Forgot your password?
typodupeerror
United States Government Security Your Rights Online

US Gov't To Issue Secure Online IDs 205

Posted by Soulskill
from the you-can-trust-us dept.
Hugh Pickens DOT Com writes "Tom Groenfeldt reports in Forbes that the U.S. Postal Service has awarded a contract to SecureKey to implement the Federal Cloud Credential Exchange (FCXX) designed to enable individuals to securely access online services at multiple federal agencies — such as health benefits, student loan information, and retirement benefit information — without the need to use a different password or other digital identification for each service. SecureKey already operates a trusted identity service in Canada using identification keys provided by one of five participating Canadian banks. It allows Canadians to connect with 120 government programs online with no additional user names or passwords for everything from benefits queries to fishing licenses. The SecureKey program is designed to connect identity providers — such as banks, governments, healthcare organizations, and others — with consumers' favorite online services though a cloud-based broker service. The platform allows identity providers and online services to integrate once, reducing the integration and business complexity otherwise incurred in establishing many-to-many relationships."
This discussion has been archived. No new comments can be posted.

US Gov't To Issue Secure Online IDs

Comments Filter:
  • by mtrachtenberg (67780) on Wednesday August 21, 2013 @06:26PM (#44636701) Homepage

    The United States government has never had better timing! I'd sign up now, but I figure you guys have got it covered already, OK?

    • Re:Super Timing (Score:5, Insightful)

      by Jeremiah Cornelius (137) on Wednesday August 21, 2013 @06:29PM (#44636723) Homepage Journal

      Read as: "License to use the Internet".

      Pretty fucking clever. Soon, you won't be able to get a stock-quote or the latest XKCD without this thing - much less, send an email.

      • by lightknight (213164) on Wednesday August 21, 2013 @07:56PM (#44637555) Homepage

        It's cool, they're going to beta it with a key with a chip in it, but by the time the public uses it, it'll just be a barcode that they stamp on your forehead or right hand.

        Kind of looks like three sixes, but I'm sure that's just a coincidence.

        • We'll stamp a 1638 to your forehead if it comforts you in any way.

          Hey, we're flexible with our bases!

    • Re:Super Timing (Score:5, Insightful)

      by RelaxedTension (914174) on Wednesday August 21, 2013 @06:48PM (#44636905)
      The NSA wants to streamline it's work with a single foreign key...
      • Re: (Score:3, Funny)

        by Nrrqshrr (1879148)
        A single key for the Lord Obama, in the land of the NSA where the shadows lie. One Key to rule them all, one Key to find them. One Key to bring them all, and in the darkness bind them.
        • You should really make this using some kind of variable - Obama is not the first, nor the last, to want to wield this power. The Eye knows no mortal coil, but lusts for an eternity of reading your GMail and knowing what you Like.

    • This is horrible for many reasons: one login means easy access to all gov't sites to FUBAR someone's life, presents a juicy target for hackers, is "racist" (using Democrats own language about voting ID cards and how they discriminate vs poor), and with NAA buffoonery who wants to trust the US government to not use this for some nefarious reasons. It will start off with gov't sites then be mandated for all other sites akin to Facebook login. Not a fan...
  • I was all about this until I got to the Canada part, and then...oh well.
  • by rijrunner (263757) on Wednesday August 21, 2013 @06:32PM (#44636751)

    And the really wonderful thing is that they have already used your facebook password and profile as well as your google info to prefill in all your forms..

  • They already have access to the back end servers. No log in needed.

    But it won't make it harder for them either. Maybe they can bypass the FISA courts and those pesky opinions if they can just log into the accounts.

    • by AHuxley (892839)
      Re: bypass the FISA courts.
      Thats the idea of the 'cloud' vision - every system on the same network with an understanding of how to get the data out in realtime.
      Where the NSA seemed to have problems is the need for some legal domestic front cover e.g. FBI to be the name on their pipe.
      With a system like this, so many groups get legal data, the NSA will never have to wait, be dependant on one stream again.
      ie privacy will work both ways - nobody will really know who is getting the data 'out' just that the
  • by cosm (1072588) <thecosm3 AT gmail DOT com> on Wednesday August 21, 2013 @06:35PM (#44636787)
    How long until these become mandatory for all websites. Here's how I could see this going down:

    - First, all major government websites require usage of this.
    - As more and more brick-and-mortal government offices close, more and more people start using the id.
    - VISA, MasterCard, et al begin requiring these for all online banking.
    - Taxable web transactions somehow get tied by law to having to use these.
    - Soon, ISPs require you to log in with it periodically, (remember AOL internet 'sessions'?)
    - All utilities, bills and such paid online start requiring it.
    - Social networks require it for 'think of the children' safety.

