Technologies for trusted online identities put to the test
Grants totaling more than $9 million have been awarded to five innovative pilot programs for managing online identity under the National Strategy for Trusted Identities in Cyberspace.
The pilots, being conducted by government agencies, private companies and academic institutes, are a step toward the White House’s goal of creating a digital identity ecosystem that will make online transactions more secure and ensure personal privacy.
“The last couple of months we have transitioned from a start-up program and have achieved key milestones,” said Jeremy Grant, head of the NSTIC National Program Office, which is headed by the National Institute of Standards and Technology.
The Obama administration in 2011 released its National Strategy for Trusted Identities in Cyberspace, a framework for a system of voluntary, interoperable credentials that could be accepted by both government and businesses for online transactions. The goals are to enable more economic and government activity on the Internet while ensuring consumer privacy and security.
The program has established an industry-led steering group with 1,100 individuals from 450 companies and organizations. The first round of one- and two-year pilot grants is intended to help almost-ready identity management schemes and technologies make the transition to real-world deployment.
“What we are trying to do is catalyze the marketplace,” said Grant.
Although technologies for strong authentication already are in use, the challenge with the growth of the Internet has been to make them scale for broad adoption. The user ID and password combination widely used today rapidly becomes burdensome both for users and administrators when strong passwords are required across multiple accounts. Tokens and digital certificates are expensive when used for one-off applications and complex to manage when used for multiple applications.
NSTIC wants to develop a commercial environment capable of leveraging the advantages of multiple interoperable schemes, making them affordable and secure for agencies as well as businesses.
Grant cited four main hurdles to widespread adoption of strong digital authentication:
- Privacy. Organizations providing and authenticating online credentials must be able to exchange information with parties relying on those credentials while maintaining the user’s privacy. Exposure of personal information must be limited.
- Usability. Any widely adopted scheme must be easy both for end users and relying parties to manage. Maintaining secure passwords for multiple accounts already is a headache; multi-factor authentication can be even more cumbersome. “In the commercial space, it’s a hard sell,” Grant said.
- Interoperability. This is tied to cost as well as scalability. It can be difficult to justify the expense of single-use credentials. Standards-based, interoperable schemes can increase value by making them accepted for multiple purposes.
- Liability. Who is responsible when something goes wrong? Industry wants a level of regulatory certainty so that financial risk can be identified, mitigated and accepted, and this will require laws and regulations.
NSTIC is a balancing act between public- and private-sector initiatives. Although government and the national economy stand to benefit from strong and scalable online identity verification, stakeholders agree that if government tries to run the show, it will fail.
“The role of government is to spur development of these things” through funding and a favorable regulatory climate, said Phillip Soloweszyk, CTO of Dell’s public sector group. The grant programs are a step in that direction. “Instead of development coming in a silo, we see government and industry working together,” he said.
The grants, which range from about $1.6 million to $2 million each, are an affordable and effective way to spur development, Soloweszyk said. “Enough to show we really mean it.”
The five grantees were selected from 186 applications. Grant said those selected all include a broad range of collaborating partners working in health care, retail, banking, government and education, and are not R&D efforts.
“They are focused less on developing new technologies than on taking leading edge technologies and getting them into the hands of the public,” he said. All of the programs include plans for moving from the pilot stage to a production phase.
Grant said three to four additional rounds of pilot funding are anticipated, depending on budgets for the coming years. At that point the program office expects to begin winding down. “We have actually planned for our own demise,” he said.
Programs in the first round are: The American Association of Motor Vehicle Administrators, Criterion Systems, Daon Solutions, Resilient Network Systems and the University Corporation for Advanced Internet Development (Internet2).
NEXT: What each of the programs are doing to test trusted identity solutions.