Earlier this summer the White House released a draft paper describing the importance of creating an identity "ecosystem" in which people and companies can conduct online transactions securely and privately, confident in the identities of all involved.
Howard Schmidt, cyber security coordinator and special assistant to the president, says: "No longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to log in to various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers, both public and private, to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.)."
Experts following the Administration's cyber security efforts say this is an admirable goal, but what Schmidt describes is a federated identity system, and that is hardly a new concept. The problem has always been implementation. Who exactly will offer these identity credentials, and who will be liable should they fail? On these important issues the draft paper from the National Strategy for Trusted Identities in Cyberspace (NSTIC) offered few details. Avivah Litan, VP and distinguished analyst at Gartner, says that "Howard Schmidt is a pretty progressive, thoughtful person who is likely to bring fresh ideas to the Administration." But as for the recent draft, she hoped for more. "It's a wishy-washy statement, but at least it's a statement. But I'd like to have seen some more pragmatic steps to get it underway."
Thomas J. Smedinghoff, a partner in the privacy and data security practice at Wildman, Harrold, Allen & Dixon in Chicago, and co-chair of the American Bar Association's Federated Identity Management Legal Task Force, says the draft offers little in the way of details. But, helpfully, it does identify the key barriers to a federated identity system and states broadly how the government might help eliminate them, such as proposing legislation addressing privacy and liability issues, being an early adopter, and helping to push the industry toward setting standards.
In any federated system, banks have some important decisions to make, says Smedinghoff. They might leverage their identity know-how and offer this service themselves, or they could offload the responsibility to a third party. That second option is unlikely, says Litan, at least for big banks. "They want to own the customer," she says, and they see identity as part of "the ownership turf."