E-Authentication Frequently Asked Questions
Last Updated: October 31, 2003


1. What is authentication?

Authentication defines the level of trust or trustworthiness of the parties involved in a transaction - it is the process of determining the certainty that someone really is who they claim to be.

2. What is an electronic credential?

An electronic credential binds an individual to a technology such as PINs, PKI certificates and smartcards, creating an electronic identity. The types of electronic credentials E-Authentication will accept are PINs, passwords and PKI-based credentials.

3. What is meant by "level of authentication"?

The level of authentication of an electronic credential is the degree of confidence in the binding of the identity to the credential issued. The processes and controls employed in the operation of the credential service provider (CSP) and the methods used to protect the subscriber's information determine the assurance level.

Some business transactions need to know exactly who you are while others don't. Since the E-Authentication Initiative supports all E-Gov transactions, it must support multiple levels of assurance.

4. Do agencies select their own authentication level and technology?

Application Owners determine, via Risk Analysis, the strength of identity authentication their application calls for. The level of risk corresponds to one of the four authentication levels, essentially ranging from low to very strong. Analyzing the results of the Risk Analysis against assurance level policy guidance provided by OMB and technology mapping guidance developed by NIST, the Application Owner, with assistance from the E-Authentication team, determines and selects the appropriate authentication level and associated technology.

5. Who is responsible for issuing electronic credentials to agency application users?

An approved credential service provider (CSP) can issue electronic credentials. The E-Authentication Initiative will review the policies and procedures used by the CSP to determine if they may provide credentials for use with E-Authentication, and, if so, at what level of assurance.

6. What entity approves credential service providers (CSPs)?

The E-Authentication Initiative will empower a multi-agency credential assessment team to review policies and security and business practices from each entity requesting to become a CSP. If the CSP is approved, this team will determine what level of assurance the credential in question satisfies.

7. How many credentials can a user have?

A user can have credentials at different levels, and they may also have multiple credentials at the same level.

One of the major goals of E-Authentication is to support single sign-on. Once a user presents an electronic credential for use, they will be allowed to conduct business with all applications at that level or any lower level. To conduct business with applications that require a higher level of authentication, the user will have to re-login and provide a credential that satisfies that required level.

8. How does a user get a credential?

When you access a particular application, if authentication is required, you will be asked to provide the appropriate credential to gain access to that application. If you do not already have a credential that is acceptable to the application, there will be a list of links to authorized CSPs from whom you may obtain the necessary credential.

9. How do credentials work?

An application user is assigned a credential appropriate for the authentication level associated with the transaction the user wishes to perform. Credentials are downwardly compatible. This means that a user with a Level 3 credential can use that credential to access a Level 2 application. However, someone with a Level 2 credential cannot use it to access a Level 3 or 4 application. In such a case, the user will have to obtain a higher-level credential.
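
The rules in answers 7, 8 and 9 (single sign-on at or below the presented level, re-login for anything higher, and a list of acceptable CSPs when the credential falls short) can be written as one access decision. This is an added illustration, not code from the E-Authentication Initiative; the application names, CSP names and their levels are constructed, and it assumes each approved CSP is assessed at a single level that the relying side looks up rather than trusting a level claimed by the credential.

```python
from dataclasses import dataclass

LEVELS = range(1, 5)  # the four authentication levels, low to very strong

# Constructed sample data (hypothetical names and levels).
APPLICATIONS = {"benefits-lookup": 1, "grant-application": 2, "tax-filing": 3}
APPROVED_CSPS = {"csp-alpha": 2, "csp-bravo": 3, "csp-charlie": 4}


@dataclass
class Session:
    level: int = 0  # 0 means no credential has been presented yet


def login(session: Session, csp: str) -> bool:
    """Record a login with a credential issued by `csp`.

    The assurance level comes from the assessment result for the CSP,
    never from a value carried in the credential itself.
    """
    level = APPROVED_CSPS.get(csp)
    if level not in LEVELS:
        return False          # unapproved CSP: session is left unchanged
    session.level = level     # a re-login replaces the previous level
    return True


def authorize(session: Session, app: str) -> dict:
    """Decide whether the current session may use `app`."""
    required = APPLICATIONS.get(app)
    if required is None:
        return {"decision": "deny", "required": None, "csps": []}
    if session.level >= required:  # downward compatibility
        return {"decision": "allow", "required": required, "csps": []}
    # Credential too weak: list CSPs whose credentials would satisfy the level.
    csps = sorted(n for n, lvl in APPROVED_CSPS.items() if lvl >= required)
    return {"decision": "step-up", "required": required, "csps": csps}


if __name__ == "__main__":
    s = Session()
    login(s, "csp-alpha")
    for app in APPLICATIONS:
        print(app, authorize(s, app))
```
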

10. What types of applications are suited for e-Authentication?

E-Authentication is being developed to support all E-Gov applications, especially those involving the transmission of any sensitive or personal information.

11. How does a user access an agency application?

A user can access an agency application in three ways:
· Via a Portal such as FirstGov, as a set of web links
· Via the FirstGov Portal as a "proxy" login for agency applications
· Directly via the agency URL

12. What happens if a user attempts to access an agency application but does not have the proper electronic credential?

If a user does not have the proper credential, he will be provided a list of links to authorized CSPs from whom he may obtain the necessary credential.

13. Why should an agency application use E-Authentication to authenticate users of its online services?

E-Authentication provides a uniform set of policies and technologies developed to ensure appropriate authentication of users for all electronic transactions with the Government, allowing agencies to focus on their core lines of business. By using E-Authentication, agencies save human and financial resources that would otherwise be tied up creating redundant authentication solutions.

14. Will E-Authentication collect user information?

E-Authentication does not collect information on the user.

15. Will E-Authentication track sites that the user has visited?

No. E-Authentication's function is to validate credentials. It does not store information about a user.
