Can the U.S. Postal Service find a future running a gov't cloud-based authentication service?

Can the U.S. Postal Service (USPS) find a new future running a cloud-based authentication service for the government? The USPS intends to try and do just that under a three-year $15.12 million contract awarded to SecureKey Technologies today for some foundation technology to build a cloud-based authentication exchange.

[MORE:7 IT security skills certifications on the rise

While in the early stages, the USPS-managed Federal Cloud Credential Exchange (FCCX), as it's being called, is envisioned as a way that people can use their existing online credentials to gain access to U.S. government agency online services in the future.

What third-party credentials would be used as part of FCCX is not yet decided, but ideas in play include credentials that users already have with the likes of Google and PayPal, for example, says Andre Boysen, executive vice president for marketing at SecureKey. It's anticipated these credentials would be of various strengths and types, from simple names and passwords to the government-designed Personal Identity Verification cards.

The RFP for the FCCX contract was originally put out for bid last January and the award today to Toronto-based SecureKey means that the USPS will be proceeding with its plans to try and operate a cloud-based authentication exchange for the government.USPS spokeswoman Darleen Reid-DeMeo said USPS is "implementing a pilot software solution to enable the public to use commercially issued digital credentials to access government services online with greater security, privacy and efficiency."

Many details, however, need to be ironed out as what would be the nation's first-of-its-kind authentication service to federal government in the U.S.

"Participants have not been finalized at this time," says Reid-DeMeo. "However, some of the agencies that have been assisting in developing the requirements for the pilot are the Veterans Administration, the Department of Education, the Social Security Administration and the Internal Revenue Service." It's anticipated that the FCCX pilot project would begin this fall.

The USPS pilot project for a cloud-based exchange is one of several experimental approaches to online access to government services envisioned under the Obama Administration's  National Strategies for Trusted Identities in Cyberspace (NSTIC) program.

The NSTIC program seeks to find new ways to reduce password use online for security reasons or to facilitate novel ways to facilitate government services in the future. Reid-DeMeo says the FCCX pilot project is being led by the White House Office of the Federal Chief Information Officer.

The FCCX project basically involves the USPS setting up a kind of credential-brokerage service using SecureKey's federated authentication platform. It's hoped that FCCX will work behind the scenes so when users go to a government agency's online service, they can enter a credential they already have that was not necessarily issued by the government to get access rather than having to go ask for a credential from the agency itself.

This all suggests a close level of trust and cooperation between all the participants involved, including the government agency, the USPS, and any third-party credential provider. While this kind of authentication brokering hasn't been done yet in the U.S. for government, something similar has been shown to work in Canada.

A cloud-based authentication brokerage system, with technology provided by SecureKey, has been operated by the Canadian government  for well over a year for use by the Canadian Treasury Board and other Canadian agencies.

According to SecureKey's Boysen, the Canadian credentials exchange now processes over 1 million transactions per month with users entering banking credentials they already have from the Bank of Montreal and TD Bank, for example. The Canadian system has the government's cloud-based credentials exchange service doing a quick online authentication verification with the participating banks concerning the user's credentials before allowing the user into the government online service.

The idea behind it is that users interact frequently with their banks online but infrequently with government services. Thus, they remember their online banking credentials while they are more likely to forget credentials they only use a few times a year for a government service.

It will be some time before it's clear exactly how the USPS-run FCCX might work, but it could give the country's beleaguered mail-delivery service, a new mission. But it might also prove unworkable and fade away after a year of a FCCX pilot cloud project, too.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityCloudendpoint securitypaypalWide Area Networkgovernmentcloud computingindustry verticalsU.S. Postal ServiceinternetGoogle

More about GoogleIDGInternal Revenue ServicePayPal

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ellen Messmer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts