DMV driving Virginia's next-gen identity system

Summary: The Commonwealth may well be proving that a national effort to build an identity layer for the internet has the tools it needs to meet the challenge.

The Virginia Department of Motor Vehicles (DMV) is crushing every cliché ever uttered about a DMV by quietly becoming one of the most cutting-edge and strategic government agencies in the state, and perhaps the country.

The DMV has entered the implementation stage of a multi-year identity management plan that starts with sharing authentication data across agencies so that citizens can log in once and access services across many agencies.

The system allows those users to gain qualifying attributes along the way, such as validation of enrollment, depending on the agencies they visit and the services they are seeking.

The goal is to improve service, reduce fraud, and save enough money to cover the cost of the improvements and more.

With the DMV, the Commonwealth is starting where a deep well of identity data has already been collected, vetted, and stored, including core attributes such as name, date of birth, social security number, and gender.

"We look at the data that is in the DMVs across all states," said Dave Burhop, deputy commissioner and CIO of the Virginia DMV. "It is really golden; a golden record. And it is those data attributes, which are really trusted in the physical credential [driver's license], that we want to use in the virtual world."

The plan centers around something called the Commonwealth Authentication Service (CAS). That is the anchor for providing identity attributes on an enterprise scale, and for supplying an ID service to other Commonwealth agencies so they can stop issuing credentials and instead focus on their services.

At its full implementation, CAS will offer credentials compliant with NIST Levels of Assurance 1 through 3 that are interoperable with Level 4. These industry-defined levels describe how the identity was registered, how the user authenticates, and whether the credential meets the needs of the website evaluating the authentication request.

Also, CAS will support the enterprise identity service, identity proofing, multifactor authentication, and identity binding.

The DMV's ID odyssey started about eight years ago with a whitepaper on the status of the state's identity and access management capabilities, and how single sign-on could benefit citizens dealing with the government.

But the business case wasn't crystal clear and the idea failed to win endorsements.

The idea was revived with the Federal Affordable Care Act in 2010, and then energized the next year with the introduction of the National Strategy for Trusted Identities in Cyberspace (NSTIC).

In fact, the Virginia DMV efforts are a focal point of a $1.6 million NSTIC grant given to the American Association of Motor Vehicle Administrators (AAMVA) in September 2012 to work on a pilot.

In addition, the program is targeted at gluing together state agencies, along with the Virginia Personal Identity Verification program for federal employees and contractors. And in alignment with the standards-based principles of NSTIC, the program will help support a trust framework with AAMVA, integration with other states via the State Identity and Credential Access Management (SICAM) architecture, and with agencies in Canada.

"We now have a business problem and a business case," said Burhop.

Today, citizens who get services from the Virginia Department of Social Services (DSS) can go through CAS to self-enroll and create accounts, a Level 1 credential. The DMV is currently installing identity vetting and binding capabilities that validate citizen IDs and the services available to those citizens, and allow bi-directional sharing of information (Level 2). The next move is to multi-factor authentication support for Level 3 credentials.

While DSS is the first online, other agencies will follow shortly.

"What we are doing is taking the burden of identity management off the agency's plate," said Michael Farnsworth, the CAS project manager. "[That burden] is someone having to understand the complexity of issuing, maintaining, and revoking a credential. This allows us to do everything in a more streamlined fashion."

Through the process, Farnsworth said that one focus has been on ensuring this project does not come off as a "Big Brother Syndrome".

"We built privacy in from the start," he said.

And, Farnsworth added, the benefit for the industry is that other governments or companies trying similar feats of single sign-on, cross-domain trust and integration are not alone.

"And the second thing is proving that it can actually be done," said Farnsworth. "We have had great success."

About

John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

Talkback

2 comments
  • This is Virginia we're talking about

    That they rely on defense contractors for their systems means that whatever they come up with will be expensive crap. Take the DMV CSI Systems thingy: it started back around 2007 with defense contractor SAIC, and then another big defense contractor, Accenture, took over in 2010, but was then fired from the project the next year in 2011. The state then took the project in-house. So basically the odds of this being anything more than some already obsolete, grossly overpriced, kludgy mess is somewhere between nada and squat. Also, Virginia is one of the states that passed a Voter ID law in the face of zero evidence to justify it, so we're not exactly dealing with the brightest state in the land.
    JustCallMeBC
  • Whole system login ain't new

    Bank of America already has something like this. A customer can log in and check any account in any division or subsidiary of that bank. It's been there for several years and it works great. And its alert system will send a message (email and/or text) if anything changes or when certain types of activity occur.
    320vu50@...