Dear Maryland, Will You Be Wasting My Tax Dollars on Passwords?

Dear State of Maryland,

I am a resident of the great state of Maryland and have some questions regarding the present and the future of the online services you provide to me.

Let us start with the big one, shall we? I was interested to note that Maryland is one of the states that have taken the bull by the horns and are planning to offer a State-based Health Insurance Exchange as part of the implementation of the Affordable Care Act. I appreciate that we are leaning forward on this to meet the unique needs of Maryland residents.

As you note on the MHBE FAQ, open enrollment will start in October 2013 and you estimate that as many as 150,000 individuals are expected to enroll this year. Also noted is that the number will increase to approximately 275,000 by 2020. Since I will be one of the people using the exchange, I have some questions:

• Are you planning on issuing me a credential (e.g. another userid and password) to access the site?
• Given that I will need a credential with an Identity Assurance greater than Level 1 (at least 2, possibly 3), how are you planning on identity proofing me?

If you are planning on offering me a userid and password, have you taken a look at the current state of the art on how easy it is to crack passwords and what the total cost of ownership of managing passwords is? I would especially urge you to look at the cost of a single password reset ($51 - $147 for labor alone). You are not an e-commerce or social site with regular visits, but a site someone comes to once a year. You WILL incur this cost, and since sooner or later (after the grants run out) my tax dollars will be used for this purpose, I have a vested interest in lowering that cost!

While we are on the topic of online services, I love the fact that Maryland has so many online services available to its residents. But how many of them are also using some sort of a password management function and incurring the corresponding costs? Should not the State have a plan and a strategy to use some sort of shared service infrastructure to lower the cost of identity management to itself, and improve the user experience for its residents?

May I offer a concrete suggestion on how to address this issue?

A recent, and extremely pleasant, online experience I had in interacting with the State was in renewing my driver's licence online at the Maryland MVA. My complements to the team that built the business case for that service, and put it into production.

What I found interesting about the experience is that you already have the ability to associate a PIN in the system for me. Similar to a Bank ATM Card, you now have the ability to leverage the combination of (State+DL# and PIN) as a credential for accessing State based online services. I would recommend making some tweaks to the process (that, BTW, does not impact the in-person MVA wait times):

• Build a business case for a MD State Resident Identity Provider that leverages the MVA system, and offer that as a shared service to all state online service providers
• Increase the PIN length to 6 digits and randomly generate it in the system. This allows you to increase the Token Assurance to Level 2
• If, with a resident's permission, you collect a SMS capable phone number, securely associate it with the MVA record, and implement the capability to send a SMS message as a second factor during authentication, the combination of the random 6 digit PIN (something you know) and the SMS message to the phone (something you have) will get you to a Token Assurance Level of 3

On the identity assurance side, take a look at the Enhanced Drivers Licence (EDL) Identity Proofing Requirements. Offer the EDL as an option to residents as it potentially solves two issues for you:

• It allows you to leverage a minimum standard for identity proofing that can be leveraged across State online services (and potentially beyond)
• By making the EDL an option, and charging an incremental fee for it, you will cover your costs and offer a voluntary benefit to residents

It also gives people like me, who have family in Canada, the ability to use the EDL at border crossings. The combination of the border crossing benefit and online usage is extremely attractive and is something for which I would be willing to pay an incremental amount beyond the normal Driver's Licence fee.

If you have any questions, please contact me. While I have a certain professional familiarity with these types of systems, I am NOT a consultant looking to make work for myself. I am, however, a MD resident with an interest in public sector online services. As such, I would be more than happy to discuss further if you are serious about moving out in this direction.

Sincerely,

Anil John, A proud resident of Maryland

RELATED INFO

• Maryland Health Benefit Exchange (MHBE)
• MHBE FAQ
• Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”
• The Password Problem: An Infographic View
• Maryland Online Services Directory
• Maryland Motor Vehicle Administration
• NIST SP-800-63-1 Multi-Token Assurance Level Matrix
• What is the Value of an Assertion of Identity at LOA 1?