Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

Federal Agencies Still Using Knowledge-Based Identity Verification

Some U.S. government agencies still rely on knowledge-based identity verification despite the fact that this system has been easy to beat following the massive data breaches suffered by the Office of Personnel Management (OPM) and Equifax

Some U.S. government agencies still rely on knowledge-based identity verification despite the fact that this system has been easy to beat following the massive data breaches suffered by the Office of Personnel Management (OPM) and Equifax

Federal agencies use remote identity proofing to verify that individuals who apply online for benefits and services are who they claim to be. This process can involve a knowledge-based verification process conducted by consumer reporting agencies such as Equifax. The applicant is asked to answer a personal question based on information held in their credit file and if their response is correct, their identity is verified.

Until a few years ago, it was assumed that only the true owner of the identity could answer these questions correctly. However, due to the 2015 breach of OPM and the 2017 breach of Equifax, which resulted in the exposure of personal information for hundreds of millions of individuals, anyone in possession of this compromised data can easily answer the questions.

Guidance issued by the National Institute of Standards and Technology (NIST) in 2017 prohibits agencies from using knowledge-based verification for sensitive applications and recommends alternative methods, such as a remote assessment of physical credentials (e.g. asking the individual to send over a photo of their driver’s license), or verification through cell phone services. The Office of Management and Budget (OMB) is also developing guidance on identity management.

The Government Accountability Office (GAO) has conducted an assessment of six federal agencies: the General Services Administration (GSA), the Internal Revenue Service (IRS), the United States Postal Service (USPS), Centers for Medicare and Medicaid Services (CMS), the Social Security Administration (SSA), and the Department of Veterans Affairs (VA).

A report published recently by the GAO shows that the IRS and GSA completely scrapped knowledge-based verification and started using other methods for their Login.gov and Get Transcript services. VA has started using other methods, but still relies on the old technique for some people.

On the other hand, USPS and SSA intend on reducing or eliminating the use of knowledge-based verification, but don’t have specific plans for it, and CMS has no plans at all for replacing current identity proofing systems.

“Several officials cited reasons for not adopting alternative methods, including high costs and implementation challenges for certain segments of the public,” GAO said in its report. “For example, mobile device verification may not always be viable because not all applicants possess mobile devices that can be used to verify their identities.Nevertheless, until these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud.”

Advertisement. Scroll to continue reading.

One of the problems, GAO concluded, is that the OMB and NIST guidance is not sufficient. It believes NIST should provide more information, including on the advantages and limitations of the available technologies, and recommendations on which systems should be adopted, along with a clear direction for implementing alternatives. However, NIST believes its guidance is comprehensive and does not plan on issuing additional information.

GAO also believes OMB should require agencies to report on their progress in adopting more secure identity proofing practices. The guidance OMB is developing does not currently include such requirements.

Related: TSA Lacks Cybersecurity Expertise to Manage Pipeline Security Program

Related: GAO Makes Recommendations to Improve Security of Taxpayer Data

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.