Trusted Identities: Single sign-on or single point of failure?
Critics say NSTIC would amplify the impact of a security breach
- By Kathleen Hickey
- Feb 01, 2011
Critics continue to raise doubts about a new government online security strategy designed to eliminate multiple passwords for secure Internet sites.
In a forum on the topic earlier this month, U.S. Commerce Secretary Gary Locke said the National Strategy for Trusted Identities in Cyberspace, a public-private initiative, should be finalized within a few months. A draft of the strategy was released last June.
The forum was held in conjunction with the announcement of a new National Program Office within the Commerce Department to coordinate implementation of the program.
Described by the government as an “identity ecosystem,” NSTIC would allow users to have a single credential, such as a smart card or fingerprint reader, to access any website signed up with the program – eliminating multiple passwords and sign-ons. The government also envisions that the authentication system would allow users to limit the amount of information given according to the needs of the recipient. A pilot project funded by the European Union is testing a similar idea.
In theory, such a system could dramatically improve Internet security, reduce identity fraud and simplify online transactions. Weak passwords are not only a common security problem but frequently the biggest security problem. An analysis of hacked Gawker passwords found “123456” and “password” to be the most common passwords.
Some, however, are leery of the idea. J.D. Rucker of Techi, among others, compares the strategy to creating a single skeleton key that, if cracked, could cause a much greater security problem than a single-site password breach. The new system could also erode privacy, he writes, because companies could use the technology to gain access to additional data on users, either by sharing information among themselves or by demanding additional information from individuals in the name of improving security. And because the system is being introduced by the government, writes Rucker, many individuals may be lulled into a false sense of security, believing it has appropriate safeguards in place to prevent security and privacy issues.
Mark Gibbs of Network World echoed Rucker’s sentiments, describing NSTIC as “ridiculous.”
“One serious data breach would provide a field day for the bad guys.… And all of this would be because the wonks at [the National Institute of Standards and Technology] think they can do what enterprises with far more experience in hardcore IT have learned the hard way: that unified security is incredibly difficult to implement even for a few thousand people. For tens of millions of citizens, it would be effectively impossible!” he writes.
In response to critics, the government has been adamant that NSTIC will not be a new national ID program.
“NSTIC does not advocate for a required form of identification,” states a NIST website on NSTIC. “Nor will the U.S. government mandate that individuals obtain an Identity Ecosystem credential (i.e., digital identity).... This new Identity Ecosystem is meant for sensitive transactions that require authentication and would keep transactions anonymous when a trusted ID is not needed.”
As an added safeguard, the voluntary system will not have a central user database. Instead, separate, nongovernmental companies will be responsible for managing their data. A user OK’d by one entity would be presumed safe by an affiliate.
“NSTIC could go a long way toward advancing one of the fundamental challenges of the Internet today, which is, ‘Who do you trust?’” said Don Thibeau, chairman of the Open Identity Exchange, in a BusinessWeek article. “This gives us the rules, the policies that we need to really move forward.”