Desired SSA shift to more online service delivery may require changes in policy or new technologies for identity proofing and authentication

The Social Security Administration (SSA), citing an increased volume of claims and requests for its services, is evaluating ways to conduct more of its transactions online. Before making such a move, SSA first needs to establish the capability to remotely verify the identities of individuals requesting SSA services, something it lacks the technical ability to do now. In addition to finding and implementing appropriate enabling technology, SSA and other government agencies are constrained to some extent by their own policies and by their determinations of the significance of the transactions in question and the sensitivity of the data involved in those transactions. Federal agencies are obligated to assess the authentication requirements of all online transactional systems that offer remote access, as instructed in a memorandum issued by OMB in 2004 under authority of the Government Paperwork Elimination Act (GPEA) and the E-Government Act of 2002. The relevant provisions in these laws actually address the use and legal equivalence of electronic signatures, but a key prerequisite for accepting electronic signatures is verifying the identity of the signer, so subsequent guidance to agencies focused on ways to initially prove the identity of, and then authenticate, remote users of government information systems. Agencies were further instructed to conduct an “e-authentication assessment” for their information systems, rating them according to a four-level scale introduced in the OMB memo and described in detail in NIST Special Publication 800-63, Electronic Authentication Guideline.

As you move up the e-authentication assurance levels from 1 (little or no confidence in the validity of the identity asserted by a remote user) to 4 (very high confidence), the requirements become stricter both for initial identity proofing and for the strength of the credentials the user presents for authentication. At e-authentication level 4, there is no provision for remote identity proofing, as level 4 requires that identity proofing be done in person. A transaction assessed at e-authentication level 4 is therefore not feasible for fully online operation. This is precisely the situation that SSA finds itself in now, as some of its most sensitive (and frequently requested) transactions, such as the replacement of a Social Security card, currently require the presentation of physical, hard-copy documentation to prove identity. To try to overcome some of these constraints, SSA is experimenting with using video technology as an alternative to physical presence in a Social Security office (although remotely conducted services using video would still require the individual to appear in a government location such as administrative courts), but the need to inspect hard copies of documents provided as proof of identity is likely to be harder to overcome. This situation could be improved to some degree by advances in technology associated with government-issued credentials now accepted as proof of identity, such as driver’s licenses and passports, although many legitimate concerns about fraud, identity theft, and impersonation persist even with smart cards and other mechanisms used in some contexts to bind authentication credentials to identity.