Note: Verizon has earned "Level 3" certification by the U.S. government for its Universal Identity Services (UIS) identity and access management technology to protect computer networks. Verizon says it is the first identity access provider to reach Level 3 certification.

Verizon has earned "Level 3" certification by the U.S. government for its Universal Identity Services (UIS) identity and access management technology to protect computer networks. Verizon says it is the first identity access provider to reach Level 3 certification.

There are four levels of certification under the federal Identity Credential and Access Management (ICAM) program, Tracy Hulver, chief security strategist for Verizon, explained. The lowest level is Level 1, in which a user identifies him-or-herself as who they say they are and no further identification is needed. Level 2 certification matches the person's name with some identifying information such as their address or the last four digits of their Social Security Number. Level 3 adds an additional layer of vetting called second-factor authentication.

With Verizon's UIS product, a user enters their name and perhaps an ID number but then also is given an "online antecedent," Hulver said, which could be a list of questions the person has to answer in a given amount of time. For example, the person could be shown a list of addresses and be asked which of them is not an address at which they have ever lived. The vetting could include a number of such questions.

"The more questions you answer within the time frame, the higher the level of probability that you are who you say you are," Hulver said. Level 4 is the highest level of authentication and also requires a third factor such as a smart card with a biometric identifier attached to it; Hulver called Level 4 "the equivalent of a notary certification."

Level 3 certification hardens a protected Web site, database or other network asset better than conventional username and password systems that have too often been hacked, Hulver said, citing the widely read 2011 Verizon Data Breach Investigations Report, which studied incidents reported in 2010. It divided computer network attacks into two main groups, malware and hacking. Of the hacking incidents, a majority were due to "weakened credentialing," he said, such as passwords that were too easy to figure out -- like 123456 -- or server passwords that weren't set so that the default password was "password." "None of the breaches that we had investigated in 2010 involved a breach of second-factor authentication so that shows you just how strong second-factor authentication is," Hulver said.

Although there are other providers of second-factor authentication on the market, Hulver said that Verizon has an advantage in that its UIS is a cloud-based service. Because of that, a hacker would not only have to break into the target's network to get what they want, they would also have to hack into Verizon's cloud.

ICAM was established by a subcommittee co-chaired by the General Services Administration and the Department of Defense (DoD). The program is not mandated but it is intended to set a standard for various federal agencies -- the DoD, IRS, NASA, etc. -- to follow to secure their networks. Offering a uniform standard like ICAM "would get the agencies themselves out of the ID management business," Hulver said.

Verizon's certification for the Level 3 ICAM designation was granted by the Kantara Identity Trust Framework, an independent third party organization not part of the government. Verizon's UIS product and other identity management and network security services are delivered through its Terremark subsidiary following the $1.4 billion acquisition of Terremark by Verizon earlier this year.

See more on this topic by subscribing to Network Computing Pro Reports Security That Never Sleeps (subscription required).