In the next few years, usernames and passwords could gradually fade from popular use as a way to conduct business online. A public/private coalition is working on a new policy and technical framework for identity authentication that could make online transactions less dependent on these increasingly compromised identity management tools. A second round of federal grants from the group, expected this fall, will lead to continued work on what is expected to become a private sector-operated identity management industry.
“The fact is that the username and password are fundamentally broken, both from a security standpoint as well as a usability standpoint,” says Jeremy Grant, senior executive adviser for identity management with the National Institute of Standards and Technology (NIST), an agency of the Department of Commerce. As a result of such security weakness, cybercrime is costing individuals and businesses billions of dollars every year. An estimated 11.7 million Americans were victims of identity theft of some kind, including online identity theft, over a recent two-year period, according to NIST, the federal agency tasked with setting cybersecurity standards.
Grant heads up NIST’s national program office for the National Strategy for Trusted Identities in Cyberspace (NSTIC), a White House initiative designed to work collaboratively with the private sector, advocacy groups, public sector agencies and other organizations to improve the privacy, security and convenience of sensitive online transactions. The NSTIC currently involves a broad coalition of organizations representing 18 different business and infrastructure sectors and 70 different nonprofit and federal advisory groups, all of which have been involved in the effort to develop the new framework. And, while the government strategy is aimed at promoting the creation of this identity confirmation framework, the goal is to encourage the private sector to develop and eventually run it as a viable service business.
Grant wryly notes that this year marks the 20th anniversary of the now-classic The New Yorker magazine cartoon depicting two canines sitting at a personal computer with the caption, “On the Internet, no one knows you’re a dog.” Even with the passing of 20 years, he suggests, nothing has changed regarding the basic truth behind the message, adding that some form of identity confirmation is vital for the future growth of the Internet.
“The notion is, if you can get people to use multifactor authentication and give people the option of binding to that credential real proof that they are who they say they are, you give people a tool they can use anywhere to go online,” he says.
Along with identity authentication, another significant plank of the NSTIC involves the issue of privacy. “If you only do security and identity authentication and don’t do privacy from the start, some very unfortunate things could happen,” Grant explains. Accordingly, any solutions resulting from the NSTIC program must be voluntary and privacy enhancing. “If someone comes to us with an idea that doesn’t have things such as user choice or data minimization as a principle, it’s not going to go far with us. You really need a way to change the model from what we’ve seen to date with online identity, in which the assumption is that your data belongs to someone else, and shift things to where the end user has more control and can be more involved in the process.”
The goal of the NSTIC is to establish what Grant calls an identity ecosystem. “The best way I can describe it is as a marketplace,” he explains. Within a few years he envisions an environment in which people can “choose from a wide variety of digital credentials that can be used anywhere that a person can go online in lieu of passwords to engage in digital transactions.” He emphasizes that the marketplace would not prescribe a specific solution, but instead would be the result of technical innovation in identity management going on primarily in academia and the private sector. “If the government were to try to specify a solution, or a set of solutions, we’d probably fail. Many entrepreneurs are working in this area, and the pace of innovation is so quick, there’s no way the government could get ahead of the innovation cycle in terms of what the next great technology is going to be.” Because of this, he acknowledges, the best path would be to lay out a strategy, defining how the ecosystem would look, and then work through a multi-stakeholder collaborative process.
The process to develop the identity ecosystem envisioned by the NSTIC has been underway for a little more than two years, yet no one model for how it would operate has emerged from the initial series of pilot programs NIST has funded. The best way to envision this concept working, according to Grant, is to think about how a Visa credit card, or any credit or debit card issued by a bank, works. Starbucks, for example, does not care which Visa card a customer pays with. “They don’t care which bank issued it. All they care about is that it has the Visa logo on it, which is a trustmark,” he explains. That trustmark stands for a system that specifies how the card is authenticated at the point of the transaction. It specifies how many days it will take for Starbucks to be paid; how much the interchange fee will be for using the card network; and most importantly, what happens if something goes wrong with the transaction. Credit cards generally have policies written into their customer agreements dictating what happens when unauthorized purchases are made with a stolen card.
The NSTIC is working to develop a model similar to the bank credit card for online identity authentication, with multiple trustmarks that can be used to facilitate online commerce, citizen interaction with government and essentially any online activity in which a trusted identity is a must. Grant acknowledges that “This is much less of a technology challenge at the end of the day, and it’s more of a policy and governance challenge. If I’m buying from Starbucks online, how do I come up with a framework that allows me to bring my own credential instead, and provide only those pieces of information that are needed to complete the transaction?” Such a framework, he adds, would replace the existing username and password model.
Because the effort depends heavily on private sector innovation and buy-in, Grant describes the process of developing the identity ecosystem as slow and deliberate. With that in mind, the coalition that makes up the NSTIC formed a steering group to guide its work. The steering group is composed of representatives from 10 major banks; retailers such as Neiman Marcus; health insurance giant Aetna; information technology firms such as Microsoft, Oracle and Intel; representatives from payment networks such as Visa and MasterCard; and membership groups such as the AARP, which he says is very interested in identity authentication as a consumer protection issue for its members. Within the steering group are subcommittees tasked with working on issues regarding the technology, policies and governance of the identity ecosystem.
The active participation of all these stakeholders is vital, Grant explains. Devising a framework that will be widely adopted by both individual users and the organizations that will depend on the successful implementation of policies and governance is one of the keys to success for the NSTIC. “We’re trying to catalyze the marketplace, and if there’s one thing that’s certain, when you’re trying to get something new into the marketplace, if it doesn’t penetrate, it won’t work.”
Last fall, the NSTIC awarded its first five grants for pilot programs designed to test the viability of several technology-based identity authentication projects. Those initial grants were worth a total of $9 million. This October, the NSTIC is expected to award another dozen grants to fund a new group of pilot programs. The groups engaged in the pilot programs range from small startup companies, which are using their grants to test fully developed identity solutions using guidelines developed under the NSTIC, to academic institutions engaged in technical research into multifactor authentication, biometrics and other areas. The steering group will select 12 successful awardees from the 186 proposals that have been submitted to the NSTIC in recent months.
Legislation that authorized the creation of the NSTIC program within NIST and the Commerce Department specifies that the program will expire in 2016. Between now and then, the NSTIC will continue to dispense its grants and serve as a clearinghouse for the evaluation of products and services containing identity ecosystem standards. These standards will one day find their way into common online applications that require identity authentication. The NSTIC steering group, predicts Grant, could eventually evolve into a stand-alone industry group that would continue overseeing the identity ecosystem framework. NIST also is expected to continue its own research in the area under its broader mandate to evaluate and set cybersecurity standards.