How agencies can balance a good customer experience with the need for a lot of security
The more complex and in-demand federal online services become, the more difficult it is to provide both a good customer experience and good security. A study commissioned by TransUnion highlights the need for agencies to raise their game here. Federal Drive with Tom Temin got more from Stuart Levy, senior director of public sector identity at TransUnion.
Tom Temin: Mr. Levy, nice to have you.
Stuart Levy: Thanks, Tom, for having me.
Tom Temin: Tell us what you were watching. You have asked the Ponemon Institute to conduct surveys of federal entities. Tell us about the investigation and what you discovered?
Stuart Levy: Well, we’ve noticed quite a bit over the last year because UI has had its own challenges. And we were interested to know what other agencies are seeing, and if they were somehow correlated with what we encountered, we were concerned whether user experience and anti-fraud strategies were valid or not.
Tom Temin: And what have you discovered? Are they valid or not valid or how do agencies generally fare with all this set of issues?
Stuart Levy: Yes, we have found that agencies are in desperate need of resources to tackle account takeover vectors, fraud vectors, and are also using advanced strategies such as artificial intelligence to pull key insights from massive volumes of data that can be used to detect fraud in the future.
Tom Temin: In other words, the government is getting more and more into the business of voters having accounts with different agencies, almost like the commercial sector, and therefore, they must have the same level of assurance of the identity of the person accessing this service, that this account is really that person. Is that a good way to put it?
Stuart Levy: This is a great way to put it. Agencies have turned to the document authentication strategy, which works and it’s a great technology. But it doesn’t always work. And that presents challenges from a user experience perspective. So we’ve found that it’s useful to look at the risk base for the identity in question, the person trying to log in and create an account for themselves, and spend the money where there really are problems with identity fraud, and maybe save some money where there are fewer challenges.
Tom Temin: And what are the best contemporary techniques for doing it? Because clearly all agencies, I think, understand that username and password are desperately too few to do good cybersecurity. And in fact, the White House has now highlighted the push towards multi-factor authentication for any normal connection. So what do best practices look like these days?
Stuart Levy: For the account registration process, the federal government and standards used today point directly to the document authentication approach. But when that – in your opinion, when it doesn’t work well, knowledge-based questions can be considered and there are new technologies that allow us to look at the ownership of a device and a phone number and where we can correlate the attributes. Then maybe we can send a one-time password to this device and then verify the identity in this way. And maybe this account is reviewed and inspected further?
Tom Temin: As you pointed out, something I should have understood is that there are two parts to this whole question. One is the establishment of the account in the first place. And especially with accounts like IRS or Social Security, people want to do it before someone else does it on their behalf. And then once the account is verified and established, make sure that when people visit that account, they are who they say they are.
Stuart Levy: Yeah, there is definitely that. And then, to prevent account takeover, protecting that account with multi-factor authentication, and the emerging standards that come with it, like the FIDO2 standard, are things I think the government should pay attention to.
Tom Temin: And what is the FIDO2 standard?
Stuart Levy: A password-less approach endorsed by the World Wide Web Consortium. TransUnion and our competitors have similar technologies and capabilities, but they have yet to be widely deployed.
Tom Temin: We chat with Stuart Levy, the senior director of public sector identity at TransUnion. And those types of factors, other than the password – again, what’s the latest state of the art for this? Because before you would ask the questions you wanted to be asked later, and it was, in fact, like having a second password, because it had to have the precise question and the precise way you initially grasped it to be able to overcome this challenge question. But we’ve gone beyond that whole paradigm now, haven’t we?
Stuart Levy: Well, you are referring to pre-recorded knowledge. Pre-recorded knowledge is a strategy agencies often use to reset passwords or make critical changes to an account, such as a bank account number, and redirect funds to a new bank account. Keep in mind that there are obviously risks associated with this. Pre-recorded knowledge was those questions that usually had free-text answers, and users tended to not remember those answers. So we come in with the knowledge that they should have just because of who they are, and the knowledge that a credit reporting agency has about the consumer. This is for critical changes. Second, for continuous login authentication, there are several strategies available today that are covered by NIST standards to perform multi-factor authentication.
Tom Temin: So what does this look like for the incoming client, so if you are not using the standard username password, but something under FIDO, what do they encounter?
Stuart Levy: Well, they’ve got to have a device, and that device has to be near the computer they’re using. And an encrypted digital key is installed on this device when they first activate it for the FIDO2 standard.
Tom Temin: In other words, do you need a smartphone to be able to get the code to enter?
Stuart Levy: Yes, but there are browser plugins available if you don’t have a cell phone either. As long as you own a device and have proven your identity on that device, not only can we detect fraud on that device to begin with, but the FIDO2 standard will allow continuous login access without a password.
Tom Temin: Understood, so people may not have smartphones, there are parts of the population where a smartphone and the account associated with it may be financially out of reach. But maybe they can have a flip phone? They still sell them. Would these people still have the same rights and privileges?
Stuart Levy: Exactly.
Tom Temin: And what about the economy in the arrangement of these different systems?
Stuart Levy: Well, the costliest part is deploying an identity stack to get started. And then using a managed service from a credit bureau like ours, followed by ongoing maintenance and ongoing authentication, is usually very, very inexpensive. The most expensive, but very valuable, aspect is the continuous review of how the system is working, ensuring that the fraud is taken care of and that the appropriate strategies are in place, and providing the right kind of experience for users.
Tom Temin: Are there any specific agencies that people should check out that are good at it?
Stuart Levy: There are large, very, very experienced agencies facing government that have gotten very good at it today. The IRS, [Centers for Medicare & Medicaid Services], the Ministry of Education for [Free Application for Federal Student Aid] processes are all very good at providing and paying attention to user experience and doing their best to detect and prevent fraud.
Tom Temin: Stuart Levy is Senior Director of Public Sector Identity at TransUnion. Thank you very much for joining me.
Stuart Levy: Thank you.