The federal government's National Strategy for Trusted Identities in Cyberspace (NSTIC) program is trying to identify more secure alternatives to simple passwords that the government as well as anyone else might use in authenticating to online applications.
The federal government's National Strategy for Trusted Identities in Cyberspace (NSTIC) program, set up this spring, is making progress against its goal of identifying and supporting more secure alternatives to simple passwords that the government as well as anyone else might use in authenticating to online applications.
"We're trying to get rid of passwords. It's time for something better," says Jeremy Grant, senior executive adviser at the National Program Office for NSTIC, located at the National Institute of Standards and Technology. The federal government, he says, can lead in working with industry on better types of authentication for large-scale use that may be deemed preferable to passwords. The next step in this project involves setting up a steering committee with industry to foster consensus on standards and guidelines, with a slew of pilot projects expected next year, based on current budget expectations.
Though the budget process is not complete, the Obama administration has $25 million allotted for the NSTIC program, and out of that, "$17.5 million is for pilots," says Grant, adding, "We haven't published yet what the criteria will be." However, the idea at present is to conduct about half a dozen pilot projects for strong authentication, making the funds available perhaps through a grants process.
The ambitious NSTIC program envisions an "identity ecosystem" of the future where there will be established ways to clearly assess identity in issuing credentials through approved assessors. Grant says the government is looking to private industry to take the lead on that in general. And though there will likely need to be standards and specifications for any identity ecosystem, especially in order to foster interoperability, Grant says NIST won't be writing these standards but trying to play the role of "facilitating the creation of consensus-based standards."
Grant says "the government is uniquely qualified to tackle the problem" of ushering in ways citizens could use stronger authentication than passwords not only in their necessary interactions online with the government but also perhaps in business as well. But the private sector is being given the lead in technologies for this because under NSTIC, "we're trying to get the government out of the identity business." But he says the government does want to make sure whatever comes about is done with suitable privacy safeguards -- plus complex legal and policy issues may well have to be sorted out.
Grant acknowledges that in trying to find common ground on which the high-tech industry and privacy advocates such as the Center for Democracy and Technology can all somehow stand together isn't necessarily easy, noting it can feel like "one of the largest cat-herding challenges of all time." He adds "there will be no central database under NSTIC," though if the government adopts NSTIC-approved services in the future for its own use, there would probably be a need to keep an audit trail for purposes of security.
"We can be an early adopter," he says, noting this would help the government bring online applications to the public that it can't do today because a password is simply not strong enough authentication.
"Passwords not only don't help provide much security, in many cases they can put the consumer at risk," says Don Thibeau, chairman of the Open Identity Exchange (OIX), whose membership -- which includes Google -- interacts with the federal NSTIC program. (OIX was set up as a sister organization to the OpenID Foundation, for which Thibeau serves as executive director.)
There's a need for "Internet identity standards on an Internet scale," says Thibeau. OIX is presenting its ideas related to OpenID and OAuth specifications, and its membership is interested in participating in pilot projects under NSTIC. But Thibeau also expects to see the private sector doing a few of its own pilot projects later this year with OIX sponsoring some interoperability and security pilots between Google, AOL and Hotmail email systems. The goal is to try to "define best practices for security on a cross-platform basis." He adds: NSTIC is "challenging security architects to come up with new thinking."