Too Many Passwords? NIST Exploring Identity Standards
Washington Business Journal; Phoenix Business Journal, April 22, 2011
The White House released its strategy for developing an "identity ecosystem" on the Internet, where individuals could use a single credential to prove who they are instead of remembering multiple passwords.
The National Strategy for Trusted Identities in Cyberspace promises to make Internet transactions more convenient and secure. Services that are too sensitive to be conducted online now – such as signing mortgage documents – could move to the Internet. Consumers could choose from a variety of innovative identity credentialing services. Small businesses could avoid the cost of building their own log-in systems for e-commerce.
That's the vision, anyway. Some privacy advocates, however, fear that online credentials could increase identity theft if they aren't implemented with strong enough privacy protections.
Under the strategy, the National Institute of Standards and Technology will work with the private sector and consumer advocates to develop standards for voluntary online credentials. Companies that meet those standards would then offer a variety of accredited identity credential options to Internet users – for example, a smart card, a unique piece of software on a smartphone, or a token that generates a one-time digital password. Users could then use this credential to conduct transactions on any website.
Internet users who are just browsing or posting comments online could remain anonymous.
The government's role in developing online credentials will primarily be that of facilitator. NIST will hold three workshops, beginning in June, on issues such as standards for credentials, how the accreditation process for these credentials should work, and privacy safeguards. It also will launch pilot programs to test some of the concepts developed by a steering group that will be led by the private sector.
"Working together, innovators, industry, consumer advocates, and the government can develop standards so that the marketplace can provide more secure online credentials – while protecting privacy – for consumers who want them," said U.S. Commerce Secretary Gary Locke.
He expects this effort "will jump-start a range of private-sector initiatives to enhance the security of online transactions."
Wave Systems Corp., a data protection company based in Lee, Mass., welcomed the initiative. Its solutions use security capabilities already built into computer hardware.
"More than 400 million PCs today have built-in hardware security called a Trusted Platform Module, which serves as a secure vault to hold digital credentials," said Wave Systems CEO Steven Sprague. "Instead of having to remember dozens of passwords, users can log in to their device, and their device logs them in to their online accounts."
Such a system would require strong privacy protections to guard against ID theft, according to Identity Finder, an ID protection and data-loss prevention company based in New York.
"We all have Social Security cards, and it took decades to realize that we shouldn't carry them in our wallets," said Aaron Titus, Identity Finder's chief privacy officer. "Now we will have a much more powerful identity credential that lets us carry it in our wallets, phones, laptops, tablets, and other computing devices.
"The stakes are high, and if implemented improperly, an unregulated identity ecosystem could have a devastating impact on individual privacy," Titus said.
Privacy advocates were pleased that the credentials system will be voluntary. Plus, since the credentials will be provided by a variety of sources, there will be no single, centralized database of personal information.
"Having a single issuer of identities creates unacceptable privacy and civil liberties issues," Locke said.
"There's no doubt the vision is right," said Leslie Harris, president and CEO of the Center for Democracy and Technology.
The question is whether the private sector will step up and do what's necessary to make sure consumer privacy continues to be protected. Since technology will continue to evolve, the government will have to stay involved with the industry-led credentialing process, said Susan Landau, a fellow at the Radcliffe Institute for Advanced Study at Harvard University and a former senior staff engineer at Sun Microsystems Inc.
Harris said government officials should bring a spray bottle and catnip to these meetings.
"It's going to require a level of cat herding and staying on it for the government," she said.