Jeremy Grant, as a client, is impressed with the security precautions on his E-Trade account. When he logs in to make a transaction, he uses a token from E-Trade that displays a one-time, single-use password he'll use for that particular session.
But as the senior executive advisor for identity management with the National Institute of Standards and Technology, he is also somewhat disheartened. This type of highly secure method he uses to verify his identity at E-Trade's site is rarely available to protect him at other online destinations—ones where the threat of exposing log-ins and passwords to a hacker or through malware can be just as great.
"E-Trade will give you a one-time only password generator, but you can't use that anywhere outside of E-Trade," he says.
What he is working toward at NIST is the day when, after logging in to his E-Trade account, he can seamlessly navigate to other secure sites—his primary bank, his health insurer, various e-commerce sites—with a single, highly secure credential that can be used across multiple websites.
Since last summer, Grant and NIST have been working behind the scenes on the National Strategy for Trusted Identities in Cyberspace, the Obama administration's effort to help create standards for a federated, or shared, ID credential ecosystem. The NSTIC is a joint effort between the government and the private sector that would allow private-sector providers that meet certain standards to sell identity authentication products—such as, but not limited to, one-time password generators—that could be accepted by multiple websites as a form of secure identity authentication.
The final NSTIC plan was released last Friday, through the formal launch of a program office within the U.S. Department of Commerce to coordinate trusted identity activities.
Central to the NSTIC's goal is uniting financial services companies, health insurers, online retailers and public sector agencies behind the concept of shared identity frameworks. Banks in the past have been either cautious about or uninterested in federated ID proposals, due to security concerns or the lack of any business motive. But the system Grant envisions could make it simpler for consumers to access their accounts while simultaneously making transactions more secure—which should grab the interest of any bank worried about rising levels of fraud.
Dan Schutzer, president of the Financial Services Technology Consortium, an affiliate of the Financial Services Roundtable, says that the industry is anxious to assist with the government's effort.
"We have some joint efforts with the government and we are generally supportive of the broad principles envisioned in NSTIC," he says. The FSTC is working with the government to develop "test beds" that will allow institutions to experiment with NSTIC-compliant authentication products.
Identity authentication experts say that banks could greatly benefit from the emergence of shared credentials. Don Thibeau, vice president of authentication vendor TrustID of Portland, Ore., says that once shared-ID rules are set via the NSTIC, it will become a de facto standard for secure transactions across the Web, and bank examiners will begin looking for higher-level authentication.
Grant is quick to point out that under NSTIC, the government is not the primary issuer of identity verification tools, and is taking a hands-off approach to the types of technology behind them. "The government does not want to be in the business of choosing technologies," he says. The government's primary role in this process, he says, is to create frameworks in which the creativity of the private sector can be unleashed. The goal is to see "a variety of providers out there, all with different products." And he says that in order to get there, "it is important that the government not over-proscribe."
