Anil John
Making Digital Services Secure and Trustworthy

Dear Maryland, Will You Be Wasting My Tax Dollars on Passwords?

Dear State of Maryland,

I am a resident of the great state of Maryland and have some questions regarding the present and the future of the online services you provide to me.

Let us start with the big one, shall we? I was interested to note that Maryland is one of the states that have taken the bull by the horns and are planning to offer a State-based Health Insurance Exchange as part of the implementation of the Affordable Care Act. I appreciate that we are leaning forward on this to meet the unique needs of Maryland residents.

As you note on the MHBE FAQ, open enrollment will start in October 2013 and you estimate that as many as 150,000 individuals are expected to enroll this year. Also noted is that the number will increase to approximately 275,000 by 2020. Since I will be one of the people using the exchange, I have some questions:

  • Are you planning on issuing me a credential (e.g. another userid and password) to access the site?
  • Given that I will need a credential with an Identity Assurance greater than Level 1 (at least 2, possibly 3), how are you planning on identity proofing me?

If you are planning on offering me a userid and password, have you taken a look at the current state of the art on how easy it is to crack passwords and what the total cost of ownership of managing passwords is? I would especially urge you to look at the cost of a single password reset ($51 - $147 for labor alone). You are not an e-commerce or social site with regular visits, but a site someone comes to once a year. You WILL incur this cost, and since sooner or later (after the grants run out) my tax dollars will be used for this purpose, I have a vested interest in lowering that cost!

While we are on the topic of online services, I love the fact that Maryland has so many online services available to its residents. But how many of them are also using some sort of a password management function and incurring the corresponding costs? Should not the State have a plan and a strategy to use some sort of shared service infrastructure to lower the cost of identity management to itself, and improve the user experience for its residents?

May I offer a concrete suggestion on how to address this issue?

A recent, and extremely pleasant, online experience I had in interacting with the State was in renewing my driver's licence online at the Maryland MVA. My compliments to the team that built the business case for that service, and put it into production.

What I found interesting about the experience is that you already have the ability to associate a PIN in the system for me. Similar to a Bank ATM Card, you now have the ability to leverage the combination of (State+DL# and PIN) as a credential for accessing State based online services. I would recommend making some tweaks to the process (that, BTW, do not impact the in-person MVA wait times):

On the identity assurance side, take a look at the Enhanced Drivers Licence (EDL) Identity Proofing Requirements. Offer the EDL as an option to residents as it potentially solves two issues for you:

  • It allows you to leverage a minimum standard for identity proofing that can be leveraged across State online services (and potentially beyond)
  • By making the EDL an option, and charging an incremental fee for it, you will cover your costs and offer a voluntary benefit to residents

It also gives people like me, who have family in Canada, the ability to use the EDL at border crossings. The combination of the border crossing benefit and online usage is extremely attractive and is something for which I would be willing to pay an incremental amount beyond the normal Driver's Licence fee.

If you have any questions, please contact me. While I have a certain professional familiarity with these types of systems, I am NOT a consultant looking to make work for myself. I am, however, a MD resident with an interest in public sector online services. As such, I would be more than happy to discuss further if you are serious about moving out in this direction.

Sincerely,

Anil John, A proud resident of Maryland


This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.
