A year after outcry, IRS still doesn’t offer taxpayers alternative to ID.me

The agency sparked controversy over its decision to deploy facial recognition technology from the company to vet taxpayers’ identity.

The post A year after outcry, IRS still doesn’t offer taxpayers alternative to ID.me appeared first on CyberScoop.

Navigating the path to passwordless authentication

Not all paths to passwordless authentication are equal, but adopting an integrated approach can better prepare enterprises for a passwordless future.

The post Navigating the path to passwordless authentication appeared first on CyberScoop.

Identity Authentication, David Harding – Enterprise Security Weekly #145

David Harding is the SVP & Chief Technology Officer at ImageWare Systems, Inc. Identity authentication is more important now than at any other time in history. Today’s methods such as 2-factor authentication are falling short and are not as s…

Mastercard and Microsoft say they’re developing a universal identity management solution

Identity management is one of the most cumbersome issues in information security today. How should organizations verify that people using a banking, e-commerce or other digital service are who they say they are? Mastercard and Microsoft are banding together to try to find a universal solution, the two companies announced Monday. Current identity management schemes are onerous for end users, Microsoft and Mastercard say. Organizations and individuals have to rely on things like a Social Security number, proof of address, a username and password or something else. “We believe that there is a huge need for a universally-recognized digital identity service that puts the individual in control. Right now, proving one’s identity online places a huge burden on individuals,” Charles Walton, Mastercard’s senior vice president of digital identity products, told CyberScoop in an email. “People have to successfully remember hundreds of passwords for various identities and are increasingly being subjected […]

The post Mastercard and Microsoft say they’re developing a universal identity management solution appeared first on Cyberscoop.

Security controls that verify users and devices protect agencies from insider threats

Zero-trust security models are helping large organizations to protect against malicious users, including those who have already infiltrated their networks, a new report says. Government agencies will benefit from stricter security controls if they shift to a zero-trust approach, according to experts from Duo Security. Zero trust assumes from the outset that all users and data traffic are operating in an open and unsecured environment. The focus on security then shifts to giving authorized users access to designated applications and data based on their identity and to devices based on their level of trustworthiness. “Achieving Zero-Trust Security in Federal Agencies” breaks down the methods to build zero-trust practices, including continuous authentication, device assessment, user controls and application access. Continuous authentication is a user-specific approach that doesn’t rely on privacy-protected information. The security environment protects from threats by taking note of typical behaviors and then denying access when it senses off-pattern […]

The post Security controls that verify users and devices protect agencies from insider threats appeared first on Cyberscoop.

NIST releases updated cybersecurity framework

The National Institute of Standards and Technology on Monday released a much-anticipated update to its Cybersecurity Framework, which provides organizations with guidelines for implementing cybersecurity practices. Updates in Version 1.1 include refreshed guidelines on authentication and identity; cyber risk self-assessments; managing supply chain cybersecurity; and vulnerability disclosure. “This update refines, clarifies and enhances Version 1.0,” said Matt Barrett, program manager for the framework, in the release. “It is still flexible to meet an individual organization’s business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things.” President Donald Trump issued an executive order in May 2017 directing all federal agencies to use the Cybersecurity Framework, including future versions, to manage cybersecurity risk. Beyond that, the framework also serves as a reference point for the private sector. “First, business leaders and policymakers view the Framework as a pillar for managing enterprise […]

The post NIST releases updated cybersecurity framework appeared first on Cyberscoop.

White House seeks to tighten identity management in federal agencies

A new White House memo tasks agencies with clamping down on identity security by designating a team of officials from the offices of the chief information officer and chief security officer, among others, to tackle the issue. The Office of Management and Budget draft policy released Friday asks these officials to coordinate regularly to make sure federal Identity, Credential, and Access Management (ICAM) policies are consistently implemented. The proliferation of personal information through social media and data breaches makes verifying identities all the more important for agencies, OMB said. ICAM – a set of measures to prevent unauthorized access to sensitive information – is a staple of cybersecurity, and federal agencies have had to adapt to evolving identity scams from hackers. ICAM took on added importance in the U.S. government after the devastating 2015 Office of Personnel Management breach, in which hackers used compromised credentials to steal information on 22 million […]

The post White House seeks to tighten identity management in federal agencies appeared first on Cyberscoop.

Forget your fingerprint: New concept lets people pick their own two-factor token

Researchers at Florida International University have designed an app for Android phones that allows users to replace passwords with a photograph of an everyday object they own, like a watch, shoe or piece of jewelry. The app, known as Pixie, is a “proof-of-concept” that shows how two-factor identification — something more than just a password — can be implemented without special hardware or biometrics. It was described by the researchers in an article in the peer-reviewed journal of the Association of Computing Machinery. It works like this: The user takes a picture or pictures of some object they carry with them — the researchers call this object the “trinket.” These pictures form what’s called the reference image — the picture that the submitted image has to match for the user to successfully prove who they are. The user can then prove their identity and access an account by submitting another picture of the […]

The post Forget your fingerprint: New concept lets people pick their own two-factor token appeared first on Cyberscoop.

Some federal websites now allowing users to login via secure USB keys

For the first time, Americans will have the option to use a cryptographically secure USB keystick to protect their online accounts on federal government websites. Owners of online accounts protected by identity-proofing startup ID.me will be able to use keysticks conforming to the Universal Second Factor, or U2F, standard promulgated by the Fast IDentity Online, or FIDO Alliance, ID.me announced Tuesday. The option will be available to users alongside existing two-factor services, such as a code sent by SMS text message, or a call to a landline, the company said. It’s the first time U2F keysticks — considered a gold-standard protection against phishing and other forms of online identity theft — have been available to the users of federal online services. ID.me did not disclose the three federal agencies it said were buying the company’s identity proofing services — but it has in the past done very public work to provide veterans secure […]

The post Some federal websites now allowing users to login via secure USB keys appeared first on Cyberscoop.

Tax prep firm reaches settlement with FTC over cybersecurity lapses

TaxSlayer, a tax preparation company hacked by a ring of identity thieves in 2015, has agreed to settle a Federal Trade Commission complaint about its cybersecurity and data privacy practices — consenting to adopt a new security program and pay for third-party audits of its services. “Tax preparation services are responsible for very sensitive information, so it’s critical they implement appropriate safeguards,” said Tom Pahl, acting director of the FTC’s Bureau of Consumer Protection, in a statement. “TaxSlayer didn’t have an adequate risk assessment plan.” The FTC announced the settlement in a statement Tuesday, saying the company was in violation of the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to implement security safeguards to protect customers’ personal information; and its Privacy Rule, which requires financial institutions to tell customers about their privacy practices — the widely ignored “privacy notices” that they distribute. There is no direct financial penalty, but the company has to bear the […]

The post Tax prep firm reaches settlement with FTC over cybersecurity lapses appeared first on Cyberscoop.
