ID management’s weakness: ‘There is no demand’
The technology for strong authentication is there, but adoption is a challenge
The administration is putting the final touches on its National Strategy for Trusted Identities in Cyberspace (NSTIC), which is intended to lay the foundation for a digital ecosystem to better manage online identities, but it could face an uphill battle in public adoption.
Schemes for strong authentication have come and gone over the last 20 years, from the ill-fated Clipper Chip to digital signatures, because there has been no consumer demand for them, said James Lewis, director and senior fellow of the Center for Strategic and International Studies’ technology and public policy program.
“How do you get people to buy what they don’t want?” Lewis asked Thursday during a conference on ID management hosted by the Digital Government Institute. “There is no demand for better identity.”
NIST: National ID is not part of 'identity ecosystem'
Internet ID system challenge: Balance security and privacy
The technology exists to provide strong online authentication, said both Lewis and Homeland Security Department CIO Richard Spires. The trick is to make it scalable, interoperable and easy to use. The public has generally resisted authentication technology more complex than user names and passwords, except when it is required.
Even when a technology is required, implementation can be a challenge. A case in point is the government’s Personal Identity Verification Card, mandated for executive branch employees and contractors by Homeland Security Presidential Directive 12 in 2004. Lewis called HSPD-12 a “powerful success” that “lays a foundation for strong authentication in the future.”
But for the time being it still is seeing limited use in much of government and demonstrates the difficulty of making large-scale identity management program work.
Seven years after the directive, “we’re finally making some progress as DHS,” in issuing the PIV Card, Spires said. Some 180,000 cards have been issued to employees and contractors, primarily in the National Capital Region near Washington. But that is the low-hanging fruit, and issuing cards to all the department’s geographically dispersed workers “is a daunting exercise” that could take years to complete, Spires said.
Issuing the cards is only the first step. Making use of its functionality for enabling physical and logical access control is a separate issue.
“We are going to mandate the use of the card for logical access” at DHS headquarters this fiscal year, Spires said. At least, “that’s our goal. We are trying to make it happen.”
DHS agencies, including the Federal Emergency Management Agency and Immigration and Customs Enforcement, have what Spires called aggressive plans to implement logical use of PIV Cards, but that remains several years out, he said.
The issue of authenticating non-government personnel is a separate issue. The DHS Identity Credentialing and Access Management Program Management Office is working to develop a two-factor authentication model for non-federal access to DHS resources for information sharing. Access to networks now is based on user name and password, and “there are significant issues because of that,” Spires said.
What technology will be used for two-factor authentication will be enabled has not yet been decided, Spires said. “We are looking right now at a number of different solutions.”
A draft of the NSTIC was released last summer and a program office has been established in the Commerce Department. The strategy does not define the technology to be used, but sets out four guiding principles:
- The identity solutions must be secure and resilient.
- They must be interoperable.
- They will be voluntary.
- They must cost effective and user friendly.
The strategy also is defining what it is not. “NSTIC does not advocate for a required form of identification,” says a FAQ on a NIST website explaining the program. “Nor will the U.S. government mandate that individuals obtain an Identity Ecosystem credential (i.e., digital identity). . . . This new Identity Ecosystem is meant for sensitive transactions that require authentication and would keep transactions anonymous when a trusted ID is not needed.”
In order to spur adoption of strong authentication tools, Lewis said the strategy will have to specifically lay out the benefits of the scheme, define a mechanism for assigning liability for the misuse, abuse or theft of credentials, and define the government’s role in the new ecosystem.
One model for the new identity ecosystem could be the credit card, Lewis said. It is voluntary, widely adopted, user friendly, and even though it does not provide strong authentication, liability for misuse has been defined by government regulation and accepted by the financial services industry.
Any new scheme for trusted identities will have to clearly identify benefits beyond those currently offered by credit cards.