Identity management is how an organization controls access to resources so that the right individuals have access to the right resources at the right time, and it is a key pillar of zero trust architecture. In a zero trust system, a user's identity is verified continually as they access data and systems. But to work well, this process has to be seamless for the end user. Traditional security measures dependent on passwords cannot scale to meet the needs of zero trust--imagine how time-consuming and frustrating it would be to enter a password every time you move to a new application or data set. Fortunately, there are several approaches organizations can use to achieve high levels of both security and usability.
FIDO
Fast identity online (FIDO) is an authentication standard designed to improve security and convenience in identity management by eliminating reliance on traditional passwords. Strong authentication is achieved with public-key cryptography: the authenticator (a security key or the device itself) creates a separate key pair for each site, the private key never leaves the authenticator, and the user unlocks it locally with a biometric (such as a fingerprint or facial recognition) or a PIN. The biometric or PIN is checked on the device and is never sent to the site.
The passwordless nature of this approach both eases the burden on users and resists phishing: each credential is bound to the website's origin, so a look-alike site cannot obtain a signature the real site would accept, and there is no shared secret for a user to type into the wrong page. FIDO can also serve as the login step of an identity provider, so a single passwordless authentication provides single sign on (SSO) across applications and the user does not have to log in again while navigating between them.
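The origin binding described above is enforced by the browser, which only lets a site use credentials registered for its own domain, and again by the site's server when it validates the login. The following is an added example (not code from this page or from the FIDO Alliance) of the server-side checks on a FIDO2/WebAuthn login: it parses the authenticator data, confirms the challenge, origin and relying party (RP) ID, and shows the same assertion being rejected when it arrives from a look-alike origin. The RP ID, origin, and helper names are hypothetical, the client data and authenticator data are constructed in the block, and verifying the signature (over authenticatorData || SHA-256(clientDataJSON) with the credential's registered public key) is assumed to be done afterwards by the server's WebAuthn library and is not shown.

```python
import base64
import hashlib
import json
import secrets
import struct

# Hypothetical relying party: the ID credentials were registered under and the
# only origins from which this RP accepts logins.
RP_ID = "login.example.gov"
ALLOWED_ORIGINS = {"https://login.example.gov"}

# Flag bits in authenticatorData (WebAuthn, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified on the authenticator (biometric or PIN)


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": auth_data[:32], "flags": auth_data[32], "sign_count": sign_count}


def verify_assertion_binding(client_data_json: bytes, auth_data: bytes,
                             expected_challenge: bytes, stored_sign_count: int,
                             require_uv: bool = True) -> dict:
    """RP-side checks that bind a login to this server's challenge, origin and RP ID.
    Raises ValueError on any mismatch. Signature verification is not part of this
    example (assumed to be done next by the server's WebAuthn library)."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("unexpected ceremony type")
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch (replay or wrong session)")
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        raise ValueError(f"origin not allowed: {client_data.get('origin')}")

    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if not parsed["flags"] & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not parsed["flags"] & FLAG_UV:
        raise ValueError("user verification (biometric/PIN) not asserted")
    # A counter that fails to increase suggests a cloned authenticator.
    if parsed["sign_count"] != 0 and parsed["sign_count"] <= stored_sign_count:
        raise ValueError("signature counter did not increase")
    return parsed


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Constructed sample of the clientDataJSON a browser produces for a login."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData (prefix only, no extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def demo() -> tuple:
    challenge = secrets.token_bytes(32)  # issued by the server for this login attempt
    auth = make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 42)
    ok = verify_assertion_binding(make_client_data(challenge, "https://login.example.gov"),
                                  auth, challenge, stored_sign_count=41)
    # The same credential relayed through a look-alike site: the origin the browser
    # records is not one this RP owns, so the login is rejected.
    try:
        verify_assertion_binding(make_client_data(challenge, "https://login-example.gov.evil"),
                                 auth, challenge, stored_sign_count=41)
        phished = "accepted"
    except ValueError as err:
        phished = str(err)
    return ok["sign_count"], phished


if __name__ == "__main__":
    print(demo())
```

In practice a browser would never produce the second assertion, because the look-alike domain cannot claim the real site's RP ID; the server-side check is defence in depth and also catches a relying party misconfigured with the wrong origin list.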
SAML
Security assertion markup language (SAML) is an open standard that allows users to access multiple web applications using one set of login credentials--achieving SSO. It enables the exchanging of authentication and authorization data between an identity provider (IdP) and a service provider (SP).
With SAML, the SP sends an authentication request to the IdP (a third party such as Okta or Google Workspace). The user logs on through the IdP, which generates a SAML assertion (an XML document) containing authentication details and user attributes. The IdP digitally signs the assertion to prevent tampering and returns it through the user's browser to the SP's assertion consumer service. The SP verifies the signature against the IdP's certificate and checks that the assertion is addressed to it and still within its validity window, after which no further login is needed. Because authentication happens at the IdP, its strength is whatever the IdP enforces (for example, FIDO), and users no longer need a separate password for each enterprise application.
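The checks an SP must make after verifying the signature are what stop a valid assertion from being replayed or used at a different application. As an added example (not code from this page or from any SAML library), the following validates a constructed SAML Response with Python's standard library: issuer, status, validity window, audience, recipient, and InResponseTo, then extracts the subject and attributes. The IdP and SP URLs are hypothetical, the response is constructed inline with its ds:Signature element omitted, and signature verification is assumed to have been done already by an XML-signature library over the same Assertion element that is consumed here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical SP configuration: the IdP it trusts, its own entity ID, and the
# assertion consumer service (ACS) URL the IdP must deliver assertions to.
SP = {"trusted_issuer": "https://idp.example.gov/saml",
      "entity_id": "https://app.example.gov/sp",
      "acs_url": "https://app.example.gov/saml/acs"}

# Constructed sample response with one bearer assertion (signature element omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2025-03-05T15:00:00Z" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.gov/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-03-05T15:00:00Z">
    <saml:Issuer>https://idp.example.gov/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jane.doe@example.gov</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://app.example.gov/saml/acs"
            InResponseTo="_req1" NotOnOrAfter="2025-03-05T15:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2025-03-05T14:59:00Z" NotOnOrAfter="2025-03-05T15:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.example.gov/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="role"><saml:AttributeValue>analyst</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text: str, expected_request_id: str, now: datetime,
                      skew: timedelta = timedelta(minutes=2)) -> dict:
    """SP-side checks on a SAML Response whose signature has already been verified.
    Raises ValueError on the first failed check; returns the subject and attributes."""
    root = ET.fromstring(xml_text)  # use defusedxml for untrusted input in production
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # refuse responses that smuggle in a second assertion
        raise ValueError("expected exactly one assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != SP["trusted_issuer"]:
        raise ValueError("assertion issued by an untrusted IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if now < _ts(cond.get("NotBefore")) - skew or now >= _ts(cond.get("NotOnOrAfter")) + skew:
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP["entity_id"] not in audiences:
        raise ValueError("assertion was issued for a different service provider")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP["acs_url"]:
        raise ValueError("assertion was not addressed to this ACS URL")
    if scd.get("InResponseTo") != expected_request_id:
        raise ValueError("assertion does not answer the request this session sent")
    if now >= _ts(scd.get("NotOnOrAfter")) + skew:
        raise ValueError("bearer confirmation expired")
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}


def demo() -> dict:
    """Accept the assertion in its window, then reject a late replay and a cross-session use."""
    ok = validate_response(SAMPLE_RESPONSE, "_req1", _ts("2025-03-05T15:01:00Z"))
    errors = {}
    for label, request_id, when in [("replayed later", "_req1", "2025-03-05T15:10:00Z"),
                                    ("other session", "_req2", "2025-03-05T15:01:00Z")]:
        try:
            validate_response(SAMPLE_RESPONSE, request_id, _ts(when))
            errors[label] = "accepted"
        except ValueError as err:
            errors[label] = str(err)
    return {"ok": ok, "errors": errors}


if __name__ == "__main__":
    print(demo())
```

The signature check and these checks belong together: a signature proves the IdP issued the assertion, while audience, recipient and InResponseTo prove it was issued for this SP and this login, and the short NotOnOrAfter window limits how long a captured assertion stays usable.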
OAuth
OAuth, which stands for "open authorization," relies on "tokens" rather than passwords. Unlike FIDO and SAML, this standard is focused on authorization (granting access to resources) rather than authentication (verifying identity); the familiar "sign in with Google/Facebook" buttons are OpenID Connect, an identity layer built on top of OAuth 2.0. With OAuth, the user requests access to an app, and the app redirects the user to an authorization server (e.g., Google, Facebook, or Microsoft) to obtain consent. The user logs in to that server and approves the requested permissions, and the server redirects back to the app's registered redirect URI with a short-lived, single-use authorization code. The app then exchanges that code for an access token, which it presents to the resource API in place of the user's password. OAuth is an efficient way to enable third party integrations.
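The code flow above is only as safe as the two bindings around the code: the callback must belong to the session that started the login, and the code must be redeemable only by the app that requested it. As an added example (not code from this page or from any OAuth provider), the following models both sides of the exchange in one process, going slightly beyond the text by adding the `state` parameter and PKCE (RFC 7636), which are the hardened form of the flow now expected of every client. The endpoints, client ID and class names are hypothetical, the user's login and consent at the authorization server are assumed to succeed, and the "openid" scope marks this as the OpenID Connect sign-in case.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints and client registration.
AUTHZ_ENDPOINT = "https://auth.example.gov/authorize"
REDIRECT_URI = "https://app.example.gov/callback"
CLIENT_ID = "gov-portal"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def s256(verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA-256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class Client:
    """The app the user wants to use. Keeps per-login secrets server-side."""

    def __init__(self):
        self.pending = {}  # state -> code_verifier

    def start_login(self, scope: str = "openid profile") -> str:
        state = b64url(secrets.token_bytes(16))     # ties the callback to this session
        verifier = b64url(secrets.token_bytes(32))  # 43 chars, within the RFC 7636 range
        self.pending[state] = verifier
        params = {"response_type": "code", "client_id": CLIENT_ID,
                  "redirect_uri": REDIRECT_URI, "scope": scope, "state": state,
                  "code_challenge": s256(verifier), "code_challenge_method": "S256"}
        return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"

    def handle_callback(self, callback_url: str) -> dict:
        q = parse_qs(urlparse(callback_url).query)
        verifier = self.pending.pop(q.get("state", [""])[0], None)
        if verifier is None:
            raise ValueError("unknown state: callback was not started by this session")
        if "error" in q:
            raise ValueError(f"authorization denied: {q['error'][0]}")
        # This is the body of the back-channel token request.
        return {"grant_type": "authorization_code", "code": q["code"][0],
                "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                "code_verifier": verifier}


class AuthorizationServer:
    """Mints one-time codes after consent and exchanges them for tokens."""

    def __init__(self):
        self.codes = {}

    def authorize(self, authz_url: str) -> str:
        q = {k: v[0] for k, v in parse_qs(urlparse(authz_url).query).items()}
        if q.get("client_id") != CLIENT_ID or q.get("redirect_uri") != REDIRECT_URI:
            raise ValueError("unregistered client or redirect URI")
        if q.get("code_challenge_method") != "S256" or "code_challenge" not in q:
            raise ValueError("PKCE required")
        # User login and consent happen here (assumed to succeed); then a code is minted.
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "challenge": q["code_challenge"]}
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': q.get('state', '')})}"

    def token(self, req: dict) -> dict:
        rec = self.codes.pop(req.get("code"), None)  # single use: pop, never get
        if rec is None:
            raise ValueError("invalid or already redeemed code")
        if rec["client_id"] != req.get("client_id") or rec["redirect_uri"] != req.get("redirect_uri"):
            raise ValueError("code was issued to a different client")
        if not secrets.compare_digest(s256(req.get("code_verifier", "")), rec["challenge"]):
            raise ValueError("PKCE verification failed")
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer",
                "expires_in": 3600}


def demo() -> dict:
    client, server = Client(), AuthorizationServer()
    callback = server.authorize(client.start_login())   # user consents, browser is redirected
    token_req = client.handle_callback(callback)
    results = {"token_type": server.token(token_req)["token_type"]}
    try:  # the same code presented twice is refused
        server.token(token_req)
        results["replay"] = "accepted"
    except ValueError as err:
        results["replay"] = str(err)
    try:  # a callback the app never initiated (login CSRF) is refused
        client.handle_callback(f"{REDIRECT_URI}?code=attacker-code&state=forged")
        results["csrf"] = "accepted"
    except ValueError as err:
        results["csrf"] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

The two failure cases in `demo` are the ones that matter: an authorization code leaked from a browser history or referrer is useless without the verifier that never left the app's server, and a callback forged by an attacker is dropped before any code is redeemed.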
To explore how agencies are using these and other approaches to identity management, check out these resources:
- Gov Identity Summit 2025 (March 5, 2025; Washington, DC) - This event gathers leaders, innovators and peers in identity and access management focused on enhancing our nation's cyber resilience and constituent services. Sessions will discuss modern approaches to identity management, including zero trust and driving frictionless digital experiences for your various stakeholders.
- CyberScape Summit (April 3, 2025; Bethesda, MD) - This event will explore key priorities in cybersecurity and how to stay ahead of evolving challenges. Speakers will discuss critical infrastructure security, zero trust identity management, data security, and more.
- 2025 SANS Zero Trust Survey Webcast & Forum: Exploring Challenges, Opportunities, and Innovative Solutions for a Secure Digital Future (September 17, 2025; webcast) - This webcast will explore the results of the 2025 zero trust survey that looked at how principles, such as identity management, micro-segmentation, and continuous verification, are being leveraged to build defensible security architectures and enhance organizational resilience.
- Office of Biometric Identity Management Strategic Plan for Fiscal Years 2025-2029 (white paper) - This paper charts a forward-looking path to enhance identity management capabilities across the Homeland Security Enterprise. It is focused on three strategic goals--Design and Delivery, Advocacy and Engagement, and Identity Innovation.
- Cryptographic Algorithms and Key Sizes for Personal Identity Verification (white paper) - This document contains the technical specifications needed for the mandatory and optional cryptographic keys specified in Federal Information Processing Standard 201-3 (FIPS 201-3).
- Use Secure Cloud Identity and Access Management Practices (white paper) - As organizations increasingly move away from traditional on-premises infrastructure in favor of cloud solutions, they unlock greater flexibility in collaboration and mission capabilities. This cybersecurity information sheet (CSI) sheds light on common threats to cloud identity management, and outlines key practices to help organizations safeguard their data and maintain secure access.
For further information on identity management in government, search for additional events and resources on GovEvents and GovWhitePapers.