Why governments are ‘particularly well-positioned’ to offer identity validation
According to the National Institute of Standards and Technology, governments that use its guidance to offer attribute validation services may have to rely less often on commercial data for identity.
The federal government has a surprisingly small role in the digital identity space, despite the amount of authoritative personal information it collects.
Right now, many organizations, including government agencies, often rely on credit bureaus and data brokers to help them verify key facts about people, according to Jeremy Grant, managing director of technology business strategy at Venable.
But that could change if government agencies get in the business of “attribute validation,” as outlined in a new draft report from the National Institute of Standards and Technology.
According to NIST, governments could adopt this service to provide other governments or even private institutions like banks with an official source to confirm whether information, like date of birth, submitted by a person matches that authoritative data.
The draft guidance — required under the 2022 Chips and Science Act, but not binding for federal agencies — is open for comments until November 8.
Some agencies do this type of data matching already. The Social Security Administration fields an offering for financial institutions called the Electronic Consent Based Social Security Number Verification service to check names, dates of birth and Social Security numbers.
The Government Accountability Office released a report on the service last week, detailing SSA’s struggles to meet cost recovery requirements. Although its users say that the service is ultimately helpful, the report also details challenges with its usefulness.
An SSA official also told lawmakers last year that the agency intends to offer SSN verification services for federal benefit programs. The agency already provides some data for states to use when determining eligibility for federally funded benefits, helping with voter registration and more.
Governments often have a lot of original data about people, so they are “particularly well-positioned” to offer validation services, the NIST report states.
“In practice, however, these government systems have focused tightly on specific uses of the data related to core business operations, from validating Social Security numbers for payroll purposes to validating taxpayer identification numbers to enable tax filing,” it continues.
“The federal government sometimes relies on credit agencies and third parties to validate or augment its own data holdings,” the NIST report states, calling credit bureaus a “notable source.”
Politico has also reported on how federal agencies use data brokers because of outdated privacy laws.
If governments do start offering more attribute validation services, one effect could be a decreased reliance on “incomplete commercial data” for this type of information, the report suggests.
All of this matters because attribute validation can be a key part of verifying that someone is who they say they are online, in addition to helping with access control required by the cybersecurity zero-trust model and preventing fraud fueled by synthetic identities.
One big benefit of governments doing this type of work is that government data covers people not covered by commercial datasets, NIST says.
“Traditional identity proofing systems can exclude individuals with limited financial or credit histories,” the report states. “By leveraging government data, a federal or state [attribute validation service] can validate core identity attributes for these individuals, helping them gain access to essential resources that otherwise may have been excluded.”
“Ultimately, the intent is to facilitate greater use of government data in a manner that preserves user privacy while also enabling increased equity by decreasing reliance on incomplete commercial data,” NIST states.
The report details the architecture, security, privacy and operational considerations for attribute validation services for government agencies, including how mobile driver's licenses may also play a role in attribute validation.
This type of guidance from NIST is something Grant has been asking for since 2018. He runs the Better Identity Coalition, a trade association focused on digital identity, which called on NIST to develop a framework and rules for government-fielded identity attribute validation services in a 2018 policy blueprint. Before leading the Better Identity Coalition, Grant himself led a group at NIST during the Obama administration called the National Strategy for Trusted Identities in Cyberspace that focused on helping state and local governments and commercial entities partner on digital identity solutions.
In addition to equity, he also pointed to the potential for attribute validation to help combat identity theft if the government agencies housing driver's licenses, birth certificates and other types of authoritative data take this guidance and offer these types of services.
“At a high level, we are seeing attacks from adversaries looking to compromise identity have been ramping up significantly over the last few years,” said Grant. “The ability to move away from some third party sources and be able to go directly to the authoritative source is going to be one tool in the toolkit that’s going to be important in terms of how we start to harden these systems.”