The White House unveiled guidelines for establishing secure online credentials to boost confidence and business online.
The Department of Commerce unveiled the plans for the National Strategy for Trusted Identities in Cyberspace (NSTIC) at a release event on April 15. The strategy aims to protect the privacy and security of Internet users by encouraging the creation of secure and reliable online credentials for consumers who want to use them.
“The fact is that the old password and username combination we often use to verify people is no longer good enough,” Commerce Secretary Gary Locke said at the event. The current system leaves “too many consumers, government agencies and businesses vulnerable” to identity thieves and criminals intent on stealing information, Locke said.
The identity ecosystem would revolve around credentials stored outside of the actual Website, application or service, and would eliminate the need for unique passwords, Locke said.
With the increasing amount of identity theft and online fraud, consumers don’t trust the Internet. “It will not reach its full potential, commercial or otherwise, until users and consumers feel more secure,” Locke said.
The technologies described in NSTIC would allow online users to stop using unique passwords on each site and instead use a set of credentials that are accepted by multiple sites. The goal is to not have just one trusted identity technology or provider, but to have several and let users choose which ones to use.
Since consumers will be able to choose among a diverse market of different providers of credentials, there will be no single, centralized database of information. Consumers can use their credentials to prove their identity when they’re carrying out sensitive transactions, like banking, and can stay anonymous when they are not, said privacy advocate Susan Landau, a fellow at Harvard University who was on the panel discussing the latest NSTIC plan.
Under the identity ecosystem, online businesses will collect the minimal amount of information necessary from credential providers in order to process the transaction. For example, if a consumer wanted to buy alcohol online, the only identity information the business needs is to confirm that the consumer is over 21, Matthew Gardiner, director of security at CA Technologies, told eWEEK.
“Working together, innovators, industry, consumer advocates and the government can develop standards so that the marketplace can provide more secure online credentials, while protecting privacy, for consumers who want them,” said Locke.
A single issuer of identities creates unacceptable privacy and civil liberties issues, which is why the focus is on having several trusted identity credentials that consumers can choose among. Perhaps the user will apply one set of credentials when researching health topics and use another when trying to get free shipping. The key is to adjust identity requirements to the task at hand.
This is not a government-mandated national ID program, Locke insisted. “We don’t think that’s a good model, despite what you might have read on blogs frequented by the conspiracy theory set,” Locke said.
Initially proposed in June, the plan has not changed much since the previous draft plan unveiled in January, although the final version has stronger language emphasizing that NSTIC will be driven by the private sector and strictly voluntary.
“It gives consumers more control and more choice about their online identities. It makes it clear that it’s voluntary,” Leslie Harris, president and CEO of privacy advocacy group Center for Democracy and Technology, said on the panel.
The secure credential could be a piece of software on a mobile device, a smartcard or a small token that generates one-time passwords. The technology will come from the private sector, and the government will collaborate by developing necessary standards and policies to implement the ecosystem.
“We also want to spur innovation, not limit it,” Locke said.
As part of the event, several companies demonstrated existing technologies that can be used to create the proposed identity ecosystem. CA Technologies showcased its identity and access management platform, including CA SiteMinder, CA Arcot WebFort and CA Arcot RiskFort. CertiPath and Microsoft also were part of the demonstration.
The National Institute of Standards and Technology will host three workshops to focus on problems with development and adoption of these online authentication technologies. Businesses, consumer groups, privacy advocates and any other interested people will be invited to attend. The plan is for several trusted identity projects to launch in 2012, with the goal of having a robust trusted identity market in three to five years.
Identity theft affected about 8.1 million U.S. residents in 2010, according to Locke. The Department of Commerce estimates that a company with 500 employees spends $110,000 a year managing employee identity.