The White House has outlined a national strategy for trusted digital identities that could ultimately eliminate the username-and-password model and lay the groundwork for a nationwide federated identity infrastructure.
cybersecurity coordinator and special assistant to the president, unveiled the administration's strategy for what he called an identity ecosystem for users and organizations to conduct online transactions securely and privately such that
identities of all parties are trusted.
For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services. Through the strategy we seek to
enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc) from a variety of service providers -- both public
and private -- to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.), Schmidt blogged late last week.
National Strategy for Trusted Identities in Cyberspace [pdf] (NSTIC) draft paper is open for public comment and input until July 19.
The paper, a product
of the White House's cybersecurity policy review last year, was created with input from government agencies, business leaders, and privacy advocates. Among other things, it calls for designating a federal agency to lead the public-private sector efforts
to implement the blueprint, and for the federal government to lead the way in the adoption of secure digital identities.
The Holy Grail of trusted online authentication -- a so-called high-assurance authentication vouching for the identity
of a banking customer conducting a transaction online, for example -- has yet to take off. No one has stepped up to the plate to vouch for identities ... a Bank of America or a high-assurance provider to make all of this work, says Gartner's
Avivah Litan, adding we may never get systems in the U.S. to say an online user is who he or she says he is, she adds. They may not want to assume the liability and pay you if they are wrong, she says.