Connect.gov is live in its first phase, but only a few agencies so far have agreed to use the uniform digital credential platform. However, as the service matures and its benefits are realized, ID.me, one of the credential-providing partners on the project, believes that will change.
Founded by two Army Rangers who met at Harvard Business School, ID.me is a digital credential startup based in McLean, Virginia, that began as a company helping veterans, service members and other organizations access benefits tied to their identities online. The business has since matured as part of the National Institute of Standards and Technology’s National Strategy for Trusted Identities in Cyberspace pilot program.
“The NSTIC award effectively helped us to mature our platform and enhance our service to include identity proofing in addition to the attribute verification we’re doing and really kind of filled out the network of relying parties we had consuming our technology,” said Matt Thompson, COO and co-founder of ID.me. The company in August also became one of three — Verizon Communications Inc. and Symantec Corp. are the others — to receive Federal Identity Credential Access Management assurance levels 1-3.
With that foothold in the digital identity space solving credential issues for the veteran and military communities, as well as the NSTIC and FICAM recognitions, the General Services Administration awarded ID.me an 18-month contract to issue digital identity credentials to citizens accessing government resources and benefits through Connect.gov.
“Those same people who have ID.me credentials that they may have used to prove they were eligible for a 10 percent off at [a partnering organization] can access the [Department of Veterans Affairs] and now other agencies that are plugged in to Connect.gov, effectively giving individuals a single credential they could use across multiple use cases across multiple levels of assurance,” Thompson said. “Before Connect.gov, all these agencies were doing siloed identity proofing and issuing you a username and password that only had utility at their websites. And it was a pretty closed ecosystem.”
But in this initial stage, very few agencies have taken to the Connect.gov effort. The Connect.gov website lists only the VA, NIST and the Agriculture Department as relying parties. GSA is acting as the program management office for the project, the Postal Service is providing the technology for the network and NIST is leading the NSTIC framework for credential validity in the ecosystem.
“There’s a limited set of organizations participating in Connect.gov inside the government,” Thompson said. “Our hope is they all see the value of this and get out of the business of identity access management to the extent that they could use a much more efficient process and technology, which is Connect.gov, and at the end of the day, it has a lot more value for the citizens that want access to those applications as well.”
While ID.me is excited that the federal government is taking the lead on pushing this concept to market, ID.me Chief Product Officer Ryan Fox thinks more agencies are perfectly tailored for Connect.gov and need to jump onboard — three in particular: the Social Security Administration, IRS, and the Department of Health and Human Services.
“SSA, IRS and HHS are three large agencies that have large-scale interactions with U.S. residents, and an individual who is interacting with those three agencies today has to identity proof and establish credentials in three different locations,” Fox said. “Should those agencies choose to participate in Connect.gov, they’ll see a reduction in cost and ease of use for their consumers, as well as an offset of liability,” something he said is a wise decision for agencies given the track record for cybersecurity and breaches in government.
In addition to those obvious benefits that come with this type of shared service, Thompson stressed the importance of Connect.gov’s privacy, saying it should be a benefit for citizens using it and agencies hesitant to join.
“There’s a privacy layer in Connect.gov to protect the privacy of the citizen,” he said. “So what that privacy layer does at a high level is it keeps any of the identity providers or credential service providers from seeing what agency the citizen is trying to access. So we don’t know, nor do we really care, that [someone] is trying to access Veterans Affairs. So there’s a blinding mechanism that keeps us from seeing that, and there’s a blinding mechanism that keeps Veterans Affairs from seeing that you’re coming in using ID.me versus any other credential, which they don’t need to see. At the end of the day, they just need to know that it’s you and that you’re identity proofed to the proper level of assurance.”
And for Connect.gov, it “doesn’t see that you’re using a certain credential, that you’re accessing a certain site and they don’t see your information passing through via encrypted form through the exchange,” Thompson said.
“There’s a lot of distrust of our government around the amount of data and what’s being tracked on individuals, and this is actually something that’s being stood up to protect identities and promote privacy,” he said. “The whole digital identity ecosystem is about trust. This whole Connect.gov initiative, which is born out of NSTIC as well, is all about increasing privacy as well as that utility for the credentials.”