    ...Tinfoil futures are a sure bet....we're losing the internet right in front of our faces.
    • by TheNarrator (200498) on Wednesday August 21, 2013 @06:54PM (#44636945)

      You just have to send your id in the bottom 64 bits of your ipv6 address to access the internet. Why make the address space so large unless you were going to stuff authentication credentials into every packet? Then they could easily just turn you off whenever necessary.

  • by PincushionMan (1312913) on Wednesday August 21, 2013 @06:35PM (#44636791)
    What a terrible acronym! How are we supposed to say FCXX anyway?

    So, I came up with a better one for them:
    Federal User Credential Keyfob (for Your Online Utopia)
    • Re: (Score:3, Funny)

      by Em Adespoton (792954)

      What a terrible acronym! How are we supposed to say FCXX anyway?

      So, I came up with a better one for them:

      Federal User Credential Keyfob (for Your Online Utopia)

      In Capitalist America, government FCXX you?

  • WTF are private organizations allowed to issue identities for? Government IDs may be a hassle, but they're the ones with the vested interest in keeping track of people. We don't permit Walmart to issue driver's licenses or passports. We already have a mess with the private CAs on the Internet. Do it once, do it right and keep a monopoly on it. IDs and currency are Government's job! If the Treasury had issued decent ecash, Bitcoin wouldn't have a market and Credit Card Companies wouldn't be adding their
  • Maybe it's just bad timing or bureaucratic paralysis or they're just trolling everyone but they have absolutely no credibility on this.

  • now the government can MORE EASILY track everything you do online!
    • by Xicor (2738029)
      i wont care about secure government ids until they start allowing online voting
      • ID may be required for everything except voting - for that it's racist.

        • by Xicor (2738029)
          how is that racist? it is a government id for all citizens? if you are now going to tell me that some races are too poor to have internet, im going to tell you that you are a racist...everyone in the country has access to internet in some form or fashion by now. you can go to a coffee shop and get free internet for gods sake
          • But those are exactly the arguments why voter id is racist. Just ask the Justice Department.

          • by Rockoon (1252108)

            if you are now going to tell me that some races are too poor to have internet, im going to tell you that you are a racist

            Lets ask the Democrats. [democrats.org] "Those without photo ID are disproportionately low-income, disabled, minority, young, and older voters."

            Would not the same argument exist for the internet, or is the internet a magical service that doesnt have disproportionate enrollment vs low-income, disabled, minority, young, and the elderly?

            • by Xicor (2738029)
              well, the internet voting would just be extra, it wouldnt be the only form of voting, at least until everyone has access to it.
              • by Rockoon (1252108)
                You already declared that everyone has access to the internet, but then again you dont put in any effort at all to be accurate when telling others how it is.
                • by Xicor (2738029)
                  well, they DO have access to internet, they just dont want to move out of certain areas to get it. there are libraries in pretty much every major city in the country
                  • by Rockoon (1252108)

                    well, they DO have access to internet, they just dont want to move out of certain areas to get it. there are libraries in pretty much every major city in the country

                    Ah, everyone has access to the internet.. as long as they are willing to move to a major city. Got it.

                    That uncomfortable feeling that you get when you continue to update this thread can be avoided right now by simply stopping. Future situations that will lead to this same uncomfortable feeling can be avoided by putting actual effort into saying accurate things.

      • I'm all for online voting!

        I always wanted to have a say in US politics!

  • by Tokolosh (1256448) on Wednesday August 21, 2013 @07:22PM (#44637241)

    This is how social security numbers started.

  • for virginity!

  • Yes. (Score:5, Insightful)

    by goodmanj (234846) on Wednesday August 21, 2013 @07:50PM (#44637527)

    Identity verification should be a core function of a national government. This can be done right: by creating an agency that does not aggregate data, and serves no other function than to confirm that you are who you say you are when you ask it to. With proper use of two-factor keys and public cryptography, this agency can make data aggregation very difficult: your bank would know you by a different ID# than your cell phone provider, and neither would need to know your name or social security number.

    It's true that a corrupt government can do identity verification very badly, turning it into a panopticon. But corporations don't have the longevity, security, or nationwide reach to be able to do the job well, and a corrupt government can simply force corporations to hand over identity data. So in the worst case scenario, identity verification by corporation is no better than by government. And having no centralized authority at all doesn't work either: the fragmentary system we use now is easy to aggregate, and its resistance to identity theft is only as strong as its weakest link -- which is typically very, very weak.

