In a time of heightened security concerns surrounding hacks and breaches, identity and access management (commonly referred to as IAM or IdAM) continues to be a top priority for federal agencies.
Traditionally, agencies have relied on Common Access Cards (CAC) for defense employees and Personal Identification Verification (PIV) cards for civilian counterparts. In order to make mobile productivity a reality within the public sector, we are seeing many agencies look at adopting a derived credentials approach.
As various agencies look at adopting derived credentials for internal use, they are also looking at other authentication methods for external use. Most recently, in late August 2015, the Department of Homeland Security (DHS) released its vision for biometric capabilities. The vision includes three components: enhance effectiveness of subject identification; transform identity operations to optimize performance; and refine processes and policies to promote innovation.
While DHS is not yet utilizing biometrics as part of its internal IAM strategy, it is harnessing the technology for external subject identification via its Automated Biometrics Identification System with the aim of ensuring national security and public safety.
While the agency’s progress and innovation are a step in the right direction for harnessing biometrics, the technology’s true potential will be realized when it is used internally as an additional factor within DHS’s overall IAM solution. Could a derived credential protected by a biometric template be a compelling two-factor alternative? Possibly – but there is still work to be done.
Federal agencies today require proprietary devices with specific readers to support biometrics – an expensive process that lacks the user-friendly capabilities many desire. As IT executives continue to move toward utilizing consumer technology, government employees will be able to simply use the embedded technology on the device for biometric authentication, such as the camera for a retina scan or the microphone for voice recognition.
From a mobility perspective, one of the most important steps for the future of biometrics (or any other factor) in authentication will be moving away from the monolithic approach of embedding authentication middleware.
Today, mobile authentication solutions are tightly coupled with proprietary middleware, which is typically embedded in the mobile application that supports it. This approach causes scalability and future innovation issues because mobile application developers must build multiple versions of their apps to support a wide range of middleware and hardware vendors.
Additionally, every time a hardware or middleware update is needed, the developer of each app will need to release a new version to support it. If agencies instead implemented a framework to support the application ecosystem, multiple hardware and middleware vendors could be supported through an abstraction layer, creating a plug-and-play approach. This will result in competition, which helps drive cost down and drive innovation up!
Above all else, in order to support innovation and reach the goal of utilizing biometrics for two-factor authentication, it will be imperative for specific guidelines to be set. While the National Institute of Standards and Technology (NIST) has created a biometrics and usability resource, there is still progress to be made on drafting guidelines for agencies to follow when developing pilot programs or looking into implementations. It will be exciting to see how programs, like the external identification use case from DHS, continue to shape the conversation around biometrics.
With pilot programs in place today, the power of biometrics is bound to reshape the way federal agencies look at, and support, two-factor authentication, creating a more secure, mobile and user-friendly workforce.
Eugene Liderman is director of product management, public sector, Good Technology.