Verizon, Criterion Systems, and other online identity and technology companies are teaming up to test whether consumers might trust a single, highly secure user-password combination for all of their online accounts.
A White House-launched initiative called the National Strategy for Trusted Identities in Cyberspace has awarded Verizon and its partners a federal grant with which to run pilot tests over the next two years to determine the feasibility of using “trust elevation” tactics to establish online credentials.
Trust elevation combines a user name and password with an additional piece of information—it could be a fingerprint or other biometric data, or something only the user would have, such as a code delivered to the user’s cell phone.
“It is clear that the traditional method of using non-validated usernames and passwords for secure online access is no match for determined cybercriminals,” Peter Tippett, vice president of Verizon Enterprise Solutions’ innovation incubator, said in a Dec. 13 statement.
“Through close collaboration with Criterion Systems,” Tippett continued, “our objective is to transform how usernames and passwords are used and online identities are validated to provide a safer, more trustworthy Internet.”
People’s passwords tend to be combinations of a family name and some numbers, David Coxe, co-founder of Criterion Systems, told eWEEK over a call. “What hackers do is go to the weak sites, break in and then go figure out the sites that really matter to you.”
While some consumers may be put off by the idea of offering hackers one nut to crack—or “one identity to rule them all,” to borrow a phrase from Peter Graham, a senior solutions architect with Verizon’s Enterprise Solutions team, who was also on the call—”open ID credentials” are already being used. It’s common, for example, to be able to sign into a site that’s not Facebook by using one’s Facebook user name and password.
“If you have a Gmail account, you already have an open ID,” said Coxe.
The first four pilots will launch in the first quarter of 2013 and the next four the year after. The eight will represent a variety of different user cases in different industries. First to launch will be a financial services firm, the Department of Homeland Security, eBay and General Electric.
Verizon Universal Identity Services, as the project is known, is cloud-based and expects to be able to help control the costs and the complexity associated with identity authentication. It’s also designed to meet, by the federal Office of Management and Budget’s criteria, Level 3 authentication requirements—a “high confidence in the asserted identity’s validity,” versus Level 4’s “very high confidence.”
Where it’s appropriate to just use a user name and password—where no important information or financial data is at stake—the system will allow that.
“But on something like a financial site, what we’re looking to do as part of this team is make it faster, more convenient and safer,” said Verizon’s Graham. “We’ve been [protecting identities] for a long time and we’re pretty good at it, and we believe there’s an opportunity to bring a higher level of security to the industry as a whole.”