The document discusses user authentication technologies used by the US federal government. It outlines policies like HSPD-12 that mandate authentication standards and describes NIST standards for different assurance levels. PKI and one-time passwords are the primary technologies, with PKI providing additional security capabilities. Level 3 assurance is a common target level. Symantec provides both PKI and OTP cloud services to help government agencies meet requirements.

1. Symantec Government Technology Summit
User Authentication for Government
20 March 2012
Nick Piazzola
Sr. Director, Government
Authentication Solutions
Nick_Piazzola@symantec.com
443-604-4069

2. E-Authentication in the Federal Government
Players: President, OMB, Federal CIO/CIO Council, FICAM
Policies/Mandates:
• HSPD-12
• OMB: M-04-04, M-07-16, M-11-11
• Federal CIO Memo
Technical Standards:
• FIPS 201
• FIPS 199
• NIST SP 800-63-1
Implementation Standards/Guidance:
• Federal PKI Certificate Policy
• Trust Frameworks (Non-PKI)

3. OMB M-04-04 E-Authentication Guidance
 Electronic authentication (E-Authentication) is the process of
establishing confidence in identities presented remotely over an
open network to an information system.
 OMB M-04-04 defines four levels of identity assurance for electronic
transactions requiring authentication, where the required level of
assurance is defined in terms of the consequences of authentication
errors and the misuse of credentials.
 Level 1 – Little or no confidence in the asserted identity
 Level 2 - Some confidence in the asserted identity
 Level 3 - High confidence in the asserted identity
 Level 4 - Very high confidence in the asserted identity

4. OMB M-04-04 E-Authentication Guidance
• Requires agencies to review new and existing electronic transactions to
ensure that authentication processes provide the appropriate level of
assurance.
1. Conduct a risk assessment of the e-government system.
2. Map identified risks to the applicable assurance level.
3. Select technology based on e-authentication technical guidance.
4. Validate that the implemented system has achieved the required
assurance level.
5. Periodically reassess the system to determine technology refresh
requirements.

5. Maximum Potential Impacts
FIPS 199 Risk/Impact Profiles Assurance Level Impact
Profiles
Potential Impact Categories for
1 2 3 4
Authentication Errors
Inconvenience, distress or damage to standing or Low Mod Mod High
reputation
Financial loss or agency liability Low Mod Mod High
Harm to agency programs or public interests N/A Low Mod High
Unauthorized release of sensitive information N/A Low Mod High
Personal Safety N/A N/A Low Mod
High
Civil or criminal violations N/A Low Mod High

6. NIST Special Publication SP 800-63-1
Electronic Authentication Guideline
• Provides technical guidelines for Federal agencies implementing
electronic authentication.
• Defines electronic authentication (e-authentication) as the process of
establishing confidence in identities electronically presented to an
information system.
• Applies to remote electronic authentication of users over open
networks.
• Defines four levels of increasing assurance: Levels 1,2,3,4 and the
threats to be mitigated at each of these levels.
• Defines technical requirements in the areas of identity proofing,
registration, tokens, management processes, authentication
protocols and related assertions.

7. Strong Authentication
A Combination of Two or More Authentication Factors
Something You Know Something You Have Something You Are
Username/Passwords Hardware OTP Token
Mother’s Maiden Name Fingerprint
Digital Certificate
Transaction History Iris Pattern
Smart Card

8. E-Authentication Assurance Levels (OMB M-04-04)
HSPD-12 PIV Card
Increased Strength
Multi-Factor Token
PKI/ Digital Signature
Biometrics
One-Time Password Very
High
Knowledge-Based
High
PIN/User ID Medium
Low
Access to Applying Obtaining Employee
for a Loan Govt. Screening
Protected
Website Online Benefits for a High
Risk Job
Increased Need for Identity Assurance

