The Password is Dead, Long Live the Password
The White House has released a new vision for providing security online, the National Strategy for Trusted Identities in Cyberspace (NSTIC), unveiled at an event hosted by the U.S. Chamber of Commerce. Calling it a voluntary identity ecosystem, the NSTIC aims to make the web safer, easier to use, and open to a wider range of online activities.
First and foremost, the government wants you to know that there is no national ID program in the works. Furthermore, the NSTIC envisions a completely voluntary environment in which users can opt for higher levels of security when and if they want them. Lastly, while the government will support these efforts and endorse NSTIC projects, the nitty-gritty will likely be handled by private companies.
It works like this: instead of juggling a plethora of passwords, or reusing one password across multiple websites, users would obtain credentials from identity providers that have verified who they are. Using those credentials, users could log in to other websites while disclosing only the information each website actually needs.
How exactly the credential system will work is still up in the air, and is presumably the portion of the plan that will be left to industry. Ars Technica suggests that physical devices such as cell phones, smart cards, or USB tokens could carry those credentials. They cite the DoD's adoption of smart cards and the 46% reduction in network intrusions that followed.
On its website, the NSTIC program offers this example of the ecosystem:
For example, student Jane Smith could get a digital credential from her cell phone provider and another one from her university and use either of them to log in to her bank, her e-mail, her social networking site, and so on, all without having to remember dozens of passwords. If she uses one of these credentials to log into her Web email, she could use only her pseudonym, “Jane573.” If however she chose to use the credential to log in to her bank she could prove that she is truly Jane Smith. People and institutions could have more trust online because all participating service providers will have agreed to consistent standards for identification, authentication, security, and privacy.
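The NSTIC leaves the credential technology to industry, so the following is an added illustration of the mechanism the paragraph above and the Jane573 example describe, not code from the strategy or from any NSTIC pilot. It uses a hashed-claim design of my own: the identity provider signs salted digests of Jane's attributes rather than the attributes themselves, the user forwards only the claims a site asks for, and the site checks that each disclosed claim was covered by the provider's signature. The issuer name "university.example", the claim names and the values are constructed sample data; a production system would additionally need to bind the presentation to the holder (so a stolen credential cannot simply be replayed), revocation, and a registry of trusted issuer keys, none of which is shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Claim is one attribute the identity provider vouches for; the random salt
// stops a site from guessing an undisclosed claim's value from its digest.
type Claim struct {
	Name, Value string
	Salt        []byte
}

// Credential is what the provider hands the user: a signature over the sorted
// claim digests, not the values, so any subset can be revealed later.
type Credential struct {
	Issuer    string
	Digests   []string // hex(sha256(salt || 0 || name || 0 || value)), sorted
	Signature []byte   // ed25519 over signingInput(Issuer, Digests)
}

func claimDigest(c Claim) string {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%s\x00%s", c.Salt, c.Name, c.Value) // NUL separators fix field boundaries
	return hex.EncodeToString(h.Sum(nil))
}

func signingInput(issuer string, digests []string) []byte {
	return []byte(issuer + "\n" + strings.Join(digests, "\n"))
}

// Issue is the identity provider's step: salt and digest each attribute, then
// sign the digest list with the provider's private key.
func Issue(issuer string, priv ed25519.PrivateKey, attrs map[string]string) ([]Claim, Credential) {
	var claims []Claim
	for name, value := range attrs {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			panic(err)
		}
		claims = append(claims, Claim{name, value, salt})
	}
	digests := make([]string, len(claims))
	for i, c := range claims {
		digests[i] = claimDigest(c)
	}
	sort.Strings(digests) // canonical order; also hides which digest belongs to which claim
	return claims, Credential{issuer, digests, ed25519.Sign(priv, signingInput(issuer, digests))}
}

// Present is the user's step: send a site only the named claims (with their salts).
func Present(claims []Claim, reveal ...string) []Claim {
	var out []Claim
	for _, c := range claims {
		for _, n := range reveal {
			if c.Name == n {
				out = append(out, c)
			}
		}
	}
	return out
}

// Verify is the relying party's step: trusted issuer, valid signature over the
// digest list, and every disclosed claim re-hashes to a digest that was signed.
func Verify(cred Credential, disclosed []Claim, trusted map[string]ed25519.PublicKey) (map[string]string, error) {
	pub, ok := trusted[cred.Issuer]
	if !ok {
		return nil, fmt.Errorf("untrusted issuer %q", cred.Issuer)
	}
	if !ed25519.Verify(pub, signingInput(cred.Issuer, cred.Digests), cred.Signature) {
		return nil, fmt.Errorf("issuer signature does not verify")
	}
	verified := map[string]string{}
	for _, c := range disclosed {
		d := claimDigest(c)
		if i := sort.SearchStrings(cred.Digests, d); i == len(cred.Digests) || cred.Digests[i] != d {
			return nil, fmt.Errorf("claim %q was not signed by the issuer", c.Name)
		}
		verified[c.Name] = c.Value
	}
	return verified, nil
}

func main() {
	// Constructed sample: a university (assumed name) acting as Jane's identity provider.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"university.example": pub}
	claims, cred := Issue("university.example", priv, map[string]string{"pseudonym": "Jane573", "legal_name": "Jane Smith"})
	fmt.Println(Verify(cred, Present(claims, "pseudonym"), trusted))  // webmail learns only the pseudonym
	fmt.Println(Verify(cred, Present(claims, "legal_name"), trusted)) // the bank learns the verified legal name
	forged := Present(claims, "legal_name")
	forged[0].Value = "John Doe" // edited after issuance: its digest is no longer in the signed list
	fmt.Println(Verify(cred, forged, trusted))
}
```

The point to notice is that the same credential serves both sites without the provider being contacted at login time, and that the webmail site never sees Jane's legal name: the digest list it receives reveals nothing about the undisclosed claim because of the salt. The bank, by contrast, gets a value it can trace to the university's signature, which is the "prove that she is truly Jane Smith" half of the example.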
This sounds very similar to White House announcements some years ago promoting the use of the OpenID standard. Those efforts seem to have stalled, likely due to widespread confusion about OpenID and the difficulty of obtaining OpenID credentials. The NSTIC does seem to differ in its emphasis on obtaining verified credentials from private companies such as Google or cellphone providers.
A big part of the NSTIC is not only to provide the infrastructure for a safer internet, but also to open up online commerce. People already make purchases online, but transactions like signing a mortgage or other more complex financial interactions are still carried out in person because they require stronger assurance of identity than a password provides. The NSTIC could bring some of those activities online, perhaps opening up new opportunities for financial growth. Better security could also pave the way for digital medical records, which are encouraged under the recent health care overhaul legislation.
The NSTIC has lofty plans, but it will be a long while before users see any change in their online experience. Public meetings on the plan begin in June, and funded pilot projects should roll out in 2012. It will probably be a few years after that before the identity ecosystem is broadly available to the public.