    With identity verification managed by government, we can at least use electoral pressure to hold the identity agency responsible for its actions, and fight corruption within it. If it's managed by anyone else, we have no control over it at all.

    • Whoa, whoa, whoa. Identity validation within reason. Remember, the core of this government is already outlined by its Constitution. Anything beyond what is needed to implement, to a reasonable degree, the services laid out therein, is going overboard. I.e. it's experiencing either a mid-life crisis ("Tell me I'm still pretty!") or it's experiencing some OCD ("This pencil tip could be sharper...let me get out my pencil sharpening toolkit").

      • by goodmanj (234846)

        the core of this government is already outlined by its Constitution

        I think ID verification is justified with the first line of the Constitution: "We, the people of the United States of America". Okay, so who exactly is "we"?

    • by rtb61 (674572)

      As long as it remains voluntary at alls levels. Any hint of compulsion and it's true corporate control of all individuals accessing the internet is exposed.

    • But corporations don't have the longevity, security, or nationwide reach to be able to do the job well...

      I am mostly with you, but I think someone needs to point out that:

      Corporations can and often do outlive humans.

      Corporations are often better at securing their own data than governments are theirs.

      Corporations not only have nationwide reach, many of them have an international reach.

      • by goodmanj (234846)

        Corporations can and often do outlive humans.

        True, but we'd like to maintain an identity from cradle to grave, so the longer living the better. The US Government, at least, is older than almost every corporation on the planet.

        Corporations are often better at securing their own data than governments are theirs.

        It's difficult to compare, because governments often have more valuable secrets. In cases where both government and corporations hold the same secrets (plans for military aircraft, for instance), sec

    • by AHuxley (892839)
      Think back to Australia over the past 30 years.
      http://en.wikipedia.org/wiki/Australian_Transaction_Reports_and_Analysis_Centre [wikipedia.org]
      Established in 1989 for realtime banking tracking. Every digital movement of cash (~A$10,000) was watched.
      http://en.wikipedia.org/wiki/100_point_check [wikipedia.org] again back to ~1988 for building a layers of documentary proof of identity for banking, pensions, later Subscriber Identity Modules (SIMS)...
      Reciprocal healthcare agreements between Australia and New Zealand.
      The problem I see in
    • The best you can ever really do with a piece of ID is verify that the person carrying it is the person you gave it to. That's not the same thing at all as confirmation that "you are who you say you are".

      People go on these kicks over ID thinking "if only we know who everyone is, nothing bad can happen, and we can trace it if it does". There will always be ways around the system where people can end up with multiple IDs, or where people's ID can be corrupted. Then you end up with good people with bad paper

      • by goodmanj (234846)

        The best you can ever really do with a piece of ID is verify that the person carrying it is the person you gave it to. That's not the same thing at all as confirmation that "you are who you say you are".

        This is getting a little existential, but I don't see the difference. The bank needs to verify that the person standing before them is the same as the person who deposited $500 yesterday, Visa needs to verify that the person buying these new shoes is the same as the person who's faithfully paid their bill e

        • This is getting a little existential, but I don't see the difference. The bank needs to verify that the person standing before them is the same as the person who deposited $500 yesterday, Visa needs to verify that the person buying these new shoes is the same as the person who's faithfully paid their bill every month. And when it comes down to it, that's *all* they need to know.

          Which is fine when it's just your bank trying to validate that you're the person that gave them the $500. They give you an ID, you show them the ID when you give them the money, then when you show them the ID again you get the money back. I prefer to have my bank supply the ID there.

          But the federal government has already been trying to go way beyond that with ID. HSPD-12 was a directive signed by Bush II to issue a common secure ID to all gov't employees and contractors. If you read it that's all it say

    • by istartedi (132515)

      Identity verification should be a core function of a national government

      No it shouldn't. Ideally, the government shouldn't even know who I am, although historically we've accepted that military-age men are on a register. If we decide that *anybody* is providing us a service, then I want those services to have their own ID systems. Why? Because if my Slashdot ID is compromised I look like an idiot on Slashdot. If the bank where I keep a small account for local bills is compromised, I have a hassle

      • by goodmanj (234846)

        If the bank where I keep a small account for local bills is compromised, I have a hassle with that account until it's sorted out.

