NIST plays matchmaker on identity verification
The National Institute of Standards and Technology funds the Identity Ecosystem Steering Group, bringing together disparate interests to solve the password puzzle.
Deputy Director Michael Garcia (left) and Senior Standards and Technology Advisor Paul Grassi (right) of NIST's National Strategy for Trusted Identities in Cyberspace spoke at FCW's Creating Trusted, Identity-Driven Federal Enterprises event on April 29.
The U.S. government wants to play facilitator rather than savior in verifying online identities.
Michael Garcia, a National Institute of Standards and Technology official focused on the issue, said one of his agency’s ongoing projects is to foster a private marketplace for identity verification best practices.
Security isn’t the only issue at stake with identity verification, according to Garcia, who is deputy director of the National Strategy for Trusted Identities in Cyberspace (NSTIC). Liability, interoperability and privacy are all at play, and progress is needed in each area “to actually get to a functional, sustainable marketplace,” he said April 29 at an FCW-sponsored conference in Washington, D.C.
The theft of online credentials, and the hassle of managing a proliferating crop of passwords, is a burden on the consumer. Forty-six percent of consumers abandon a website rather than try to reset a password or answer a security question, said Paul Grassi, NSTIC’s senior standards and technology adviser, citing data from Verizon Enterprise Solutions.
Passwords are a “perfect combination of a really bad user experience as well as being terrible at security,” Garcia quipped.
There is broad interest in improving that user experience, not least from businesses wanting to offer more services online and federal officials worried about the security of their employees.
To harness that interest, NIST has funded the creation of the Identity Ecosystem Steering Group, which includes a wide array of stakeholders ranging from big banks such as Citigroup to privacy advocates such as the Electronic Frontier Foundation. The group is now a non-profit and the goal is to wean it off of the government dime, Garcia said, adding that NIST has issued grants rather than contracts to the firms with that aim in mind.
The group will by summer’s end issue a preliminary framework of business rules and interoperability standards for identity verification to which private firms can attest, Garcia predicted. The next version of the framework will get more specific, with provisions on accountability mechanisms, risk models and liability arrangements, he said.
“If nothing else, if we do this right, it removes this bilateral need for rooms full of lawyers to get together and spend months trying to figure out whether or not they can work together,” Garcia said.
When asked at the conference whether the government can be a trusted broker of a privacy-enhancing initiative, Garcia said NIST is a “scientific organization. I think that benefits us significantly in the way that we’re able to communicate and interact, and how we’re perceived in doing so.”
Grassi stressed that no personally identifiable information is stored as part of Connect.gov, a digital credential initiative in which NIST participates. Dan Waddell, director of government affairs for (ISC)2, an IT security nonprofit, said Grassi’s message was a good one for building trust with the private sector and the American public. “The more messaging they can do around that, I think the better, because I think the perception from the public is that if [the government gets] hacked, my information is going to be leaked,” he told FCW.