USDA eAuthentication

Currently, USDA eAuthentication offers eAuthentication Accounts with Level 1 Access and Accounts with Level 2 Access.

Level 1 Access is limited and does not allow you to conduct official electronic business transactions with the USDA via the internet.

An account with Level 2 Access provides the ability to conduct official electronic business transactions with the USDA via the Internet. You must have a valid email address to register for an account with Level 2 Access. You create a customer profile, a User ID and a password that you will remember, and respond to a confirmation email within seven (7) days. In addition, you must visit the nearest USDA Service Center in person and prove your identity with a current State Driver's License, State Photo ID, US Passport or US Military ID. Approximately one hour after your Level 2 Access has been activated by the USDA Service Center employee, you will have access to USDA applications and services that require an account with Level 2 Access.

On September 3, 2008, Larry Talley and Steve Holden had a teleconference with Owen Unangst of USDA. Owen explained that the USDA e-authentication program's "levels" are based on the OMB assurance levels published in NIST 800-63: Electronic Authentication Guideline. Owen explained that the impetus for USDA e-authentication came from the Freedom to E-File Act passed in 2002. Analysis at USDA at that time documented over 3,000 separate types of interaction with the public. Of those 3,000 interactions, it was concluded that only 135 required OMB level 3 access. Based on this analysis, USDA focused initial efforts on level 1 and level 2 access.

The characteristic features of USDA levels 1 and 2 are:

Level 1: No confidence in identity - Users register themselves with no proof or evidence to confirm their identity. Registration allows users to create customized "My.agency.gov" pages, and allows the agency to recognize repeat customers. The agency doesn't know who the customer is, but they can tell that "this is the same customer who was here yesterday". Owen reported that 20-25 of these 3,000 interactions require only level 1 access. These tend to be complex "lookups" where personalizing the page is a significant convenience to the customer.

Level 2: Significant confidence in the original identity proofing, somewhat less confidence in the custody of the credential - Applicants first register themselves for a level 1 credential. They then present government-issued photo ID to agency employees who have been trained in identification procedures. If the agency employee accepts the identification, then the customer's level 1 credential is changed to a level 2 credential. At this point there is strong confidence in the customer's identity. However, there are no controls to prevent the customer from revealing their username and password to a third party, so unique custody of the credentials cannot be guaranteed.

As of our conversation, USDA has 290 applications which subscribe to single-sign-on through their e-authentication system. These systems are distributed among the 29 line agencies within USDA. The e-authentication system has over 300,000 users, of which approximately 200,000 are citizens and 100,000 are USDA employees. The level 1 and level 2 credentials provide single-sign-on, business-level authorization through role-based access control, and e-signature. Owen reported that in the previous month there had been 1.7 million logins and 77 million authorizations. He further noted that customers responded positively to the single-sign-on and e-signature capabilities. They do get some complaints that help desk service is not fast enough, particularly for password recovery assistance.

Owen also noted that some of the 135 interactions that were initially presumed to require level 3 access may actually be satisfied with level 2 e-authentication because they have mitigating controls elsewhere in the business process. An example given was commodity payments to farmers. In the case of these commodity payments, the relationship with the farmer is an ongoing relationship. The relationship of the farmer to the land and to a bank account has already been established through presentation of deeds checked against county land ownership records, and similar confirmation of banking information. In this case the e-authentication and e-signature involved in a transaction to claim a commodity payment does not expose the agency to significant risk because these other mitigating controls severely constrain the types of mistakes or fraud that could be achieved through the electronic transaction.

The USDA Rural Housing Authority is also considering using e-authentication to protect online statements, and they may consider different identity proofing mechanisms because the loan application process has already "identity-proofed" the borrower above and beyond examination of a photo ID.

Owen noted that they have 2,500 offices that have employees trained in identification procedures. The costs of these employees are borne by the line offices, but the cost of the identification training is borne by the e-authentication program. The employees who do identification are employees who would be present in these offices anyway, and with the e-authentication program covering the cost of the additional training, the line offices do not appear to resent the additional workload.

The cost of the e-authentication program is approximately 4.9 million per year and these costs have been stable over the prior three years. These costs are pro-rated back to the line agencies using a formula which apportions by the product of agency head-count and number of e-authentication-enabled applications. For example, the Forest Service has approximately 40% of the USDA headcount, and 10% of the e-authentication-enabled applications, so the Forest Service pays approximately 4% of the e-authentication operating costs.

Owen also mentioned that Department of the Interior has some applications using the USDA e-authentication system, and that the National Science Foundation has an e-authentication system with considerable customer acceptance.

Owen noted that the e-signature process does include some form of signing ceremony and that Document Binding, Integrity, and Audit Trails are accomplished with standard database practices.