit cards without enhanced security features.

(d) By January 1, 2015, other agencies with credit, debit, and other payment card programs shall provide to the Office of Management and Budget (OMB) plans for ensuring that their credit, debit, and other payment cards have enhanced security features.

(e) Nothing in this order shall be construed to preclude agencies from adopting additional standards or upgrading to more effective technology and standards to improve the security of consumer financial transactions as technologies and threats evolve.

Sec. 2. Improved Identity Theft Remediation. To reduce the burden on consumers who have been victims of identity theft, including by substantially reducing the amount of time necessary for a consumer to remediate typical incidents:

(a) by February 15, 2015, the Attorney General, in coordination with the Secretary of Homeland Security, shall issue guidance to promote regular submissions, as appropriate and permitted by law, by Federal law enforcement agencies of compromised credentials to the National Cyber-Forensics and Training Alliance’s Internet Fraud Alert System;

(b) the Department of Justice, the Department of Commerce, and the Social Security Administration shall identify all publicly available agency resources for victims of identity theft, and shall provide to the Federal Trade Commission (FTC) information about such resources no later than March 15, 2015, with updates thereafter as necessary. These agencies shall work in consultation with the FTC to streamline these resources and consolidate them wherever possible at the FTC’s public website, IdentityTheft.gov; and

(c) OMB and GSA shall assist the FTC in enhancing the functionality of IdentityTheft.gov, including by coordinating with the credit bureaus to streamline the reporting and remediation process with credit bureaus’ systems to the extent feasible, and in making the enhanced site available to the public by May 15, 2015.

Sec. 3. Securing Federal Transactions Online. To help ensure that sensitive data are shared only with the appropriate person or people, within 90 days of the date of this order, the National Security Council staff, the Office of Science and Technology Policy, and OMB shall present to the President a plan, consistent with the guidance set forth in the 2011 National Strategy for Trusted Identities in Cyberspace, to ensure that all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process, as appropriate. Within 18 months of the date of this order, relevant agencies shall complete any required implementation steps set forth in the plan prepared pursuant to this section.

Sec. 4. General Provisions. (a) This order shall be implemented consistent with applicable law and subject to the availability of appropriations.

(b) Nothing in this order shall be construed to impair or otherwise affect:

(i) the authority granted by law to an executive department, agency, or the head thereof; or

(ii) the functions of the Director of OMB relating to budgetary, administrative, or legislative proposals.

(c) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.