GCN : January 2013
A team led by Criterion Systems, ID Dataweb and Google will be launching four pilots with participants including the Homeland Security Department, with an eye toward rolling out a commercial, open-source ID verification network in the coming year.

"Our pilot is predominately testing a business model," said David Coxe, cofounder of Criterion and CEO of ID Dataweb. The technology already is in place; the pilot will tie it together for commercialization.

The ID Dataweb Attribute Exchange Network leverages existing online relationships between end users and organizations, providing a gateway that will allow multiple relying parties to verify a user's identity by referring to the authoritative sources. Attributes used to verify an identity could range from a name, birthday or phone number, to Social Security Number, biometric identifiers and digital credentials from government CAC and PIV cards.

The program began when Google hired Criterion and ID Dataweb to design open source software to support cloud-based Web services based on emerging standards including OAuth, OpenID and SAML, and to build out a network of endpoints using the software. The result was the Attribute Exchange Network.

Relying parties will sign up to use the network, and providers of verification will register to provide services. Relying parties decide what identity attributes must be verified for authentication. Verification is returned without exposing the data it is based on.

Google's target was to build out a system that would support 100 million users. The NSTIC grant will fund four 50,000-user pilot programs in the retail, financial services and government sectors that will use the Attribute Exchange Network to verify open ID credentials.
The pilots will be:
• A first responder ecosystem for DHS
• A consortium of broker-dealers for Broadridge Financial Solutions
• eBay
• General Electric

The first 50,000 users opting to use open ID credentials for these accounts will go into the pilot program. Authentication could include multiple factors, such as a phone number verified through billing records, so that a one-time PIN for access could be sent to that phone.

Participants in the Criterion pilots include ID Dataweb, AOL Corp., LexisNexis, Risk Solutions, Experian, Ping Identity Corp., CA Technologies, PacificEast, Wave Systems Corp., Internet2 Consortium/InCommon Federation, and Fixmo Inc.

Daon Solutions will lead five pilot programs with partners to expand the use of the IdentityX authentication platform, which uses mobile devices to provide risk-based authentication.

"Phones are not considered high security hardware tokens," said Catherine Tilton, Daon's NSTIC program manager. But using mobile devices such as phones and tablets to deliver multi-factor authentication could raise the level of assurance and enable transactions requiring higher levels of trust.

At the lowest levels of trust, a software certificate loaded on a mobile device could be used with a password or PIN to authenticate the user. When higher levels are required, additional challenges could be added such as voice or facial biometrics, geo-location data gathered from the device, and the use of the device to deliver a one-time password. "It is the relying party that maps the transaction to the authentication factors," Tilton said.

Because the phone is an untrusted platform it is used only for collection and delivery of data, and authentication takes place on the IdentityX server, hosted by the relying party.
When the user initiates a transaction the application sends the authentication request to the server, which sends the appropriate challenge to the mobile device over a secure channel using the Transport Layer Security protocol. The device sends the requested information to the server, and if it is verified the user is authenticated for the application.

The technology now is being used in small, single-user pilots, Tilton said. The NSTIC grant will allow its expansion to larger programs, the first of which is expected to begin in May.

Participating in the pilots as relying parties are the American Association of Retired Persons, PayPal, Purdue University, the American Association of Airport Executives, and a major bank. Purdue will play a dual role, both as a relying party in a pilot and providing research for the project on usability, accessibility, privacy, performance, and user acceptance, both in laboratory and real-world environments.

Resilient will be working with 17 partners to conduct two pilot programs enabling remote access to health care information and educational resources. Authentication for access will be over a Trust Network that uses cryptography to hide personally identifiable information and neutral brokers to access and verify it.

"We assume there is a lack of trust,"

Project Goal: Multi-factor mobile authentication
Project Manager: Daon Solutions
Grant: $1,821,520

Project Goal: Data encryption with broker verification
Project Manager: Resilient
Grant: $1,999,371

Project Goal: Commercial, open-source ID verification network
Project Manager: Criterion Systems
Grant: $1,977,732
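The server-side flow described for the Daon pilots (the relying party maps each transaction to factors, the server issues the challenge, and every check runs on the server rather than on the phone) can be sketched as follows. This is an added example, not Daon's or IdentityX code; the policy table, class and function names are hypothetical, and an HMAC over a server nonce stands in for a signature made with the device's software certificate.

```python
import hashlib, hmac, secrets, time

# Constructed relying-party policy: transaction -> factors the device must return.
POLICY = {
    "view_statement": ("device_key", "pin"),
    "change_payee": ("device_key", "pin", "otp"),
}

def pin_hash(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def device_proof(device_key, nonce):
    # HMAC over the server nonce stands in for a signature made with the
    # software certificate's key (a simplification to stay stdlib-only).
    return hmac.new(device_key, nonce, hashlib.sha256).hexdigest()

def same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare

class AuthServer:
    """Hypothetical server: the device only collects data, every check runs here."""
    def __init__(self, ttl=120):
        self.users, self.pending, self.ttl = {}, {}, ttl

    def enroll(self, user, pin):
        salt, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self.users[user] = {"salt": salt, "pin": pin_hash(pin, salt), "key": key}
        return key  # provisioned to the user's device

    def start(self, user, transaction, now=None):
        """Issue a challenge; the return value models what is sent to the device."""
        factors = POLICY[transaction]
        otp = f"{secrets.randbelow(10**6):06d}" if "otp" in factors else None
        cid, nonce = secrets.token_urlsafe(16), secrets.token_bytes(16)
        expires = (time.time() if now is None else now) + self.ttl
        self.pending[cid] = dict(user=user, factors=factors, nonce=nonce, otp=otp, expires=expires)
        return cid, factors, nonce, otp

    def verify(self, cid, response, now=None):
        """Check every required factor; the challenge is consumed on first use."""
        ch = self.pending.pop(cid, None)  # a replayed id finds nothing
        rec = self.users.get(ch["user"]) if ch else None
        if rec is None or (time.time() if now is None else now) > ch["expires"]:
            return False
        checks = {
            "device_key": lambda v: same(v, device_proof(rec["key"], ch["nonce"])),
            "pin": lambda v: hmac.compare_digest(pin_hash(v, rec["salt"]), rec["pin"]),
            "otp": lambda v: same(v, ch["otp"]),
        }
        return all(f in response and checks[f](response[f]) for f in ch["factors"])
```

Response values are assumed to be strings. A response that satisfies the lower-trust policy is rejected for `change_payee` because the one-time password is missing, and a challenge id cannot be reused after one verification attempt.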