Six government agencies were highlighted in a recent GAO report on the need to strengthen online identity verification processes: Centers for Medicare and Medicaid Services (CMS), Government Services Agency (GSA), Internal Revenue Service (IRS), Social Security Administration (SSA), United States Postal Service (USPS) and Veterans Affairs (VA). All used some form of Knowledge Based Authentication (KBA), in order to authenticate the identity of a given individual attempting to access the given agency for services.
Agency responses
GSA and IRS advised the GAO that they had moved away from KBA and were using alternative methodologies for identity proofing. The SSA and USPS noted they intend to do so in the future, but don’t have specific plans. Health and Human Services (HHS) answering on behalf of CMS noted they had no plans to reduce use of KBA for remote identity proofing. While the VA stated they are moving to alternative methods of identity proofing, but still relies on KBA verification.
The VA and KBA
The recent debacle concerning the compromise of PII and subsequent financial attacks which occurred within the defense community by a wayward insider highlights the need for the VA to adjust. The miscreants were able to spoof the DS Logon login protocols because an insider had provided to his criminal compatriots the information necessary to answer the system provided questions which were part of the KBA process.
The VA responded to GAO asking for a directive from the GAO to “respectfully request a recommendation be directed at the VA and DoD to discontinue DS Logon, and consider use of GSA’s login.gov.” Their rational was that DS Logon is controlled by a contractor and they (the VA) can’t reach in and make the necessary adjustments.
For those systems under direct VA control, the VA agreed with the GSA findings and recommendations to move away from KBA.
DS Logon
The contract for DS Logon was competitively awarded in 2017 and non-competitively amended in late-2018. The required tasks were for DS Logon service to support the NIST policy for Two Factor Authentication and One-Time Password, and to update “documentation to support password changes.” As we know, the use of KBA is an integral part of the remote identity authentication process.
We are now in September 2019. The VA has been stung and their DS Logon system successfully gamed to the detriment of its users.
The good news is the VA knows they have a problem, as evidenced by their request to GAO to provide them with a directive which would allow them to discontinue use of DS Logon. That didn’t happen, as GAO noted it was not in their purview.
The VA took a different step and put remote identity proofing (and the use of KBA) on full-stop. No longer is one able to adjust their account log-in, upgrade their account or reset a forgotten password remotely. Visitors to the log-in portal today are being greeted with the following notice:
The ability to remote proof your identity online is unavailable for an extended period of time. If you need to upgrade your account to premium or reset a forgotten password, you will be required to in-person proof at your local VA Regional Office (VARO). Locations of VAROs may be found online on the VA’s Facilities Locator site at http://www.benefits.va.gov/benefits/offices.asp If you are a dependent of a Sponsor, the Sponsor can upgrade your account by using their CAC.
Authentication without KBA?
Industry has moved beyond KBA, with the FIDO (Fast IDentity Online) Alliance leading the charge. FIDO2 “enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments” without the need for passwords or KBA. Using a methodology called “WebAuthn” which was recognized in early-2019 by the World Wide Web Consortium (W3C). According to the FIDO site, there are more than 300 tested and certified products available to use today.
With availability of solutions at hand, why would any government agency with a public facing engagement with their constituents not adopt FIDO2 solutions and dump the use of passwords and KBA?