ID management’s weakness: ‘There is no demand’

The technology for strong authentication is there, but adoption is a challenge

The administration is putting the final touches on its National Strategy for Trusted Identities in Cyberspace (NSTIC), which is intended to lay the foundation for a digital ecosystem to better manage online identities, but it could face an uphill battle in public adoption.

Schemes for strong authentication have come and gone over the last 20 years, from the ill-fated Clipper Chip to digital signatures, because there has been no consumer demand for them, said James Lewis, director and senior fellow of the Center for Strategic and International Studies’ technology and public policy program.

“How do you get people to buy what they don’t want?” Lewis asked Thursday during a conference on ID management hosted by the Digital Government Institute. “There is no demand for better identity.”

The technology exists to provide strong online authentication, said both Lewis and Homeland Security Department CIO Richard Spires. The trick is to make it scalable, interoperable and easy to use. The public has generally resisted authentication technology more complex than user names and passwords, except when it is required.

Even when a technology is required, implementation can be a challenge. A case in point is the government’s Personal Identity Verification Card, mandated for executive branch employees and contractors by Homeland Security Presidential Directive 12 in 2004. Lewis called HSPD-12 a “powerful success” that “lays a foundation for strong authentication in the future.”

But for the time being it still sees limited use in much of government and demonstrates the difficulty of making a large-scale identity management program work.

Seven years after the directive, “we’re finally making some progress as DHS,” in issuing the PIV Card, Spires said. Some 180,000 cards have been issued to employees and contractors, primarily in the National Capital Region near Washington. But that is the low-hanging fruit, and issuing cards to all the department’s geographically dispersed workers “is a daunting exercise” that could take years to complete, Spires said.

Issuing the cards is only the first step. Making use of the card’s functionality for physical and logical access control is a separate issue.

“We are going to mandate the use of the card for logical access” at DHS headquarters this fiscal year, Spires said. At least, “that’s our goal. We are trying to make it happen.”

DHS agencies, including the Federal Emergency Management Agency and Immigration and Customs Enforcement, have what Spires called aggressive plans to implement logical use of PIV Cards, but that remains several years out, he said.

Authenticating non-government personnel is a separate matter. The DHS Identity Credentialing and Access Management Program Management Office is working to develop a two-factor authentication model for non-federal access to DHS resources for information sharing. Access to networks now is based on user name and password, and “there are significant issues because of that,” Spires said.

Which technology will be used to enable two-factor authentication has not yet been decided, Spires said. “We are looking right now at a number of different solutions.”

A draft of the NSTIC was released last summer and a program office has been established in the Commerce Department. The strategy does not define the technology to be used, but sets out four guiding principles:

  • The identity solutions must be secure and resilient.
  • They must be interoperable.
  • They will be voluntary.
  • They must be cost effective and user friendly.

The strategy also is defining what it is not. “NSTIC does not advocate for a required form of identification,” says a FAQ on a NIST website explaining the program. “Nor will the U.S. government mandate that individuals obtain an Identity Ecosystem credential (i.e., digital identity). . . . This new Identity Ecosystem is meant for sensitive transactions that require authentication and would keep transactions anonymous when a trusted ID is not needed.”

In order to spur adoption of strong authentication tools, Lewis said the strategy will have to specifically lay out the benefits of the scheme, define a mechanism for assigning liability for the misuse, abuse or theft of credentials, and define the government’s role in the new ecosystem.

One model for the new identity ecosystem could be the credit card, Lewis said. It is voluntary, widely adopted, user friendly, and even though it does not provide strong authentication, liability for misuse has been defined by government regulation and accepted by the financial services industry.

Any new scheme for trusted identities will have to clearly identify benefits beyond those currently offered by credit cards.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Wed, Feb 23, 2011

ditto to first comment, see Hegelian Dialectic

Tue, Feb 15, 2011

How to make a demand? - Create a crisis: terrorism. - Create a public nuisance: TSA - Offer a special ID as an alternative to TSA abuse!

Sat, Feb 5, 2011 Robert "Bob" Donelson Washington DC

What a Difference 24 Hours makes in a Story and How Can it Be that the CIO of DHS can be so far out of Step with the Policy that just came out of DHS and OMB on making FICAM Normative and Accelerate the Use Across all Logical Access. OMB Memorandum 11-11 is such a different direction for DHS as well as the rest of the Government than the Interviewed Professionals in this Article seem to Grasp.

Fri, Feb 4, 2011 RW

It would be nice if the HSPD-12 credential was truly functional at other organizations. However, e.g., the Pentagon security DEMANDS two forms of ID, HSPD-12 or not. (January 2011)

Fri, Feb 4, 2011 Betty Pierce, GSLC Colorado

James Lewis hit the nail on the head again, and the posted comments also make good points. Agree that the 'not invented here' mindset is an outmoded approach that is costly and should be strongly discouraged... The example of the USDA success in rolling out a flexible, architected solution that results in achieving the objectives of HSPD-12 while saving costs translates to a very good candidate for replication...