'Identity ecosystem' to replace passwords, draft strategy suggests

White house plan would base authentication on trusted digital identities

Imagine signing on to your computer, logging onto a secure Web site or handling a sensitive document electronically -- all without needing a user name or password.

The draft national strategy for building a new “identity ecosystem” that the Obama administration released June 25 would accomplish that, according to its developers. The ecosystem would base authentication on trusted digital identities instead.

The plan, named the National Strategy for Trusted Identities in Cyberspace, would lay a blueprint for an online environment in which online transactions for both the public and private sectors are more secure and trusted. The strategy identifies the federal government as “primary enabler, first adopter and key supporter” of the identity ecosystem.

In the language of the strategy, "In the envisioned identity ecosystem individuals, organizations, services, and devices would be able to trust each other because authoritative sources establish and authenticate their digital identities." What that means in real terms is that trusted providers such as a bank would issue security credentials that would then be accepted by other online resources such as social networking sites and e-mail providers. Rather than using a user name and password, the person would have the crediential on a device that would authenticate his or her identity to the computer and, by extension, to services that accept the credential. The strategy includes references to smart cards, USB drives, mobile devices, software certificates and trusted computing modules as possible authentication technologies.

The strategy provides a hypothetical case of of a woman whose husband has recently been in the hospital. She is able to access his medical information using her cell phone because everyone involved in the information exchange uses a "trustmark" that signifies they adhere to the identity ecosystem framework.

Related stories

White House plans strategy for better cyber authentication

The urgency behind solving the cyber identity problem

The woman would have established her digital identity when she subscribed to a cell phone service plan, and the phone carrier would have verified her identity based on defined standards and issued her a credential on her cell phone that she could use within the ecosystem. The hospital and her husband's primary care provider, in turn, would have validated and maintained the appropriate attributes needed to release the information. And at the very beginning of the process, her husband would have provided her name and phone number to the hospital and signed the needed documents to authorize release of his information.

“No longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to log into various online services,” White House Cybersecurity Coordinator Howard Schmidt said in a post on the White House blog. “Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential…from a variety of service providers – both public and private – to authenticate themselves online for different types of transactions.”

Schmidt’s office has been leading the effort and will continue to do so. The Homeland Security Department is collecting public comments on the plan through July 19. Schmidt said the strategy will be finalized this fall.

Officials say participation in the identity ecosystem must be voluntary. The draft document breaks the ecosystem down into execution, governance and management layers and explains how individuals, companies, and government would benefit from that online environment. For example, the document says individuals would get more security, efficiency, privacy and choice.

The document says goals for the strategy are to:

  • Develop a comprehensive identity ecosystem framework.
  • Put in place an interoperable identity infrastructure aligned with the identity ecosystem framework.
  • Bolster willingness to participate in that ecosystem.
  • Ensure the long-term success of the ecosystem.

The strategy also lays out high-level priority actions:

  • Designate a federal agency to lead the public/private sector efforts.
  • Develop a shared, comprehensive public/private sector omplementation plan.
  • Accelerate the expansion of federal services and policies that align with ecosystem.
  • Work among industry and government to put enhanced privacy protections in place.
  • Coordinate the development of risk models and interoperability standards.
  • Deal with liability worries of people and service providers.
  • Perform outreach and awareness activities.
  • Continue collaborating in international efforts.
  • Identify other ways to push for adoption of the identity ecosystem nationwide.

“There is a compelling need to address these problems as soon as is practical, making progress in the short term and planning for the long-term,” the document concludes. “For the nation to realize the vision of this strategy and associated benefits, all stakeholders must come together in a collaborative partnership.”


About the Author

Ben Bain is a reporter for Federal Computer Week.

inside gcn

  • When cybersecurity capabilities are paid for, but untapped

Reader Comments

Wed, Mar 16, 2011 vaughn Utah

This is scary as hell. It sounds good as explained in this article but have any of you READ the proposal? Think about it this way; the government is proposing a system that will protect our identities from anyone but the government. the govt will monitor every financial transaction made with anyone who opts-in. If anyone opts-in they will then HAVE to use the ID Ecosystem to do business. More government oversight and control is a BAD THING! This is not something the government should be handling. It should be handled by private industry. It should be something the government encourages outside, third party businesses to maintain. Remember my words as this is implemented and watch the increased control the govt takes over our financial lives. Remember the words in the book of Revelation about not being able to buy or sell without the mark of the beast. I know many of you just laughed at that comment, but hey, it's going down before our eyes.

Mon, Jul 12, 2010 John Q.

I believe this is a very worthy effort. Based on the overwhelming mistrust of government displayed in previous comments, the nay-sayers here appear to have no clue about or willingness to speak to the technology being discussed here. First off, this is not a matter of the government controlling individual Identities or Privacy- it is simply government policies driving the coordination of industry best practices for issuance and usage of Digital Identities. For the most secure requirements, use of a hardware based platform (Tokens or Smartcards) will allow the individual to have multiple highly secure Digitial Identities (for multiple uses) linked to Private Keys that will be created by and stored by the the individual on that secure platform, which will require additional user input of a Private PIN for use. With proper PIN assignment and management policies, if the user loses the hardware (token or smartcard), there is minimal risk of it being usable by any finder. Additionally, Individual credentials can be revoked by the User or the Issuer, blocking further access to the systems dependent upon those credentials. The draft stategy also promotes the issuance and use of these credentials with Online Government Services, which will help pave the way for Industry adoption for other uses. None of this is new technology (or re-inventing the wheel)- there are 10's of millions of users of this technology worldwide today. Additionally, US Industry has actually been promoting similar types of services for years (search on Identrust, Wells Farge PKI, SAFE-BioPharma for a few examples) for high value transactions. This draft strategy simply seeks to move proven technologies forward for individuals citizens. It is high time that the US move forward with a strategy to adopt more secure Digital Identities and I applaud all efforts put into this project.

Thu, Jul 8, 2010 Silver Fang

I think this is a horrible idea! Letting the government guard our privacy is like letting the fox guard the hen house. Government needs to stay the hell off our Internet and leave us alone!

Thu, Jul 8, 2010 Karla X

I haven't heard anyone complaining about using passwords. In fact I feel secure with me being the only one that knows MY password. This whole plan sounds like another attempt of the Obama administration to intrude and take away another one of our rights to freedom of privacy and CHOICE!

Mon, Jul 5, 2010

I would suggest that the Federal government practice by securing our borders...

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group