Single sign-on, trusted identities move closer to reality
Revised with clarifications, Feb. 8, 2013, 5:30 PM.
It could well be that 2013 is the year when single-user sign-on, managed through the cloud, starts making real progress in government. And if it works for public-sector employees, it could be extended to give everyone access to a trusted, interoperable identity.
That’s more or less the goal of the President’s National Strategy for Trusted Identities in Cyberspace. And that’s just one indication that this is moving forward.
The National Institute of Standards and Technology is hosting a conference this month to solicit ideas on how such a program could be implemented, with the goal of setting up standards and policies managed by the independent Identity Ecosystem Steering Group, that would ensure that private identity providers are maintaining consistent security and privacy for the personal information they are storing.
The Postal Service is soliciting bids from vendors to run a pilot program to create a trusted and easily managed means of allowing citizens to access government services without establishing authentication directly with agencies. NSTIC also has awarded grants for five other pilot programs, each working on a different aspect of an identity ecosystem.
Even Microsoft is getting into the act with the release of a new single sign-on preview for Windows Azure, Office 365 and e-mail programs, according to GigaOm. Microsoft rival Google already has been showing a form of this, with users able to log into one service, such as Google+, and have their identity carry over when they use Gmail and other products. Those credentials can even be used to verify user identities with third-party programs.
Although the shape and exact form of a trusted identity ecosystem is still being worked out, everyone seems to be moving in the same direction in few key areas. So we can safely describe some of the advantages of such a system, and also how it would probably work in certain areas.
The Postal Service program would allow development of a privacy-enhancing technical solution to allow citizens to use digital credentials they already obtained from government-approved commercial identity providers to access federal government services online.
Once a Trusted ID system was in place, users who wanted to do something like online banking, or even something as mundane as post a comment on a blog, the site could ask if the user had a Trusted ID. Or, a lower-ranking identity credential could be used, especially if the transition did not require such a high degree of security, thus further protecting personal information. That ID would be used instead of forcing a user to register with the site or looking through a long list of passwords if one was already set up. And, many transactions that previously required face-to-face meetings, like signing a mortgage document, could be conducted remotely because the identity of the user would already have been established.
This is better procedure from a security standpoint as well, because each business wouldn’t need to collect personal information for each user and then keep it safe. Instead, that information would be stored by the any number of private identity providers who would follow the standards setup by the Identity Ecosystem Steering Group. Users would need only to supply their Trusted IDs to prove who they were, not their actual personal information. The business on the other end would trust the information provided, since the identity management firms followed the government standards for security and record-keeping.
The technology to make this happen isn’t too far fetched, and is already being used in small doses. For example, many blog programs today ask users to verify themselves using a Google or Open ID. The blog doesn’t really need much in the way of information, just proof that a user is a human being and not a bot, so it easily accepts the Google ID even though it’s not actually associated with Google in any way. But it knows that Google has already verified the user, so it accepts that level of trusted ID.
And Microsoft actually has four different levels of trusted ID working already, from a simple Windows single sign-in system all the way up to an enterprisewide identity engine.
Of course, something like an online banking program would require the highest level of trust, but presumably that is the type of system that would be built, or at least backed, by the federal government. With NSTIC’s pilot programs and commercial providers all pulling in the same direction, single sign-on systems just might be on the horizon.