Authenticating Who You are Online

Cyberspace has security problems, and the U.S. government is trying to do something about it. The National Strategy for Trusted Identities in Cyberspace (NSTIC) is promoting a plan and taking actions to move citizens beyond usernames and passwords to more powerful methods of authentication. In recent years, massive data theft has occurred in the cyber realm. Even strong passwords are vulnerable to hackers.

Identities are difficult to verify online, forcing many government and civilian transactions to occur in person to satisfy security needs. Furthermore, the complexity of having multiple passwords for myriad accounts means that many people abandon using certain Web services instead of going through the process to recover passwords they forget. Trusted identification could provide the foundation for a solution, explained Dr. Michael Garcia, deputy director, NSTIC National Program Office, National Institute of Standards and Technology (NIST), at the Biometric Consortium Conference.

To illustrate his point, Garcia explained that the U.S. Defense Department’s intrusion rate dropped 46 percent after the organization banned passwords in favor of common access cards with public key infrastructure. Costs, policy and other barriers prevent certain groups from following this model, however. The NSTIC has within it the idea of an identity ecosystem that will improve online trust. Officials believe the marketplace exists for such technology. Industry will lead the way with government serving as a convener, facilitator and catalyst, Garcia said. The private sector must determine how to build an ecosystem in which it can swap out technologies for various reasons.

The NSTIC announced yesterday its second round of pilot programs designed to spur necessary development. Five projects received funding, but another release of grant money is expected later this week or early next week to fund pilots focused on state benefits programs. In the last 15 months, NIST has awarded approximately $25 million in grants, because it believes large amounts of money and diversity are necessary to catalyze a marketplace. More funding is in the works for 2014.

Increasing online trust matters to Web businesses. Experts project that G-20 nations will spend $2 trillion on online retail sales in 2016. The number grows to $2.5 trillion if trust increases; it falls to $1.5 trillion if trust decreases. A problem facing the people trying to validate identities is privacy. “Privacy is increasingly complex as volumes of personal data grow,” Garcia said. Privacy along with civil liberties are fundamental, he added, so cybersecurity experts must figure out how to protect personal data as the norm while sharing only the necessary information to confirm persons.

Policy serves as a major impediment to many of the changes necessary to move online identity verification where NSTIC wants it to go. However, Garcia said policy is hard, but it matters. If written correctly, it will open doors to the broader market instead of promoting more stovepipes. “The rubber really hits the road in policy,” he stated.

The NSTIC and biometrics can combine, but the market will decide if that happens, Garcia explained. Any solution must be adopted by the common market. And despite announcements last week that biometrics identification will be added to the next iPhone release, much policy change still must occur before biometrics pervades the consumer space, he added.