White House's Online ID Strategy to Rely on Banks

Banks and other payment providers are expected to take a leading role in the White House's revised strategy for securing consumer identities online.

The guidelines, which the Obama administration announced Friday, would create, under the National Strategy on Trusted Identities in Cyberspace, a so-called identity ecosystem for "interoperable, secure and reliable credentials."

The strategy, which further develops prospective policies included in a draft proposal published last June, gives private industry the leading role, and government a supporting role, in securing online transactions. Consumers would have one identity, managed either through a token or other technology, on a smart card or on a smartphone.

Such ideas have been bandied about for years, and are generally referred to as "federated IDs."

Because the banking world has already developed similar identities for consumers, banks are expected to take a leading role in the NSTIC. The system has already gotten a favorable response from financial institutions, technology vendors and industry associations.

The "NSTIC is setting the ground rules of how companies will cooperate with each other in the ecosystem," said Michael Barrett, the chief information security officer for PayPal Inc. of San Jose, Calif. "It is setting up a standardized set of rules, technically and policywise."

In an email, Wells Fargo & Co. of San Francisco said, "protecting our customers from fraud and identity theft is a top priority and crucial to helping our customers succeed financially. … Therefore, we will continue to support the administration in their efforts to enhance information security and identity protection through the NSTIC program."

Similarly, the American Bankers Association, which said it has worked closely with the Obama administration and the Department of Homeland Security on the strategy, said the NSTIC moves online security for consumers in the right direction.

"The administration recognizes the central role that the private sector, and the financial services industry, needs to play," said Doug Johnson, vice president of risk management policy for the ABA.

Johnson said one of the main things that the ABA has tried to promote via the strategy is the importance of consumers taking responsibility for their own online security.

The new strategy, in fact, emphasizes choice: Consumers must opt in; they would choose between a multitude of security vendors; and they would choose from among various forms of identity protection — including, but not limited to, secure tokens generated on key chain fobs, smart cards and smartphones.

As opposed to previous efforts at enabling identity management online — experts have pointed to Microsoft Corp.'s Passport as one approach that had limited success because it was specific to only one company — the NSTIC recognizes that there are many different systems and ID providers.

"We learned in late '90s and early 2000s that there had to be more than one ID provider, and an ecosystem," Barrett said.

The Smart Card Alliance of Princeton Junction, N.J., said the prominence given to smart cards in the strategy was important, because smart cards have effectively secured transactions in the health care, financial services and government sectors.

"Smart cards have proven to be the gold standard for ID credentialing and security," said Randy Vanderhoof, executive director of the alliance.

Still, industry analysts said a unifying method for securing online interactions and transactions would likely need to create varying levels of authentication, based on the kind of transaction involved. Financial transactions would need stronger security criteria, while lower-impact transactions, such as connecting to a news website or social network, might require something less stringent.

One of the big roadblocks, said Julie Conroy McNelley, senior risk and fraud analyst at Aite Group LLC, is that banks and other financial institutions have invested a huge amount of resources in their customers' security, and they might be hesitant to share those credentials in a more general, federated environment.

"The federated ID has a great use for low-value, low-risk transactions," McNelley said. "But would financial institutions ever accept someone else's credentials for their website, or push theirs out? The answer is no."

Dave Jevans, the chairman and founder of IronKey Inc. of Sunnyvale, Calif., said the idea of government involvement was critical because the shift to a new standard will require a source of funding.

The "NSTIC moves things in the right direction," Jevans said. The "government can help drive consumer adoption, but the reality is there are millions of websites" that allow consumers to make payments, he said. "None of this is free."

Avivah Litan, a vice president and distinguished analyst at Gartner Inc., said a recent example of an interoperable ID is Facebook Connect, where users can connect their Facebook accounts to partner websites that also use trusted authentication methods. "This is already happening in low-risk applications," Litan said.
