The White House has outlined a national strategy for trusted digital identities that could ultimately eliminate the username-and-password model and lay the groundwork for a nationwide federated identity infrastructure.
Howard Schmidt, cybersecurity coordinator and special assistant to the president, unveiled the administration's strategy for what he called an identity ecosystem for users and organizations to conduct online transactions securely and privately such that identities of all parties are trusted.
"For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to log in to various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers -- both public and private -- to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.)," Schmidt blogged late last week.
The paper, a product of the White House's cybersecurity policy review last year, was created with input from government agencies, business leaders, and privacy advocates. Among other things, it calls for designating a federal agency to lead the public-private sector efforts to implement the blueprint, and for the federal government to lead the way in the adoption of secure digital identities.
The Holy Grail of trusted online authentication -- a so-called high-assurance authentication vouching for the identity of a banking customer conducting a transaction online, for example -- has yet to take off. "No one has stepped up to the plate to vouch for identities ... a Bank of America or a high-assurance provider to make all of this work," says Gartner's Avivah Litan, adding that we may never get systems in the U.S. to say an online user is who he or she says he is. "They may not want to assume the liability and pay you if they are wrong," she says.
The Obama administration has said that it's moving ahead with a plan for broad adoption of Internet IDs despite concerns about identity centralization, and hopes to fund pilot projects next year.
There's no reliable way to verify identity online at the moment, Commerce Secretary Gary Locke said: "Passwords just won't cut it here."
A document released by the White House adds a few more details to the proposal, which still remains mostly vague.
It offers examples of what the White House views as an identity ecosystem, including obtaining a digital ID from an ISP that could be used to view your personal health information, or obtaining an ID linked to your cell phone that would let you log into IRS.gov to view payments and file taxes. The idea is to have multiple identity providers that are part of the same system.
Administration officials plan to convene a series of workshops between June and September of this year that would bring together companies and advocacy groups and move closer to an actual specification for what's being called the National Strategy for Trusted Identities in Cyberspace, or NSTIC.
During his speech, Locke lashed out at critics of the proposal. A column in NetworkWorld.com, for instance, called NSTIC a "great example of rampant, over-reaching, ignorant, and ill-conceived political foolishness."