Universal 2nd Factor for Government Services

In August 2016, NIST awarded Yubico a $2.27M grant in cooperation with the National Strategy for Trusted Identities in Cyberspace (NSTIC). This pilot project will be the first adoption of FIDO U2F strong authentication for authenticated access to government services in the United States. It will combine the privacy, security, usability, and interoperability benefits of U2F authentication with an identity proofing solution geared specifically for the US market. We plan to deliver a common solution that will be used by the State of Colorado and the School District of Janesville (Wisconsin).

About the Pilot Participants

  • State of Colorado
    Both employees and residents will access State of Colorado resources. State employees will use YubiKeys to access the internal website, while both employees and residents will access the external state web portal.
  • School District of Janesville
    K-12 students, teachers, and IT staff will access internal resources. Students and teachers will use YubiKeys to access online tests, curricula, and study materials.

Each pilot participant will have their identity “proven” prior to receiving YubiKeys — either by using a mobile application or with in-person verification. YubiKeys are then “registered” to the site at the State or School District, and the participant can then use the keys during their normal day-to-day activities.

We will start rolling out to the first participants in Q1 2017.

Using Open Standards

In both states, Yubico will deploy FIDO Alliance Universal 2nd Factor (U2F)-based YubiKeys and use the OpenID Connect protocol to develop an “identity toolkit”, with the goal of making the solution simple to deploy and use.

FIDO U2F is an open authentication standard that uses public key cryptography to secure transactions and to defeat the phishing attacks by which attackers steal a user’s credentials. OpenID Connect, also an open standard, allows all types of clients, including browser-based and native mobile apps, to support sign-in flows and receive verifiable claims about the identity of signed-in users.
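As an added illustration of why U2F resists phishing (example code written for this page, not Yubico's or the pilot's own): the token signs over a hash of the origin (appId) it was registered at together with a signature counter, so a response captured on a look-alike site does not verify at the real portal, and the token will not sign at all for an origin it has no key for. The origins, the client data and the simplified single-counter token are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Token models a U2F authenticator (constructed for this example): one P-256 key pair per registered origin (appId) plus a signature counter.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a key pair bound to appId; the relying party stores the public key it gets back.
func (t *Token) Register(appID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) } // crypto/rand does not fail on a healthy system
	t.keys[appID] = priv
	return &priv.PublicKey
}

// signedData is what a U2F token signs: SHA-256(appId) || presence byte 0x01 || big-endian counter || SHA-256(clientData).
func signedData(appID string, counter uint32, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	msg := binary.BigEndian.AppendUint32(append(append([]byte{}, app[:]...), 0x01), counter)
	return append(msg, cd[:]...)
}

// Authenticate (token side): the browser passes the origin of the page that asked, and the token only answers for origins it registered with, so a look-alike phishing site never obtains a signature.
func (t *Token) Authenticate(appID string, clientData []byte) (uint32, []byte, error) {
	priv, ok := t.keys[appID]
	if !ok { return 0, nil, fmt.Errorf("no key registered for origin %q", appID) }
	t.counter++
	digest := sha256.Sum256(signedData(appID, t.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return t.counter, sig, err
}

// Verify (relying-party side): the signature must cover the RP's own appId and the counter must exceed the last one stored for this key, so a replayed or cloned-token response is rejected.
func Verify(pub *ecdsa.PublicKey, appID string, lastCounter, counter uint32, clientData, sig []byte) bool {
	digest := sha256.Sum256(signedData(appID, counter, clientData))
	return counter > lastCounter && ecdsa.VerifyASN1(pub, digest[:], sig)
}
```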