The more complex and in demand online federal services become, the more difficult it is to offer both a good customer experience and effective security. A recent Ponemon Institute study commissioned by TransUnion points to the need for agencies to improve these efforts. TransUnion’s Stuart Levy, Senior Director of Identity, Public Sector, sat down with Tom Temlin on the Federal Drive on Federal News Network to discuss. Click the link below to listen to the podcast.
For more details on our Public Sector fraud study – Building Trusted Online Government Services — click here.
Tom Temin: Mr. Levy, good to have you on.
Stuart Levy: Thanks, Tom, for having me.
Tom Temin: Tell us what you were looking at. You listed the Ponemon Institute to do some survey work among federal entities. Tell us about the survey and what you discovered?
Stuart Levy: Well, we’ve noticed quite a few things over the past year as unemployment insurance has had its own challenges. And we were interested to know what other agencies are seeing. And if they kind of correlated to what we came across, we were concerned about user experience and anti-fraud strategies being valid or not valid.
Tom Temin: And what did you find out? Are they valid or not valid or how are agencies generally doing with respect to that whole complex of problems?
Stuart Levy: Yeah, we found that agencies are in desperate need for resources to combat account takeover vectors, fraud vectors, and also use advanced strategies like artificial intelligence to pull in key insights from massive volumes of data that can be used to detect fraud in the future.
Tom Temin: In other words, the government is getting more and more into the business of constituents having accounts with different agencies, almost like the commercial sector, and therefore they need to have the same level of assurance of the ID of the person accessing that service, that that account really is that person. Is that a good way to put it?
Stuart Levy: That’s a great way to put it. Agencies have been moving towards the document authentication strategy, which works and it’s a great technology. But it doesn’t always work. And it presents challenges from a user experience perspective. So we found that it’s useful to look at the risk basis for the identity that’s in question, the person that’s trying to connect and create an account for themselves and to spend the money where there really are identity fraud challenges, and maybe save a little bit of money where there are fewer challenges.
Tom Temin: And what are the best contemporary techniques for doing that? Because clearly, agencies all, I think, understand that the username and password is hopelessly too little to do good cybersecurity. And in fact, the White House has now underscored the push toward multifactor authentication for just any normal log on. So what is best practice look like these days?
Stuart Levy: For the account registration process, federal government and the standards that are used today directly point towards the document authentication approach. But when that – to your point, when that does not work well, knowledge-based questions are something that can be considered and there are new technologies that allow us to look at the ownership of a device and a telephone number and where we can correlate attributes. Then perhaps we can send a one-time passcode to that device, and then verify identity in that way. And maybe that account gets reviewed and further inspected?
Tom Temin: As you pointed out, something I should have realized in that is there are two parts to this whole question. One is the establishment of the account in the first place. And especially with accounts like IRS or Social Security, people want to do it before someone else does it in their name. And then once the account is verified, and established, then assuring that when people visit that account, they are who they say they are.
Stuart Levy: Yeah, there’s definitely that. And then to prevent account takeover, protecting that account with multifactor authentication, and emerging standards that are coming out of that, like the FIDO2 standard, are things that I think government should be paying attention to.
Tom Temin: And the FIDO2 standard is?
Stuart Levy: A password lessapproach that’s been approved by the World Wide Web Consortium. TransUnion and our competitors have technologies and capabilities that approach that but it hasn’t been broadly deployed yet.
Tom Temin: We are speaking with Stuart Levy, the senior director of Public Sector Identity at TransUnion. And those types of factors, other than password – again, what’s the latest state of the art for that? Because it used to be that you would put in questions you wanted to be asked later, and that was, in effect, like having a second password, because he had to have the precise question and the precise way you originally entered the password to be able to get past that challenge question. But we’re past that whole paradigm now, aren’t we?
Stuart Levy: Well, you’re referring to pre-registered knowledge. Pre-registered knowledge is a strategy that agencies often use to reset passwords, or make critical changes to an account like a bank account number, and redirecting funds to a new bank account. Remember, there’s obviously risks associated with doing that. The pre-register knowledge were those questions that were usually freeform text in response, and users tend not to remember those answers. So we come into play with knowledge that they should have just because of who they are, and knowledge that a credit reporting agency has on the consumer. That’s for critical changes. Then for the ongoing login authentication there are multiple strategies available today that are covered by NIST standards to do multifactor authentication.
Tom Temin: So how does it look to the incoming customer then if you’re not using the standard username password, but something under FIDO, what do they encounter?
Stuart Levy: Well, they have to have a device and that device has to be in a proximity to the computer that they’re using. And there’s a encrypted digital key that is installed on that device when they first activate it for the FIDO2 standard.
Tom Temin: In other words, you need a smartphone to be able to get the code to get yourself in?
Stuart Levy: You do but there are browser plugins if you don’t have a cell phone as well. As long as you have possession of a device, and you’ve proven your identity on that device, not only can we detect fraud on that device to begin with, but the FIDO2 standard will allow for ongoing login access without a password.
Tom Temin: Got it, so people may not have a smartphone, there are parts of the population where a smartphone and the account associated with it might be financially out of reach. But maybe they can have a flip phone? They still sell those. Those people would still have the same rights and privileges?
Stuart Levy: Exactly.
Tom Temin: And what about the economics to the agency of these various systems?
Stuart Levy: Well, the most expensive part is deploying an identity stack to begin with. And then employing a managed service from a credit reporting agency such as ourselves, followed by the ongoing maintenance and ongoing authentication, generally very, very inexpensive. The more expensive aspect, but very valid aspect is ongoing review for how the system is performing, and making sure that fraud is being attended to and the proper strategies are in place, and providing the right kind of experience for the users.
Tom Temin: Any agencies in particular that people should check out that are good at this?
Stuart Levy: There are very, very experienced large government-facing agencies that have gotten quite good at this today. The IRS, [Centers of Medicare & Medicaid Services], Department of Education for the [Free Application for Federal Student Aid] process are all very good at providing and paying attention to user experience and doing their best to detect and prevent fraud.
Tom Temin: Stuart Levy is senior director of Public Sector Identity at TransUnion. Thanks so much for joining me.
Stuart Levy: Thanks for having me.