Can the Obama administration fix your identity management problems?
Too many passwords and usernames for websites, and what level of assurance is there in the identity of the individual anyway? How can anyone prove their age online? Back in April, the White House took on these tough questions when it announced its "National Strategy for Trusted Identities in Cyberspace" initiative, now known as NSTIC.
The White House pledged to work with industry to establish an "identity ecosystem" of approved processes and technologies: a new way to issue digital credentials to end users, whether consumers, businesses or the federal government.
The idea is to pave the way for a higher level of trust in online communication. As President Obama put it in his opening preface to the NSTIC document, "The potential for fraud and the weakness of privacy protections often leave individuals, businesses and government reluctant to conduct major transactions online. For example, providing patients with access to their medical records from their home computers requires that hospitals be able to confidently identify that patient online." The goal of the NSTIC strategy, he said, is to find something a lot better than "insecure passwords" in order to make "online transactions more trustworthy."
But is NSTIC going to be the next big thing in identity credentialing, or just another idea that comes to naught in a federal bureaucracy caught in the grip of a debt-reduction spiral and the headwinds of a coming political election season?
There's now a National Program Office for NSTIC at the National Institute of Standards and Technology, headed by senior executive adviser Jeremy Grant. Workshops have been held, attended by a crowd of vendors, including giants like Verizon and AT&T, with Google participating through the Open Identity Exchange, a sister organization set up by the OpenID Foundation. Other groups with identity-management savvy, including the Kantara Initiative (whose 80 members include CA, Oracle, AOL, the Information Card Foundation, the Boeing Company and the National Notary Association), are making their voices heard. The expectation is that the NSTIC office will soon form a steering committee and fund pilot projects.
"We want to make it easier for everyone to do business online," says Mark Shapiro, senior strategist in the area of identity and access management at Verizon, about what he sees as the NSTIC's goals, which include setting standards of some kind for establishing trust in an issued credential, though it's still uncertain what form they will take. Shapiro says Verizon, which has long-time experience in issuing public-key identity certificates to the government, wants to be part of any "identity ecosystem" that finally takes shape.
"Actual authentication of that person could take multiple forms," Shapiro says. "Say, I hit the Best Buy site and you want to log in, you do it with a Verizon ID," and an array of other checks could come up, perhaps generating a one-time password to a mobile phone that could be entered.
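To make the step-up Shapiro sketches concrete, here is an added example (written for this page; not code from the article, from Verizon or from NSTIC) of the server side of a code sent to a phone after the initial login: the code is unpredictable, stored only as a keyed hash, expires, is single-use and tolerates a bounded number of guesses. The pepper, the limits, the subject names and the `send_sms` hook are constructed for illustration; actual delivery to the handset and the first-factor "Verizon ID" login are out of scope.

```python
import hashlib
import hmac
import secrets
import time

# Constructed settings for this example; a real deployment would load the
# pepper from a secret store and tune the limits to its own risk model.
PEPPER = b"example-server-pepper-not-for-production"
CODE_DIGITS = 6
TTL_SECONDS = 300      # a code is good for five minutes
MAX_ATTEMPTS = 3       # then the challenge is discarded and must be re-issued


def _digest(subject, code):
    """Keyed hash of the code, so the pending-challenge store never holds a
    code an attacker who reads the store could replay."""
    return hmac.new(PEPPER, f"{subject}:{code}".encode(), hashlib.sha256).digest()


class OtpStepUp:
    """Server-side handling of a code sent to the user's phone: single use,
    short lifetime, bounded guesses, constant-time comparison."""

    def __init__(self, send_sms):
        self._send_sms = send_sms   # hypothetical delivery hook: (phone, text) -> None
        self._pending = {}          # subject -> {"digest", "expires", "attempts"}

    def issue(self, subject, phone, now=None):
        now = time.time() if now is None else now
        # secrets, not random: the code must be unpredictable to an attacker.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # Re-issuing replaces any earlier challenge, so one code is valid at a time.
        self._pending[subject] = {
            "digest": _digest(subject, code),
            "expires": now + TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone, f"Your login code is {code}")

    def verify(self, subject, code, now=None):
        """Return True exactly once, for the right code inside its lifetime."""
        now = time.time() if now is None else now
        rec = self._pending.get(subject)
        if rec is None:
            return False
        if now > rec["expires"]:
            del self._pending[subject]
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[subject]      # too many guesses: force a fresh challenge
            return False
        ok = hmac.compare_digest(rec["digest"], _digest(subject, code))
        if ok:
            del self._pending[subject]      # single use: a replay now fails
        return ok


if __name__ == "__main__":
    outbox = []
    otp = OtpStepUp(lambda phone, text: outbox.append(text))
    otp.issue("alice", "+1-555-0100")
    code = outbox[-1].split()[-1]
    print("first use:", otp.verify("alice", code))    # True
    print("replay:", otp.verify("alice", code))       # False
```

The attempt counter is what turns a six-digit code from a million-guess brute force into a three-guess one, and the keyed hash means a leaked pending-challenge table does not leak live codes; both are easy to forget when the code is treated as "just an SMS".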
The NSTIC meetings are trying to focus on ways to protect privacy and keep things user-centric. "The mechanisms are probably tied back to some degree of trust level," he says, adding, "It's agreed-upon that the government will not be in the role of repository and identity provider. The private sector can do that better." Shapiro says he's optimistic the NSTIC program will survive the political storms of Washington because there's nothing in it that's "partisan."
"Kantara has an established process of managing the issuance of identity credentials and assessing identity," says Richard Wilsher, CEO of Zygma, a Kantara member who is part of the Kantara sub-group that presented formal comments to the NSTIC office last month. "We need competent assessors" who can do "identity proofing and vetting of credentials," Wilsher says. He says the government's intentions in NSTIC are to "push the problem into the hands of industry but purchase services from industry."
Wilsher says an assurance model for trusted identities could have four levels, from low to high, with PKI used for the higher ones. NIST may be the one to develop the NSTIC standards, which could be specified at the design level or as an API, but he says the work could also be done outside NIST.
Kantara has already accredited one identity assessor, eValidat8, with more under review. One Kantara participant, the SAFE-BioPharma Association, whose more than two dozen members include Abbott, Pfizer and Eli Lilly, wants reliable credentials so its members can conduct business with each other, Wilsher says.
With NSTIC, "it's essential to have pilots" to show that any federally blessed identity ecosystem really works in the real world, he says, adding that interoperability should be an essential element of how it all works.
Security questions are already haunting this nascent federal initiative. For instance, it seems likely that massive databases about individuals, their credentials, where they might be accepted online, and so forth could proliferate, at least in private industry. The government would likely retain a database covering its own employees. "Are the gains of having the processes greater than the risk of exposure?" asks Wilsher, noting the concerns are certainly there already.
Online identity, still largely based on reusable passwords, "is horribly broken," says Paul Simmonds, co-founder and board member of the Jericho Forum, which operates under the aegis of the Open Group. Simmonds has been closely watching the identity-ecosystem effort unfold in Washington, and the prospect of giant databases being built around it worries him.
Passwords were risky enough when the corporate network of old was in the hands of the IT department, but that is increasingly not the case today as cloud services proliferate, he points out. Lack of a trusted-identity framework is hurting businesses, he says. "Banks will tell you what's killing them is lack of strong identity. We've ignored the technology. Now we need to take it back to first principles."
The Jericho Forum recently published its own foundation principles for identity, in the "Ten Commandments" format that has rallied its membership in the past on other debated issues, such as its contention that the perimeter firewall is an outmoded idea. Among these "identity commandments" are ideas such as "all core identities must be protected to ensure their secrecy and integrity."
"The core identity is you," Simmonds says. "Your human core identifier is your face. The key trick is the only one who can use it is you."
Simmonds believes that once a strong identifier such as a face biometric is established, "It allows you to create a persona and link to it. The important thing is you can't go back up the tree to the root."
He says the kind of identity ecosystem that would be preferred is one that doesn't depend on giant databases of information but relies simply on trusted and secure registration of a core identity, and perhaps use of technologies like chip-based cards. "They don't need to know who I am or anything about it. I can prove immutably I'm me." In a one-way chain of trust, a name is simply an attribute, but personas could change based on what the individual wanted, including anonymity. "It's under the user's control and allows you to separate your life up," Simmonds points out.
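As an added illustration of the one-way chain Simmonds describes (example code written for this page, not anything published by the Jericho Forum), the sketch below derives personas from a core secret with a one-way function and per-site keys from each persona, so a relying party holding a persona's key still cannot compute the root, cannot reach the holder's other personas, and learns only the attributes the holder chose to attach. The chip-card registration, the 32-byte root, the site names and the `RelyingParty` class are assumptions; the article specifies none of them, and HMAC stands in for the asymmetric key a real design would use so that the site never holds the holder's secret at all.

```python
import hashlib
import hmac
import secrets


def _derive(key, purpose, data):
    """One-way step down the tree: HMAC-SHA256 keyed by the parent secret.
    Knowing the child value gives no way back up to the parent."""
    return hmac.new(key, purpose + b":" + data, hashlib.sha256).digest()


class CoreIdentity:
    """Holder-side root. The article does not say how the core identity is
    registered; here it is assumed to be a 32-byte secret sealed in a chip
    card, which only ever emits derived values, never the root itself."""

    def __init__(self, root_secret=None):
        self._root = root_secret if root_secret is not None else secrets.token_bytes(32)

    def persona(self, label):
        return Persona(label, _derive(self._root, b"persona", label.encode()))


class Persona:
    """A branch of the tree. Each relying party gets its own pairing key,
    so two sites cannot match their records for this persona to each other."""

    def __init__(self, label, secret):
        self.label = label
        self._secret = secret

    def _pairing_key(self, rp_name):
        return _derive(self._secret, b"rp", rp_name.encode())

    def identifier_for(self, rp_name):
        """Public handle the relying party stores at registration."""
        return hashlib.sha256(b"id:" + self._pairing_key(rp_name)).hexdigest()

    def pairing_key_for(self, rp_name):
        """Handed over once at registration (simplification: an asymmetric
        key would avoid sharing any secret; the standard library has none)."""
        return self._pairing_key(rp_name)

    def respond(self, rp_name, nonce):
        """Challenge-response proof of control; no name or root involved."""
        return hmac.new(self._pairing_key(rp_name), nonce, hashlib.sha256).digest()


class RelyingParty:
    """A site that learns only a per-site identifier, a per-site key and
    whatever attributes the holder chose to attach (possibly none)."""

    def __init__(self, name):
        self.name = name
        self._registered = {}   # identifier -> (pairing key, attributes)

    def register(self, persona, **attributes):
        ident = persona.identifier_for(self.name)
        self._registered[ident] = (persona.pairing_key_for(self.name), dict(attributes))
        return ident

    def challenge(self):
        return secrets.token_bytes(16)

    def authenticate(self, identifier, nonce, response):
        """Return the registered attributes on success, None otherwise."""
        rec = self._registered.get(identifier)
        if rec is None:
            return None
        expected = hmac.new(rec[0], nonce, hashlib.sha256).digest()
        return rec[1] if hmac.compare_digest(expected, response) else None


if __name__ == "__main__":
    core = CoreIdentity()
    work, anon = core.persona("work"), core.persona("forum")
    shop = RelyingParty("shop.example")
    shop.register(work, name="A. Example")   # a name is just an attribute
    shop.register(anon)                      # this persona reveals nothing
    nonce = shop.challenge()
    print(shop.authenticate(shop.register(work, name="A. Example"), nonce,
                            work.respond(shop.name, nonce)))
    print(work.identifier_for("shop.example")[:16], anon.identifier_for("shop.example")[:16])
```

The property the page cares about falls out of the construction rather than of any database: the same card regenerates the same identifiers deterministically, so nothing central needs to remember the mapping, and a site that is breached gives up only its own pairing keys, which are dead ends for anyone trying to walk back to the root or across to another persona.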