Last fall, the National Institute of Standards and Technology (NIST) gave identity solutions provider MorphoTrust a pilot grant to create an electronic identification (eID) for citizens in North Carolina to be able to use for online transactions that would normally have to be conducted in-person at a state office. Over the next two years, MorphoTrust along with the North Carolina Departments of Transportation and Health and Human Services and their partners will receive $1.47 million to test the security, viability and interoperability of this new electronic credential.
According to Mark DiFraia, senior director, solutions strategy at MorphoTrust, the goal of the program is to essentially replicate the trust people have in drivers’ licenses as being a valid form of ID in an in-person setting and translating that to the online world.
“When we go anywhere as citizens of the U.S. to do business and we want to do an in-person transaction, we need to prove who we are. We typically provide our driver’s license and the person will take it from us, take a look at it and have some comfort level that it is a real, authentic document by the way it looks and feels and then they will look at the picture, compare it to us and come to a degree of comfort that you are who you claim to be and allow you to do about any transaction you want to do,” said DiFraia. “We lack that on the internet, so what we’re trying to do here in this project is bring that same trust along. We are creating an eID based on the trust of the driver’s license and in that process; we are linking the person all the way back to their DMV record when they applied for a driver’s license.”
To accomplish this, DiFraia said that that there are two main steps in the process of creating an eID: first, after an app is downloaded onto a mobile device, the user will scan the front and back of their state issued driver’s license using the camera on the phone, which will not only authenticate that the license is real but also extract data from the barcode on the back. Secondly, the user will be walked through, step-by-step, how to take their own photo. That packet of information will be subsequently delivered through MorphoTrust’s service back to the state DOT where it will be compared to the driver record on file.
“The combination of matching the demographic information and the photo to the one on file is creating a very real link between the individual using a mobile device and the record that DOT knows and trusts,” explained DiFraia. “When that match is successful, we will enable that electronic ID contained within the mobile device to be used for login purposes online.”
When the eID is successfully implemented, North Carolina residents who need to apply for food stamp benefits would be able to complete an application online, thus eliminating an in-person visit because they will be able to prove who they are with a degree of trust that wasn’t available previously.
DiFraia emphasized that this project will not consist of operating a big, online data warehouse where everyone’s personal information will be a stored in a “honeypot” for hackers. Rather, this information will remain in the user’s mobile device under their control.
“That way, no one is sending information about themselves around unless the user authenticates that it is appropriate to do so,” said DiFraia. “Basically, the user is in complete control at all times. The eID never gets used, can’t be searched, interrogated or otherwise used unless the user actually chooses to do so.”
In addition, DiFraia said that people have become increasingly aware that usernames and passwords are an antiquated and vulnerable form of authentication and are much more willing to use biometric identifiers today than they were in years past.
“Our solution does not rely on usernames and passwords, instead it relies on the use of the mobile device and the scanning of QR codes that are presented by participating websites or portals to enable the passing of relevant information between the mobile device and the site to authenticate the user,” he said. “We are embracing the notion of getting away from using usernames and passwords and we’re giving people more control. This is going to be a great example of how someone can use their photo biometric to protect themselves. We like to say if you are worried about data breaches and the unapproved movement of data that biometrics should be your best friend. Our app is going to be locked and it only can be unlocked when the user successfully matches their own self-photo with their mobile phone, so they can’t even open this app unless they pass that photo matching test.”
If successful, DiFraia said this pilot project is going to solve a “real world problem” for the Department of Health and Human Services in North Carolina, which could lead to the expansion of eID programs for other agencies and states throughout the U.S. Eventually, the use of eID could be expanded beyond government applications to the commercial market.
“It is the vision of our solution to do exactly that. We are starting in some very specific government use cases where residents will be applying for some level of state benefits, but there is nothing that would restrict it from being used in a commercial setting,” he said. “In our pilot, we are actually going to prove that we can interoperate with two specific commercial entities: miiCard, which today offers an electronic ID in their service, and they are going to interoperate and link with us to prove that linking to MorphoTrust eID can elevate the level of trust of an existing miiCard account. The other interoperability we’re going to prove is with a company called Toopher, which operates an authentication service. Our link there is going to demonstrate that the user can choose the authentication tool of their choice.”
