
With passwords “broken,” US rolls out Internet identity plan

Lack of trust on the Internet is costing us billions, says the US government, …

At a US Chamber of Commerce event today, the federal government rolled out its vision for robust online credentials that it hopes will replace the current mess of multiple accounts and insecure passwords. The choice of the Chamber of Commerce wasn't an accident, either; the government wants to squelch any talk of a "national Internet ID card" and emphasize that the plan will be both voluntary and led by the private sector.

The National Strategy for Trusted Identities in Cyberspace (NSTIC) hasn't changed much since the draft plan unveiled in January, though the final version (PDF) contains an even stronger emphasis on NSTIC being a private-sector, voluntary undertaking. This point was stressed so many times in a background briefing call for reporters this morning that it's clear the government fears a potential backlash against its efforts.

The final version of NSTIC tries to address two problems: the fact that passwords are "broken" and the fact that it's almost impossible to prove your identity on the Internet. In the strategy's view, the future belongs to smart cards, cell phones, USB security sticks, and similar solutions; when the Department of Defense moved away from passwords to a smart card security solution, it saw network intrusions drop by 46 percent.

The goal of the system is simple: create the baseline tools needed for online commerce to thrive. Indeed, the first sentence of the NSTIC final report reads: "A secure cyberspace is critical to our prosperity." The government hopes to enable whole new classes of online activity, such as dealing with health records or signing mortgages, that today few people would trust to the Internet. It also hopes to slow rampant ID theft, which it claims costs more than $600 per incident to fix.

The government hopes to facilitate this new ecosystem, one that will be interoperable and run largely by private parties. Under the plan, Internet users could go to any private credential provider of their choice and verify their identity, then use that credential to log in to any site which supports the identity ecosystem. Have one credential from Google and another from Verisign, but want to log in to Facebook? Either credential should work.

Users can choose how many credentials they acquire, what information is contained in each, and how much information is revealed at login.

For example, student Jane Smith could get a digital credential from her cell phone provider and another one from her university and use either of them to log in to her bank, her e-mail, her social networking site, and so on, all without having to remember dozens of passwords. If she uses one of these credentials to log into her Web email, she could use only her pseudonym, "Jane573." If, however, she chose to use the credential to log in to her bank, she could prove that she is truly Jane Smith. People and institutions could have more trust online because all participating service providers will have agreed to consistent standards for identification, authentication, security, and privacy.
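The Jane Smith scenario above, one credential that reveals only a pseudonym to webmail but a verified legal name to the bank, is a selective-disclosure problem. The following is an added, self-contained example written for this page; it is not code from NSTIC, NIST, or any credential provider. It uses one common construction: the issuer salts and hashes every claim and authenticates only the list of hashes, so the holder can later hand a relying party just the preimages it needs. Everything below is constructed for illustration: the issuer key, the issuer name `university.example`, and Jane's claim values are invented, and the issuer's integrity tag is an HMAC (so the verifier must share the issuer key) standing in for the public-key signature a real issuer would use.

```python
"""Selective-disclosure credential toy: one credential, different claims
revealed per site. Added example, not NSTIC or any provider's code.

Issuer: salt and hash each claim, authenticate the list of hashes.
Holder: present the authenticated list plus only the chosen preimages.
Verifier: check the tag, then check each preimage against the list.

Assumption: HMAC stands in for the issuer's signature, so the verifier
holds the issuer key here. A deployable issuer would sign with a
public-key algorithm; the disclosure mechanics are the same.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample data for the worked example (not real values).
ISSUER_KEY = b"example-university-issuer-key"   # hypothetical issuer secret
ISSUER_ID = "university.example"                 # hypothetical issuer name
JANE_CLAIMS = {
    "pseudonym": "Jane573",
    "legal_name": "Jane Smith",
    "student_id": "S-2011-0042",                 # constructed value
}


def _digest(disclosure: str) -> str:
    return hashlib.sha256(disclosure.encode()).hexdigest()


def issue_credential(issuer_key: bytes, issuer_id: str, claims: dict) -> dict:
    """Issuer side: salt+hash each claim, authenticate the list of hashes."""
    disclosures = {}
    digests = []
    for name in sorted(claims):
        # A fresh random salt per claim stops a verifier from recovering
        # undisclosed low-entropy values (a name, a date) by hashing guesses.
        salt = secrets.token_hex(16)
        disclosure = json.dumps([salt, name, claims[name]])
        disclosures[name] = disclosure
        digests.append(_digest(disclosure))
    payload = json.dumps({"issuer": issuer_id, "digests": digests})
    tag = hmac.new(issuer_key, payload.encode(), "sha256").hexdigest()
    return {"payload": payload, "tag": tag, "disclosures": disclosures}


def present(credential: dict, reveal: list) -> dict:
    """Holder side: keep the authenticated part, drop undisclosed preimages."""
    return {
        "payload": credential["payload"],
        "tag": credential["tag"],
        "disclosures": [credential["disclosures"][name] for name in reveal],
    }


def verify(issuer_key: bytes, presentation: dict):
    """Relying-party side: returns the revealed claims, or None on any failure."""
    expected = hmac.new(issuer_key, presentation["payload"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, presentation["tag"]):
        return None                              # tag does not cover this payload
    digests = set(json.loads(presentation["payload"])["digests"])
    revealed = {}
    for disclosure in presentation["disclosures"]:
        # Every revealed preimage must hash to a value the issuer vouched for.
        if _digest(disclosure) not in digests:
            return None                          # altered or foreign claim
        _salt, name, value = json.loads(disclosure)
        revealed[name] = value
    return revealed


def jane_example() -> dict:
    """The two logins from the text: pseudonym-only for webmail, full name for the bank."""
    cred = issue_credential(ISSUER_KEY, ISSUER_ID, JANE_CLAIMS)
    return {
        "webmail": verify(ISSUER_KEY, present(cred, ["pseudonym"])),
        "bank": verify(ISSUER_KEY, present(cred, ["legal_name", "student_id"])),
    }


if __name__ == "__main__":
    print(jane_example())
```

Two caveats a practitioner would raise. First, the webmail site still learns how many claims the credential carries, and because the same payload and tag are shown to every site, two relying parties can correlate Jane's visits; the privacy standards NIST says it wants would need unlinkable presentations, which this toy does not provide. Second, the relying party trusts whatever issuer signed the payload, so in an NSTIC-style ecosystem the verifier would also have to check that the issuer is an accredited provider before accepting the claims.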

The program will be coordinated by the National Institute of Standards and Technology (NIST), the part of the Commerce Department that has set national standards since 1901. NIST will coordinate the new strategy but insists it will be led by the private sector, that privacy is paramount, and that consumer advocates and privacy groups will be part of the process.

NIST hopes to arrive at privacy standards that will give Internet users confidence in using such credentials, to clarify the liability that credentials providers will face should someone still manage to steal your identity, and to issue a "trustmark" that accredits participating credential providers and websites.

Public meetings on NSTIC begin in June, and NIST hopes to be funding pilot projects by 2012. Still, ordinary Internet users won't be able to use the system for three to five years.