9. User Authentication Product Family
Public Key Infrastructure Symantec Identity Protection Fraud Detection Service
Rules Eng. Behavior Eng.
RISK SCORE
PKI service issues certificates Shared cloud-based two-factor
for strong authentication, authentication solution offering Risk-Based authentication and
encryption and digital signing multiple token choices software-based fraud detection
Government Enterprise
eCommerce Financial Services

10. Symantec Solutions for Authentication
OTP Card
SMS and Voice
Browser
Toolbar
OTP Tokens Mobile OTP
OTP
USB PKI Tokens
Smartcards
Strong
Authentication
Digital (User and Site)
Certificates SSL Cert
Secure Seal
VIP Fraud Detection Service
VeriSign® Identity Protection Network
(fraud intelligence and shared authentication)

11. What PKI Enables…
• Prevent unauthorized access
Strong through enhanced authentication
Authentication
• Primary integration points: Web applications,
remote access, desktop logon, and wireless
• Provides data integrity and enable non-
Digital
repudiation for electronic transactions
Signatures • Primary integration points: Email, Adobe,
and custom applications
• Protect sensitive information whether
data is in transit or at rest
Encryption
• Primary integration points: Email, disk,
file/folder, and databases

12. Managed PKI Services for the Public Sector
– Federal Shared Service Provider PKI Enables Federal agencies
to comply with HSPD-12. VeriSign SSP PKI services and Card
Management System are certified and on the GSA FIPS-201
Approved Products List (APL)
– Non-Federal Shared Service Provider PKI Enterprise PKI for
any organization needing interoperability with the Federal
government. Provides interoperability with the Federal PKI at
multiple assurance levels through cross-certification with the
Federal Bridge Certification Authority (FBCA).
– ECA Certificates Enable organizations, contractors and
individuals to securely communicate with Federal, state and
local government agencies.

13. Non-Federal SSP PKI Customers
U.S. Government
– U.S. Nuclear Regulatory Commission
– U.S. Senate
– Dept of State (Millennium Challenge Corporation)
State Government
– State of Kansas
– State of Colorado
– State of California (CA Prison Healthcare Systems)
– State of Virginia (Fairfax County Government)
Universities
– University of Houston
Government Contractors
– Booz Allen & Hamilton -General Dynamics
– Noblis (Mitretek) -Dyncorp

14. Symantec Validation and ID Protection
User with Enterprise VIP Authentication
Symantec VIP Service
Token
Consumer Portal,
Business Partner
Extranet
Government Network

15. Symantec Authentication Solution Strategy
Directory/ Federal Bridge
Trusted Agency OCSP Certification Authority
Notary Agent RA Validation
Services
Federal/ Application Enabling
Non- Federal Services
SSP PKI
Identity -authentication gateway
Proofing
-credential verification
Services
Levels 2/3/4 -single sign-on (SSO)
VIP OTP
Credentialing
Services
VIP
Online KBA Existing Commercial Validation
Services Credential Proofing Service
Service

16. Symantec/Experian Two Factor Authentication Solution
Symantec
Experian Symantec OTP
OTP Token
Precise ID Authentication
(NIST 800-63-1 Level 3)
Service
User Online Government
Application
1. NIST Level 3 Remote Identity Proofing using Experian Precise ID.
2. Multiple form-factors for OTP tokens for multiple platforms.
3. Two-Factor Authentication with PIN, OTP and in-the-cloud validation service.

17. Summary
• The two primary user authentication technologies in use today are PKI and
OTP. Symantec delivers/supports both of these for government customers
via cloud services.
• While both PKI and OTP are used for e-authentication, only PKI can deliver a
full suite of security services including confidentiality, integrity and non-
repudiation.
• OTP solutions are more likely to be used for remote access and external
constituent access to government services because of their reduced cost and
complexity.
• NIST SP 800-63-1 Level 3 assurance is the target for most applications
involving personally identifiable information and/or valuable transactions.
• Experian and Symantec have collaborated to provide a suite of integrated
identity proofing and authentication services that supports NIST SP 800-63-1.
• In the future government agencies are expected to transition from being
providers of credentials to accepting identity credentials issued by external
identity providers.