As Government Technology reported in April, the White House is leading efforts for online authentication technology -- a new form of identification that some have called a driver's license for the Internet. But program leaders at the National Institute of Standards and Technology maintain that such a characterization is inaccurate, while privacy groups worry that the program’s scope could creep beyond the bounds of constitutionality if not carefully managed.
Today’s incarnation of the National Strategy for Trusted Identities in Cyberspace (NSTIC) endeavors to provide state residents with a common identity for acquiring services across state departments, piloting technology that could be used more broadly online. Michigan and Pennsylvania are now running federally-funded pilot programs to test early versions of the technology. An additional 10 organizations will be announced to receive pilot funding in August.
The program is also NIST’s effort to encourage the private sector to develop viable alternatives to a well-known but aging form of authentication: the password.
NIST did not initially respond to a request for comment while the original story was being written, but after it was published, NIST's Jeremy Grant contacted Government Technology. As leader of the program office for NSTIC, it’s Grant’s job to translate an abstract White House strategy document outlining the idea into an actual program. He says there’s a lot of misinformation about NSTIC, and he wanted to set the record straight.
Clarification: Optional Authentication vs Permit
The idea that seems to concern people most when they hear of a “driver’s license for the Internet” is the idea that going online would require a government-issued credential, but this is not what NSTIC is about, Grant said. “The idea that you would need a credential to go on the Internet is a colossally stupid idea that the government has no interest in driving,” he said.
NSTIC has kept privacy in mind from the beginning, and is endorsed by many leading privacy and civil rights advocates through the Identity Ecosystem Steering Group, including the American Civil Liberties Union, the World Privacy Forum and even the Electronic Frontier Foundation’s Lee Tien, Grant said.
Tien is an outspoken critic of NSTIC, and though he is on the Identity Ecosystem Steering Group, he explained that his membership should not necessarily be taken as an endorsement of the work NIST is doing.
“We are trying to be involved so it goes in a good direction rather than a bad direction,” he said. “EFF hates mandatory online ID. We hate national online ID generally. We believe that the U.S. Constitution protects the right to speak and associate anonymously. These are really important First Amendment rights we have been fighting for ever since we existed.”
Grant maintains the goal of the program is absolutely not to create a government-run online identity scheme, and that some bad press early in the program’s life has followed it around ever since. Grant explained that the initial White House document called for something very different from what the media have reported.
“It called for the creation of what it dubbed an ‘identity ecosystem,’ which is essentially a marketplace of solutions where all of us should be able to choose, within a few years, from a variety of different identity solutions that we can use online in lieu of the password-based systems that dominate today," Grant said, "for experiences online that are more secure, more convenient and more privacy-enhancing than what we have today.”
Grant suggested his mother as the typical user of such a system in maybe 2017 -- when she’s on her iPad and logging into a variety of sites including her doctor’s office, her bank, perhaps a government site like mymedicare.gov, or Amazon. “If she has four different accounts with four different passwords for those things, that’s not particularly good from a security or convenience perspective," he said. "She ought to be able to have a solution that she can use every place she goes that only reveals at each transaction those attributes about her that are necessary.”
Such a solution would not be mandatory, Grant said – it would be an optional tool that people could use as an alternative to password verification that offers both convenience and protection against fraud and identity theft.
Replacing the Password
In 2004, Bill Gates predicted the death of the password, but the problem is not that passwords are dying, Grant said – it’s that they’re still alive.
“Seventy-six percent – that’s the number of data breaches in the private sector primarily that were caused by passwords back in 2012, according to Verizon’s Data Breach Investigations Report,” he said. “Everything we do online with authentication is tied to passwords. These numbers show that the password is killing us."
One way to view NSTIC is as an aspirational document that essentially says the world would be a better place if we weren’t tied to passwords, and we had an easy way to prove online who we were, control what information about ourselves is collected and aggregated, and play more of a role in how that information is shared, Grant added.
"Keeping in mind that half the population are still using things like ‘123456’ as a password, and they’re using it every site they go to," he said, "we can at least get people to a credential that has more security.”
Private Sector Must Lead the Change
The government does not want to lead the development of these technologies, but rather spur interest in the marketplace, Grant said, and the market is showing some signs of interest in moving away from passwords. Samsung’s Galaxy S5 has a fingerprint sensor that can be used to conduct payments via PayPal without the use of a password.
That fingerprint authentication follows specifications from the FIDO Alliance, an industry group for online authentication standards that NIST is working with. Those are the kinds of changes in the market NIST is hoping to drive, Grant said.
Several analysts told Government Technology they agreed with Grant’s determination that private-sector leadership is needed if the public is ever to be rid of the password. Though there has been some progress in the market, Grant admitted that getting companies to participate in the program can sometimes be difficult.
“When I look at our steering group and it’s got members like PayPal, Salesforce, Microsoft, Oracle, LexisNexis, Aetna, Neiman Marcus working alongside privacy and civil liberties advocates and consumer advocates, I’m actually really excited by the amount of private-sector interest we’ve had in this,” he said. “But it’s a hard thing to do. There are some companies that say, ‘It’s a little too early stage for us. We’re going to wait until we see a little bit more happen before we jump in.’”
Non-password-based online identity schemes are in use by several countries already, including e-ID, a banking ID used in Norway; i-PIN, South Korea’s online identity scheme required to use many online services; NemID, a Danish banking authentication system; and RealMe, an online identity scheme for New Zealand residents.
“I would call NSTIC a distinctly American strategy in terms of actually leveraging other solutions in the marketplace and not leveraging the government to be the solution,” Grant said. “There are too many entrepreneurs and innovators that are out there today coming up with really good ways to manage identity and authentication online, so the best thing we can do is focus on helping them grow the marketplace and help shape it so it is secure and it is privacy enhancing and, to a certain extent, get out of the way.”
This coming fall, the recipients of grants for new pilot projects around NSTIC will be announced, Grant said, and on June 17, NIST will host a quarterly meeting with new announcements on the direction of the program.
Although Grant maintains there’s nothing to worry about, skeptics like Lee Tien are keeping a close watch on the program. Privacy experts like Tien were given a central gatekeeper role early in the program’s development, but when it comes to safeguarding First Amendment rights, Tien said private enterprise is not to be trusted.