E-authentication nears the starting gate

Federal e-government projects ultimately will be only as good as their authentication—the guarantee that users and transactions are secure.For the Office of Management and Budget’s Quicksilver initiatives, the guarantor is the E-Authentication Gateway, which is entering the last stages of development.Project manager Stephen Timchak said he expects the General Services Administration to solicit bids for a production version of the gateway this fall and establish full operations by March.The gateway, which began initial operation last fall, provides the 24 other Quicksilver initiatives a common path for authenticating users of online government applications.[IMGCAP(2)] Agencies that supply electronic services to citizens, contractors and other agencies need servers on the back end to recognize who is accessing the applications from the front end. This requires authentication—a system for verifying the identifying credentials. They can be simple passwords or personal identification numbers, or digital certificates stored on tokens, hard drives or browsers.“There is typically a 1-to-1 relationship between the credential and the application it’s designed for,” Timchak said.As the number of applications grows, managing individual credentials becomes burdensome, for both users and owners of the applications. So GSA is working to break that 1-to-1 ratio and get government out of the business of issuing and managing credentials.“To the maximum extent possible, we want citizens to use credentials that have been issued by the private sector,” Timchak said. One credential should be acceptable to multiple applications.To make this a reality, the E-Authentication Gateway will act as a central clearinghouse for credentials submitted online to e-government applications.[IMGCAP(3)] Adrian Fish, deputy e-authentication program director at GSA, said the gateway is only one piece of the authentication puzzle. Agencies must have policies for application use, risk levels have to be assessed for each type of transaction, and assurance levels have to be assigned to each type of credential being evaluated.In designing the gateway, the technology came last, Timchak said.“Everybody thinks it’s about technology, and it’s not,” he said. “The key to making it successful is cross-agency collaboration.”But that doesn’t mean that a lot of thought has not gone into the technology.“The technology is a challenge because it is all proprietary,” Timchak said. “There is no standards-based interoperability.”Work on the gateway began in February 2001, when the E-Authentication Program Management Office got together with OMB’s e-government leaders to establish a mission and set of goals. The E-Authentication Gateway had an advantage over similar projects because it has a built-in customer base, Timchak said.“A lot of gateway initiatives have failed or taken a long time to get going because they didn’t have applications,” he said.The E-Authentication Gateway was developed for a specific set of applications, which are being fielded with the idea that they will use the gateway.The gateway achieved initial operating capability last September, and in April the team completed certification and accreditation, getting the green light to operate in a live environment. It currently runs on a server hosted by Mitretek Systems Inc. of Falls Church, Va.Users at a Web page for an online service are prompted to enter user name, password or PIN, or submit a digital certificate, depending on the requirements of that application, said Stephen P. Sill, application manager in the E-Gov Program Office.[IMGCAP(4)] “The request is redirected to the gateway,” Sill said. Credentials are checked against the appropriate database by the Certificate Arbitration Module, which lets the gateway determine whether the credentials are valid. The gateway then tells the application if the credential is good.That is the authentication process. Authorization, the decision to allow a user access to an application, is a separate process.“The application decides whether or not to allow access,” Sill said. A password or certificate recognized as valid by the gateway might not be adequate because it is not accepted by the application or does not have the appropriate level of assurance.Policy enforcement interfaces from Netegrity Inc. of Waltham, Mass., Entegrity Solutions Corp. of San Jose, Calif., and Entrust Inc. of Dallas stand between the application server and the gateway. Those vendors were chosen because their identity management products were in use on the e-government applications, Fish said.The products were not designed to work with each other, “but with some additional customization, we’re finding it works,” Timchak said.“What we’re looking for is a way to simplify and unify,” said Brian Doherty, a consultant with SiloSmashers Inc. of Vienna, Va., which is providing IT and management consulting for e-government projects.The gateway now is operating in peer-to-peer mode, authenticating servers rather than individuals for five applications, including a Social Security Administration program to let states identify prison inmates so benefits can be cut off in a timely manner.“We’re still in the infancy of rolling this out,” Timchak said.Maturing the gateway will depend on two things: Policies mapping the needs of each application to the proper level of credential assurance, and interoperable software for the production version of the gateway.To determine the level of assurance required, risk assessments must be done on all applications in the e-gov initiative by Oct. 1. All other online applications requiring authentication must complete the assessment by Sept. 15, 2005.“We’ve developed a tool called the E-Authentication Risk and Requirements Tool Analysis (ERA) in conjunction with Carnegie Mellon University,” Timchak said.ERA is an automated tool that evaluates the level of risk in a transaction.[IMGCAP(5)] “We applied the ERA against not only e-gov applications, but applications that are already up and running, and I think it opened some eyes,” Timchak said. “A lot of information needs to be protected better than it is.”To ensure that information in e-government applications is protected, each application will assign a level of assurance required before it will accept a credential. Those assurance levels still are in the making. OMB has published a draft policy for public comment outlining four levels of assurance, ranging from low, with essentially no confidence, to high, with full assurance.Credentials accepted by the gateway will be mapped to one of the assurance levels, depending on the nature of the credential and how it is issued or created. A user name and password chosen by the user probably would receive the lowest level of assurance, for instance, and a digital certificate issued in person after a background check would receive the highest.The public comment period on the policy closed Aug. 11, and a final policy is expected this month.Standards-based interoperability between apps will be a requirement of the solicitation for the gateway’s production version, Timchak said. The vendors of products currently used in the gateway have announced they will comply with the Security Assertion Markup Language, an Extensible Markup Language framework for exchanging security information, so interoperability appears to be a realistic requirement.“If we are not there yet, and I think we will be, then we are going to have to have an exit strategy to get out of the proprietary world,” Timchak said.