'Identity Ecosystem' To Replace Passwords, Draft Strategy Suggests

Imagine signing on to your computer, logging onto a secure Web site or handling a sensitive document electronically -- all without needing a user name or password.

The draft national strategy for building a new "identity ecosystem" that the Obama administration released June 25 would accomplish that, according to its developers. The ecosystem would base authentication on trusted digital identities instead.

The plan, named the National Strategy for Trusted Identities in Cyberspace, would lay a blueprint for an online environment in which online transactions for both the public and private sectors are more secure and trusted. The strategy identifies the federal government as "primary enabler, first adopter and key supporter" of the identity ecosystem.

In the language of the strategy, "In the envisioned identity ecosystem individuals, organizations, services and devices would be able to trust each other because authoritative sources establish and authenticate their digital identities." What that means in real terms is that trusted providers, such as a bank, would issue security credentials that would then be accepted by other online resources such as social networking sites and e-mail providers. Rather than using a user name and password, the person would have the crediential on a device that would authenticate his or her identity to the computer and, by extension, give access to services that accept the credential. The strategy includes references to smart cards, USB drives, mobile devices, software certificates and trusted computing modules as possible authentication technologies.

The strategy provides a hypothetical case of of a woman whose husband has recently been in the hospital. She is able to access his medical information using her cell phone because everyone involved in the information exchange uses a "trustmark" that signifies they adhere to the identity ecosystem framework.

The woman would have established her digital identity when she subscribed to a cell phone service plan, and the phone carrier would have verified her identity based on defined standards and issued her a credential on her cell phone that she could use within the ecosystem. The hospital and her husband's primary care provider, in turn, would have validated and maintained the appropriate attributes needed to release the information. And at the very beginning of the process, her husband would have provided her name and phone number to the hospital and signed the needed documents to authorize release of his information.

"No longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to log into various online services," White House Cybersecurity Coordinator Howard Schmidt said in a post on the White House blog. "Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable and privacy-enhancing credential…from a variety of service providers -- both public and private -- to authenticate themselves online for different types of transactions."

Schmidt's office has been leading the effort and will continue to do so. The Homeland Security Department is collecting public comments on the plan through July 19. Schmidt said the strategy will be finalized this fall.

Officials say participation in the identity ecosystem must be voluntary. The draft document breaks the ecosystem down into execution, governance and management layers and explains how individuals, companies and government would benefit from that online environment. For example, the document says individuals would get more security, efficiency, privacy and choice.

The document says goals for the strategy are to:

  • Develop a comprehensive identity ecosystem framework.
  • Put in place an interoperable identity infrastructure aligned with the identity ecosystem framework.
  • Bolster willingness to participate in that ecosystem.
  • Ensure the long-term success of the ecosystem.

The strategy also lays out high-level priority actions:

  • Designate a federal agency to lead the public/private sector efforts.
  • Develop a shared, comprehensive public/private sector omplementation plan.
  • Accelerate the expansion of federal services and policies that align with ecosystem.
  • Work among industry and government to put enhanced privacy protections in place.
  • Coordinate the development of risk models and interoperability standards.
  • Deal with liability worries of people and service providers.
  • Perform outreach and awareness activities.
  • Continue collaborating in international efforts.
  • Identify other ways to push for adoption of the identity ecosystem nationwide.

"There is a compelling need to address these problems as soon as is practical, making progress in the short term and planning for the long-term," the document concludes. "For the nation to realize the vision of this strategy and associated benefits, all stakeholders must come together in a collaborative partnership."

About the Author

Ben Bain is a reporter for 1105 Media.

comments powered by Disqus

Reader Comments:

Thu, Jul 1, 2010 Darryl J. Roberts Ventura, California

There are already two identity "ecosystems" in place that technically attempt to solve (some of) these problems, but they have not been universally adopted. The proposed ecosystem is optional. (There are very good reasons to not opt-in to it.) Since it is optional, it will not be universal. If it is not universal, it will not accomplish the goal.

Microsoft Live Id is an attempt to have one set of credentials (a username and password) that can be used on many different web sites without having to reveal the password to those web sites. It has some (albeit weak) proof of the identity of the person associated with an id because it is tied to an e-mail address that has to be proved. While it still uses a username and password for authentication, it allows a person to have just one username and password to authenticate to many different web sites and is an improvement over the proliferation of usernames and passwords that happen when each web site has their own authentication method and people are concerned about using the same password on different sites. Live Id has very low adoption. (I am not sure why.) What makes anyone think that an optional US federal "Identity Ecosystem" would be adopted any more. Would it be adopted outside the USA?

The Public Key Infrastructure (PKI) (as used for SSL web pages) has the ability to issue personal certificates. Any public key certificate authority (CA) could issue a person a personal certificate and web sites could use such a certificate issued by any CA that the web site chose to trust. Such a system avoids usernames and passwords, could be administered by many different CA (which are already in place), would not need to be administered by the US federal government, and the certificate authority is not involved in each and every authentication transaction (so they will not have the ability to track users--and their only ability to affect transactions is to revoke a certificate). Certificate Authorities could require strong proof of identity before issuing a class of personal certificate that indicates that such proof has been vetted. This system seems to be ideal and has been in place for years. However, the use of personal certificates is not only not universally accepted, it is used almost not at all for authentication on web sites. Again, I am not sure why it is not widely adopted.

Any identity ecosystem that attempts to solve the problems of people have a ever expanding list of usernames and passwords for authentication needs to solve what ever problems prevented the systems that are already in place from being widely accepted.

A US Federal identity system will never be universally accepted because of exactly the reasons stated by Conic and Tom Jones of New York. If it is not universally accepted, it will not be very useful.

Wed, Jun 30, 2010 Conic

"The strategy identifies the federal government as "primary enabler, first adopter and key supporter" of the identity ecosystem." Sure. We all know how trustworthy the Federal government is and how secure their systems are.

Wed, Jun 30, 2010 Tom Jones New York

What a great idea, but it should be named after its inventor, "George Orwell". Say you’re behind on your Taxes; the Feds could then "pull" your authentication credentials and hold it ransom until you pay up. Or say you owe child support; sorry you can't login into your MySpace account bud. And what if you're on the wrong side of the political mainstream and you attend a march to the Whitehouse. You may just lose your ability to access your email at work the next morning. Do you really want the Feds as the gatekeepers for your access to everything you value? Not in this lifetime.

Add Your Comment:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Please type the letters/numbers you see above