Coming back to the Latin root of the word idem meaning the same; at its base, identity is knowing a person is the same person over time (i.e., continuity) and distinct from someone else (i.e., contrast). But what do we need to know about a person in order to establish their identity? Unsurprisingly, the answer is the cliché “It depends.”

Consider a person’s identity as a parent. There is very little an infant, toddler or child need to be able to identify who their mama or papa is. They won’t even know their name for quite some time, but they will be able to recognize who that individual is. Before you think “Well that really only applies when early in life”, consider when that parent is out with a group of friends, and has just met someone. Typically, the parent just needs to say their name to recognize them as a unique individual the next time they  are out with that same group.

When that group then goes out to a bar to celebrate 6 months of parenthood, someone has to present a credit card with their name to start a tab. Then round after round, that person just needs to indicate that same name to the bartender to get additional drinks over the course of the night. The next day, that same person decides they want to open a new 529 account at a bank for their child’s education. They would need to present more than a credit card; they would need to present a photo ID as well as their SSN. Now, if that same person were to try to get a mortgage to buy a new home for their growing family, they would also need to present a significant amount of additional information regarding their credit history.

It turns out that person is a senior researcher in infectious diseases. When they need to enter a secure, level 5 containment facility at the CDC, they have to present their fingerprint in order to assert who they are.

This brief vignette was centered around the same individual; yet they experienced increasing friction, having to present an escalating number of items to assert their identity. That increase in friction is proportional to the increasing risk of loss when an identity is incorrectly asserted. The risk to a financial institution, for example, is much lower when the person is bringing money in for a 529 account compared to when they are taking money out for a mortgage.

Identity in the Digital Age—Cyber Threats, Data Breaches and Fraud

Now consider identity in today’s digital age, with the increasing prevalence of cyber threats, data breaches, and fraud; it’s crucial to have strong security measures in place to protect sensitive data and resources. Fraudulent actors took advantage of government aid made available during the pandemic, especially aid being disbursed via outdated, legacy systems. The GAO released a report on unemployment insurance (UI) in February 2023. That report estimated that $60 billion worth of fraud occurred when Congress created four new UI programs to support workers during the pandemic.

In June 2022, the Office of Management and Budget issued a memo on the federal government’s Zero Trust Architecture (ZTA) strategy supporting the Executive Order on Increasing the Nation’s Cybersecurity. One of the pillars of ZTA is to strengthen Identity and Access Management (IAM). IAM is a set of policies, processes, and technologies that helps organizations. By using IAM, organizations can ensure that only authorized users have access to their systems and data, and that access is granted according to the principle of least privilege, which means that users are granted only the access they need. The Department of Veterans Affairs, via the Technology Modernization Fund, is strengthening security by making an investment to strengthen identity verification and authentication.

Identity for All—The Give and Take between Security and Equitable Access

However, risk comes in many forms; not just security. Each federal agency delivers services in some form to its constituents. The risk of making those services inaccessible in pursuit of security is real. The Executive Orders on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government highlights the need for the federal government to improve service delivery of benefits to users. 

A balance must be struck between security and access. Controls meant to increase the security of a system can have the unintended consequence of creating insurmountable barriers for legitimate users. On the other hand, lack of security controls may lead to fraudulent actors stealing benefits away from those same legitimate users. The Executive Order on Further Advancing Racial Equity and Support for Underserved Communities Through The Federal Government shines a spotlight on historically marginalized communities. These communities are those disproportionately adversely affected by both those security controls as well as most likely targeted by fraudulent schemes.

Embedding  adequate security controls while  managing equitable access to services is as important as it is a challenge. The Paycheck Protection Program, enacted at the height of the pandemic to protect small businesses and its employees, suffered significant losses due to fraud as it was attempting to ensure relief was readily accessible during the global emergency.

Maintaining Access for Millions of Veterans

“They are basically saying <an identity provider> gives you more security, but I don’t know how true that is because I can’t get in to use it.” – Veteran

The VA supports millions of Veterans and has to manage the risk of Veterans having difficulty accessing services while increasing security. Not only do these risks carry financial implications, but may have life and death implications as well. When applying for services, a Veteran has to confirm their identity as one of the earliest steps in the process. As the VA migrates to a more modern identity credential with strong authentication protection to increase security, so does the friction for a Veteran. Whereas before, they may have been able to assert their identity by answering a few questions about themselves; in order to meet higher identity assurance levels, they would now need to present a government issued ID. While presenting identification is definitely a stronger security control; every Veteran has an identity, but not every Veteran has identification. In particular, data shows that marginalized communities are those most likely not to have government issued IDs. Take, for instance, the context of the unhoused. VA has been able to reduce Veteran homelessness by 55% since 2010, but curtailing Veteran homelessness remains a strategic priority for the VA. Someone who is unhoused experiences significant barriers when securing identification. This shows how VA needs to consider diverse strategies as it is balancing trust and access as it modernizes identity credentials that will increase protections for Veterans,.

MO has been collaborating with VA on modernizing its identity credential, taking a Veteran-journey-led approach to our work. We started with an in-depth discovery where we met with Veterans in person to understand their experiences with account access and identity. This discovery yielded a service blueprint – a visual summary of the interactions and what is and needs to be in place to enable a successful and meaningful engagement – that shed light on the pain points and confusion Veterans face when interacting digitally with the VA.

That discovery has informed priorities that Identity Teams at VA are currently working on:

• Establishing paths for Veterans to migrate to a stronger credential while maintaining access to services;
• Creating additional channels, such as complementing digital interactions with interactions in-person, for Veterans to assert their identity;
• Providing strong communications and support for Veterans as VA launches these new capabilities and changes the current ways of doing.

As our MO team tackles these challenges of establishing identity for millions of Veterans, we are mindful that it is an early step in a Veteran’s long journey to access services. We are most effective if Veterans can securely assert their identity and quickly move on to the next step in their journey –with the end goal of securing access to services for themselves and their families.