We live in a world where individuals are empowered to make a variety of transactions from the palm of their hands. Sadly, this same world is where those transactions are tested every day with billions of dollars in losses due in large part to the challenges of proving online identity.
The lack of a widely adopted easy, secure, reliable way for entities to verify identities or attributes of people they are dealing with online creates friction in commerce, leads to increased fraud and theft, degrades privacy, and hinders the availability of many services online. While the market has responded with an array of products that aim to address the identity challenge for specific use cases, the tools available are uneven in terms of accuracy and reliability, don’t work well for everyone, and are increasingly coming under attack.
More than $56 billion was stolen as a result of identity fraud in 2020 - an increase of 333% over 2017 numbers. State governments were heavily targeted in attacks to steal pandemic relief dollars; the Federal Trade Commission (FTC) reported a 2,920% increase in identity theft tied to government benefits. And the private sector was hammered as well; the Identity Theft Resource Center reported that data breaches grew 23% from 2020 to 2021, with breaches impacting more than 293 million people.
While the statistics may paint a bleak picture, there is good news: State governments are perfectly positioned to lead the way in solving these problems! Our recommendations do not purport to solve every challenge in the identity space. Rather, we have focused on a handful of common-sense initiatives that are practical for states to implement and will be meaningful in their impact; the State Policy Blueprint we put forth is squarely focused on making identity systems work better.
Our Blueprint for State Policymakers contains six key initiatives:
- Place the Department of Motor Vehicles (DMV) at the center of state digital identity solutions. Adversaries have caught up with the systems America has used for remote identity proofing and verification. The DMV – as the one government entity where nearly every adult goes through a robust, in-person identity verification process – is ideally positioned to address this problem. States should modernize legacy identity systems and embrace new privacy-protecting mobile Driver’s License (mDL) solutions that empower residents to protect themselves from identity theft in the digital world.
- Establish attribute validation services at vital records bureaus to support next-generation, consumer-centric remote identity proofing and verification systems. Next to DMVs, vital records bureaus are the most important agencies in the state identity ecosystem. In their role of issuing birth certificates, marriage certificates, and death certificates, vital records bureaus are on the front line of identity, and often have critical information that can be used to validate foundational identity information.
- Embrace identity innovation for better services. States need to embrace new technologies to enable a broader array of services for constituents. Specifically, states should pass Remote Online Notarization (RON) laws that would enable a secure, standard approach to virtual notarization services. Additionally, states can complement mDL and other government-based attribute validation services with commercial identity tools that are certified as meeting rigorous NIST standards.
- Make sure identity works for everybody. While state DMVs are the logical starting point for most residents, they don’t work for everybody. Roughly ten percent of adults do not have a driver’s license or state ID, and in many cases, people lack critical identity documents like birth certificates and Social Security cards needed to get one. This particularly impacts the elderly, the poor, as well as survivors of domestic violence and those reentering society after time in prison. As states invest in new digital identity tools, they should also invest in services to ensure that their most vulnerable residents are not left behind.
- Promote and prioritize the use of strong authentication. Passwords continue to provide the attack vector in the majority of breaches and cyber incidents, and some legacy tools used for multi-factor authentication (MFA) are coming under attack as well. State governments should adopt strong phishing-resistant authentication as well as the use of electronic signatures, and update legacy policies that create barriers to the adoption of strong authentication solutions.
- Do no harm. Some states have passed security and privacy legislation that has inadvertently precluded use of some identity security technologies, or mandated non-standard approaches to identity verification or authentication that put government, business, and residents at risk. In many cases, these have been driven by sincere efforts to protect residents but have ended up creating risks that are far greater than the things legislators intended to guard against. States should leverage digital identity standards published by the National Institute of Standards and Technology (NIST), which typically align with the International Standards Organization (ISO), rather than create requirements for new, one-off approaches, and should consult with security and identity experts when crafting new policies to ensure they do not inadvertently create new mandates that make things worse.
The State Policy Blueprint builds off what we put forward in 2018 with the action plan for the Federal government to take to improve identity in America. This paper is intended to serve as a companion piece to that Blueprint – focused on the vital role that states play.
Publishing the blueprint is just the first step. Now the hard work begins of communicating and coordinating with states to help them understand the initiatives and begin rolling out new projects. We look forward to working with all stakeholders to move digital identity forward and make identity better in the U.S.