        That's not what happens, though. More likely, the attackers clean out that account, then use the SS#, birthdate, mother's maiden name and address info the bank was storing to compromise your Gmail, your credit card, your mutual fund account, and worst of all your Slashdot ID. Then you spend $10,000 proving to each of these organization that you're really you. And the problems

        • then use the SS#, birthdate, mother's maiden name and address info the bank was storing to compromise your

          The federal government already lost control of that information, and more, for me and tens of thousands of others when a laptop (that should have never had that information on it) was stolen from a car in DC. I don't expect them to do a whole lot better with authentication keys.

          And what's included in that annoyingly thorough identity test at the post office? SSN, birthdate, mothers maiden name, last 3 addresses, etc. All the information that gets stolen already anyway-- so the TFA is a convenience, but i

    • Re:Yes. (Score:5, Interesting)

      by EmperorArthur (1113223) on Thursday August 22, 2013 @12:31AM (#44639633)

      Agreed. I would love it if my drivers license was a smart card. Provided that it's initialized properly so the private key never leaves the card. The corporation could then act as a gpg keyserver. If everyone had easy to use public key cryptography, I'd call that a win.

      For people who keep talking about all businesses requiring it, have you looked at how the US does SSN. For non US readers, every American citizen is assigned a number at birth, or trying to work, etc.... Congress practically shouted that this number was not to be used for anything else. Take a guess how well that worked out. Identity theft in the US basically boils down to knowing someones name and SSN. The problem is EVERYONE NEEDS YOUR SSN. Hell, a Social Security card can be used in conjunction with a drivers license to prove US citizenship. I kid you not, since most people in the US don't have passports that's what they use. The card just has a name and a number on it. It never expires. Hell, because it's normally issued at birth there isn't even a photo.

      Now, back on topic. There are quite a few ways for this electronic ID to go bad. The most obvious is if the government or corporation has copies of the private keys. If so, then the system is useless. Another is if the government logged every authentication request. That's pretty easy for them to do.

      • by goodmanj (234846)

        I agree with your list of ways this could go bad. The big challenge is keeping private keys and authentication logs out of the hands of the key agency, while still allowing the agency to revoke and replace your keys if you get mugged or forget your PIN. I think this is possible, but I'm no crypto expert.

        One thing I will say is that well-designed government agencies can have surprisingly effective legal firewalls. It's a lot easier for the cops to get your credit card statement than it is for them to get

      • by drinkypoo (153816)

        Electronic ID for use with government and only with government can reasonably be issued by government. For everything else, I'd rather generate my own key.

      • Identity theft in the US basically boils down to knowing someones name and SSN. The problem is EVERYONE NEEDS YOUR SSN. Hell, a Social Security card can be used in conjunction with a drivers license to prove US citizenship. I kid you not, since most people in the US don't have passports that's what they use.

        And fortunately everyone pretty has pretty much accepted that the SSN as ID is compromised and acts more or less accordingly. You need to at least go down to MacArthur Park and get a fake driver's license or green card in addition.

        I still laugh at people when they as for the SS card-- when I got mine decades ago it was a cheap piece of heavy paper, not difficult to forge even then, with a number and a place for my signature. It said explicitly on it something like "this is not identification". As you poi

  • ... any browser in BSD and Linux? Or will the government be forcing me to buy another computer since I want things to be secure?

  • Why can't the just tell us what the IDs that NSA already assigns us are?

  • Trying to go beyond the surrounding paranoia: I understand this to be a federated identity network, probably based on SAML. Is that right?
  • by karlandtanya (601084) on Wednesday August 21, 2013 @10:04PM (#44638731)

    http://www.gnu.org/philosophy/right-to-read.html [gnu.org]

    Once your extreme views become fact, you're no longer a crackpot.

  • In other news, HuffPo plans to ban anonymous posting, and phase in a requirement for a secure government-issued ID for all posters...
  • by Princeofcups (150855) <john@princeofcups.com> on Thursday August 22, 2013 @12:08AM (#44639519) Homepage

    So which major defense contractor has the multibillion dollar contract to implement this? I won't worry. It'll get over budget and behind schedule so fast (due to no actual work being done) that it will be axed before anywhere near completion.

  • I could not help but think....

    Three Master Keys for the Agencies under the Executive
    Seven for the Security Council in the Congress Hall
    Nine for the Justice supporting no warrants
    One for the President on his Dark Throne
    In the Land of States where Freedom dies
    One Key to Rule rule them all, One Key to silence them
    One Key to subject them all and in subjugation bind them
    In the Land of States where Freedom dies

If I have seen farther than others, it is because I was standing on the shoulders of giants. -- Isaac Newton

Working...