Outlook 2013

ID management moves past passwords


Slowly but surely, progress is being made on the creation of online identification and authentication systems that will meet the needs of federal agencies and commercial entities.

That progress is a result of the Obama administration’s National Strategy for Trusted Identities in Cyberspace (NSTIC), which launched in April 2011. NSTIC’s recently formed Identity Ecosystem Steering Group, which is federally funded but led by the private sector, is seeking to set standards for identity management systems across multiple platforms.

After the group gathered for a second time in December 2012, Aaron Titus, chief privacy officer at Identity Finder and the group’s Management Council delegate for privacy and civil liberties, said its preliminary progress in developing standards and use cases is promising.


In the past year, NSTIC has developed a standard identity management scheme that consists of seven requirements. It recently conducted three pilot projects to test privacy-enhancing cryptography and two projects that use non-cryptographic privacy features; it plans to analyze the results in the coming year. “That’s where the ID world is going right now — toward identity ecosystems,” Titus said.

In such an ecosystem, a person who logs onto a social media site or online bank account would be authenticated by a trusted identity provider in accordance with NSTIC’s seven requirements, while the user’s privacy remains protected.

Roadblocks include the cost for providers and inconvenience for users, but Titus said the increase in the incidence and cost of identity theft — for individuals and businesses — could be a powerful motivator for speeding up the process.

“It is easier than ever to commit ID theft,” Titus said. And as users’ online identities become more interconnected, the ease with which a criminal can turn a hacked Facebook account into control over a user’s bank accounts is on the rise.

Accordingly, organizations are beginning to realize that basic credentials such as passwords aren’t secure enough anymore, said Ray Wizbowski, vice president of strategic marketing at Gemalto.

“If you take a step back and look at what is happening with NSTIC, there is a mass movement across even social networking sites away from basic credentials to secure credentials,” Wizbowski said. “That is the mega-trend for the next year.”

Tom Flynn, vice president of online authentication at Gemalto North America, said 2013 will likely see federal agencies move toward digital data control, with biometrics and cryptographic authentication as the methods most likely to drive federal policy.

“The process of vetting IDs is going to evolve,” Flynn said. “The way things are moving, you will see organizations ramping up funding for proper technology in doors, networks and mobile devices.”

Mobile technology will be less of an afterthought in ID management in 2013, he added, noting that “mobile as an authenticator [and] mobile as a derived credential holder” are conversations that are already happening.

The question that many would like to see answered in 2013 is whether federal agencies will lead or follow the commercial world in terms of ID management. How the federal government gets involved in privacy and security standards and requirements will be a key factor in what happens in the coming year in ID management.

About the Author

Frank Konkel is a former staff writer for FCW.


Reader comments

Wed, Jan 16, 2013

Biometrics is a no-go for mass-scale authentication. The technical challenges can be overcome, but not the fundamental and human one - revocation. Most certs (driver's license, credit card, PKI, etc.) come with an expiration date and often have a CRL. Once the digital format of your characteristic is compromised, how do you revoke it? Laser-surgery your eyes, carve your finger-prints up, start walking with a limp? In a very small community, you could wipe and reset... in the real, wide world clean-up and replacement is practically impossible.

Wed, Jan 16, 2013 Beltway Bill

The no-brainer solution is to make all driver's licenses / State IDs and passport (cards, not the paper ones) smartcards. The Govt already provides you ID.... it can just do the same in a digital, PKI format. Once cards are widespread, companies across the spectrum will start adding the server-side capability to use PKI. It's not perfect (ref Secrets & Lies (2004) by Bruce Schneier) but it's far better than most folks using "123456"

Wed, Jan 16, 2013

Based on what I've seen in govt IT over the past 15 years, we'd better follow industry. They know what they're doing and have a lot to lose if they mess up. If the govt messes up and someone loses their identity, hey an individual can't sue the govt and win. We don't have the talent to do this right nor can we pay to do it right. Sounds like just another program and all it takes is throwing lots and lots of money at a contractor to make "it" happen. No problem.
