ID management moves past passwords

As it becomes widely recognized that simple techniques aren't secure enough to prevent unauthorized access to government information, agencies are considering other options.

Slowly but surely, progress is being made on the creation of online identification and authentication systems that will meet the needs of federal agencies and commercial entities.

That progress is a result of the Obama administration’s National Strategy for Trusted Identities in Cyberspace (NSTIC), which launched in April 2011. NSTIC’s recently formed Identity Ecosystem Steering Group, which is federally funded but led by the private sector, is seeking to set standards for identity management systems across multiple platforms.

After the group gathered for a second time in December 2012, Aaron Titus, chief privacy officer at Identity Finder and the group’s Management Council delegate for privacy and civil liberties, said its preliminary progress in developing standards and use cases is promising.

In the past year, NSTIC has developed a standard identity management scheme that consists of seven requirements. It recently conducted three pilot projects to test privacy-enhancing cryptography and two projects that use non-cryptographic privacy features; it plans to analyze the results in the coming year. “That’s where the ID world is going right now — toward identity ecosystems,” Titus said.

In such an ecosystem, a person who logs onto a social media site or online bank account would be authenticated by a trusted identity provider in accordance with NSTIC’s seven requirements, while the user’s privacy remains protected.

Roadblocks include the cost for providers and inconvenience for users, but Titus said the increase in the incidence and cost of identity theft — for individuals and businesses — could be a powerful motivator for speeding up the process.

“It is easier than ever to commit ID theft,” Titus said. And as users’ online identities become more interconnected, the ease with which a criminal can turn a hacked Facebook account into control over a user’s bank accounts is on the rise.

Accordingly, organizations are beginning to realize that basic credentials such as passwords aren’t secure enough anymore, said Ray Wizbowski, vice president of strategic marketing at Gemalto.

“If you take a step back and look at what is happening with NSTIC, there is a mass movement across even social networking sites away from basic credentials to secure credentials,” Wizbowski said. “That is the mega-trend for the next year.”

Tom Flynn, vice president of online authentication at Gemalto North America, said 2013 will likely see federal agencies move toward digital data control, with biometrics and cryptographic authentication as likely methods that could drive federal policy.

“The process of vetting IDs is going to evolve,” Flynn said. “The way things are moving, you will see organizations ramping up funding for proper technology in doors, networks and mobile devices.”

Mobile technology will be less of an afterthought in ID management in 2013, he added, noting that “mobile as an authenticator [and] mobile as a derived credential holder” are conversations that are already happening.

The question that many would like to see answered in 2013 is whether federal agencies will lead or follow the commercial world in terms of ID management. How the federal government gets involved in privacy and security standards and requirements will be a key factor in what happens in the coming year in ID management.