Trusted Identities: Single sign-on or single point of failure?

Critics say NSTIC would amplify the impact of a security breach

Critics continue to raise doubts about a new government online security strategy designed to eliminate multiple passwords for secure Internet sites.

In a forum on the topic earlier this month, U.S. Commerce Secretary Gary Locke said the National Strategy for Trusted Identities in Cyberspace, a public-private initiative, should be finalized within a few months. A draft of the strategy was released last June.

The forum was held in conjunction with the announcement of a new National Program Office within the Commerce Department to coordinate implementation of the program.

Described by the government as an “identity ecosystem,” NSTIC would allow users to have a single credential, such as a smart card or fingerprint reader, to access any website signed up with the program – eliminating multiple passwords and sign-ons. The government also envisions that the authentication system would allow users to limit the amount of information given according to the needs of the recipient. A pilot project funded by the European Union is testing a similar idea.

In theory, such a system could dramatically improve Internet security, reduce identity fraud and simplify online transactions. Weak passwords are not only a common security problem but frequently the biggest security problem. An analysis of hacked Gawker passwords found “123456” and “password” to be the most common passwords.

Some, however, are leery of the idea. J.D. Rucker of Techi, among others, compares the strategy to creating a single skeleton key that, if cracked, could cause a far larger security problem than the breach of a single site's password. The new system could also erode privacy, Rucker writes: companies could use the technology to gain access to additional data on users, either by sharing information among themselves or by demanding more information from individuals in the name of improving security. And because the system is being introduced by the government, he writes, many individuals may be lulled into a false sense of security, believing it has appropriate safeguards in place to prevent security and privacy problems.

Mark Gibbs of Network World echoed Rucker’s sentiments, describing NSTIC as “ridiculous.”

“One serious data breach would provide a field day for the bad guys.… And all of this would be because the wonks at [the National Institute of Standards and Technology] think they can do what enterprises with far more experience in hardcore IT have learned the hard way: that unified security is incredibly difficult to implement even for a few thousand people. For tens of millions of citizens, it would be effectively impossible!” he writes.

In response to critics, the government has been adamant that NSTIC will not be a new national ID program.

“NSTIC does not advocate for a required form of identification,” states a NIST website on NSTIC. “Nor will the U.S. government mandate that individuals obtain an Identity Ecosystem credential (i.e., digital identity).... This new Identity Ecosystem is meant for sensitive transactions that require authentication and would keep transactions anonymous when a trusted ID is not needed.”

As an added safeguard, the voluntary system will not have a central user database. Instead, separate, nongovernmental companies will be responsible for managing their data. A user OK’d by one entity would be presumed safe by an affiliate.

“NSTIC could go a long way toward advancing one of the fundamental challenges of the Internet today, which is, ‘Who do you trust?’” said Don Thibeau, chairman of the Open Identity Exchange, in a BusinessWeek article. “This gives us the rules, the policies that we need to really move forward.”

Reader Comments

Wed, Feb 2, 2011 steven sprague lee, ma

To avoid a single credential, leverage the device. NSTIC includes language to support the Trusted Computing Group standards to solve this problem. The solution is that you log into your device and then your device includes credentials (that are different for each service) that log you into each service. In this way the hardware security of your PC or your phone can be used to protect your access to the services you belong to. Trusted Platform Modules are on over 400 million PCs today. The challenge is that the services need to support access control with strong credentials. This is a good role for government to push those services that have sensitive data to use stronger methods of authentication. The trusted computing standards allow for isolation between credentials and strong privacy controls. The tools are there to manage lost or stolen devices and multiple devices and multiple users. It is time for a solution to the authentication challenge. Leveraging your devices is a great way to help. Not a silver bullet but a very strong move forward.
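The per-service credential idea in the comment above, as an added illustration that is not part of the article or the comment: one device-held root secret (standing in for a key a TPM would keep non-exportable) is expanded into a different credential for each service, so a credential leaked from one service says nothing about the others. The service names, the salt label and the HMAC challenge-response are constructed for the demo; real TPM-backed schemes use asymmetric keys so the service stores only a public key.

```python
import hashlib
import hmac
import os


def derive_service_key(device_secret: bytes, service: str) -> bytes:
    """Derive a per-service credential from the device-held root secret.

    Domain separation: the service name is mixed into the derivation, so
    knowing the key for one service gives no information about another.
    (HKDF-style extract-then-expand built from HMAC-SHA256; the salt
    label is a constructed constant for this demo.)
    """
    prk = hmac.new(b"nstic-demo-salt", device_secret, hashlib.sha256).digest()
    return hmac.new(prk, b"service:" + service.encode(), hashlib.sha256).digest()


def answer_challenge(service_key: bytes, challenge: bytes) -> bytes:
    """Device side: prove possession of the service-specific credential."""
    return hmac.new(service_key, challenge, hashlib.sha256).digest()


def verify(service_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Service side: constant-time check of the device's response."""
    return hmac.compare_digest(answer_challenge(service_key, challenge), response)


def isolation_demo(device_secret: bytes) -> tuple[bool, bool]:
    """Return (legitimate login works, leaked credential works elsewhere).

    Models the article's breach scenario: the credential stored by one
    service (here a constructed 'bank.example') is exposed, and the same
    material is presented to a second service ('mail.example').
    """
    bank_key = derive_service_key(device_secret, "bank.example")
    mail_key = derive_service_key(device_secret, "mail.example")
    challenge = os.urandom(16)  # fresh per login; prevents replay
    ok_bank = verify(bank_key, challenge, answer_challenge(bank_key, challenge))
    leaked_elsewhere = verify(mail_key, challenge, answer_challenge(bank_key, challenge))
    return ok_bank, leaked_elsewhere


if __name__ == "__main__":
    # Constructed device secret; a TPM would never release this value.
    print(isolation_demo(os.urandom(32)))  # (True, False)
```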
