Passwords, Dr. Evil and a Solution in Tampa

1.2 billion.

It’s a number that inspires people to conjure up their best Dr. Evil impression, although it’s no laughing matter.  1.2 billion compromised passwords is a remarkably stunning and shocking number.

It’s also one that has inspired a wave of articles asking “what can we do about this?” Telling people to reset all their passwords isn’t a real answer – we just got through telling them to do the same thing in April after the Heartbleed bug was discovered, and most Americans don’t have the stomach or the time to keep doing this every few months.

In the short term, there aren’t any silver bullets: nobody likes the security or usability of passwords, but we’ve had them for a long time because the market has struggled to develop compelling alternatives. These struggles were a major driver behind the issuance of the National Strategy for Trusted Identities in Cyberspace (NSTIC).  Some good technologies exist, but higher costs and burdens associated with these technologies mean they are not feasible unless we can use them across multiple sites.

As identity virtuoso Tim Bray noted in an article in Time this past week:

“The problem, and it’s a big one, is that you can’t really carry a different doohickey around for each of your passwords. The solution to that is obvious: just have one that works for lots of different apps. That will require some cooperation and infrastructure. There are smart people working on this idea, but we’re not there yet.”

A great thing about my job at NIST is: I get to lead a team of some of the smart people working on this.

An even better thing about the job: we’ve been joined by more than 200 companies and organizations in the Identity Ecosystem Steering Group (IDESG) – a private organization established to help support the implementation of NSTIC by tackling the creation of an Identity Ecosystem Framework – essentially the “cooperation and infrastructure” that Bray talks about.

IDESG has done awesome work over these last two years, and is making progress each week on version 1.0 of this Identity Ecosystem Framework, with a release target set for early next year. The Framework will provide a set of standards and operating rules that organizations can use to reduce their vulnerability to hackers – enabling their customers to use a set of more secure, privacy-enhancing, easy-to-use, interoperable solutions in lieu of passwords.

While we need more work done in the IDESG, we also need more of you. Many hands make light work and many minds make great work.  The more participants we can attract to the effort, the faster we can make progress.  IDESG is set to meet later next month in Tampa, September 17-19, alongside the Global Identity Summit.  Registration is free.  We look forward to you joining us there. While face-to-face working sessions are more productive, if you simply can’t get to Tampa that week, we always offer options for online participation. Check out for more info.


Creating More Options to Improve Privacy and Security Online

It’s well established that diversity of thought and backgrounds strengthens organizations of all kinds and that diversity is a key component of a strong economy. At the National Strategy for Trusted Identities in Cyberspace (NSTIC) National Program Office (NPO), we believe diversity is also the key to establishing a vibrant marketplace of options to replace outdated passwords with reliably secure, privacy-enhancing and convenient ways to prove who you are online.

The Identity Ecosystem Steering Group (IDESG) was launched under the auspices of the NPO but is a privately led group laying the groundwork for that marketplace through policy and standards development. The group held its ninth plenary meeting this week at the National Institute of Standards and Technology in Gaithersburg, Md. The meeting brought together a broad coalition of individuals and representatives from industry, privacy and civil liberties advocacy groups, consumer advocates, government agencies, and more, focused on giving people choices when they conduct secure transactions online.

Instead of giving up lots of personal information every time you go online, you could choose who gets what information about you by allowing a trusted third-party to verify your online identity and then assert specific attributes on your behalf—only as needed for a transaction.

At the IDESG meeting, we heard from pilot participant, which is collaborating with vendors such as Under Armour to provide discounts to military families and first responders. is in the process of receiving higher level certification for its solution so that users can access government services and medical records.

Pilot recipient PRIVO and its partners are helping online sites that cater to children obtain verifiable parental consent—giving parents new ways to protect their kids online. The Georgia Tech Research Institute and TSCP are each working on frameworks and tools that provide supporting infrastructure to enable increased interoperability—allowing different systems to work together. Even among companies not involved in the IDESG and NSTIC, we are seeing improved identity and authentication options in the marketplace.

The steering group and pilots are providing safe environments for competitors and organizations with diverse policy goals to work together to innovate and solve some of the underlying challenges to online authentication. Together, they are working on identity solutions that follow the NSTIC principles of being privacy-enhancing and voluntary, secure and resilient, interoperable, and cost-effective and easy to use.

We understand that not everyone will be comfortable with the same identity providers. Some might prefer to trust their information to a well-established company or government agency; others may prefer a non-profit or advocacy group, or a combination of these organizations. Through the IDESG and a series of pilot grants, NSTIC is fostering a diverse marketplace that will give users options.

This week we were fortunate to have representatives from AARP, the American Civil Liberties Union, the NAACP and the National Federation of the Blind to highlight the diversity of the online community. We encourage organizations such as these to join IDESG – and to explore partnerships to create identity solutions that look out for the interests of their communities in this new marketplace.

The more organizations that engage with the IDESG, the better the organization can lay the foundation for a full spectrum of trusted online ID providers. Online, as in life, we’ll find strength through diversity.


Join Senior Administration Officials at Upcoming IDESG Plenary, June 17-19, Washington, D.C

Implementation of the National Strategy for Trusted Identities in Cyberspace (NSTIC) is in full stride. Our three complementary initiatives – partnering with the private-sector led Identity Ecosystem Steering Group (IDESG), launching the Federal Cloud Credential Exchange (FCCX), and catalyzing the marketplace through NSTIC pilots– are hitting major milestones in 2014, contributing significantly to the emerging Identity Ecosystem envisioned in the strategy. We hope you will join us outside our nation’s capital at the NIST campus in Gaithersburg, Maryland June 17-19 to learn more, network with those engaged in NSTIC initiatives, and join in the important ongoing work of the IDESG. Virtual participation will also be available. Agenda highlights include:

White House Update. Michael Daniel, White House Cybersecurity Coordinator and Special Assistant to the President, will provide perspectives on the NSTIC as a key Administration identity and privacy initiative, including the importance of NSTIC to the Administration’s efforts to improve cybersecurity.

Department of Commerce Update.  Bruce Andrews, the nominee for Deputy Secretary of Commerce (and currently its Chief of Staff) will discuss how NSTIC fits in with broader Commerce Department and Obama Administration initiatives around privacy, innovation, and economic growth.

Trusted Identities for Electronic Health Records.  A senior representative of the Office of the National Coordinator for Health Information Technology (ONC) will kick off a session focusing on joint ONC-NSTIC activities in leveraging trusted identities to secure the exchange of health information online.  Panelists will discuss how the IDESG Health Working Group and HIMSS Identity Task Force will collaborate to inform ONC work.

NSTIC Pilot Update.   2013 pilot awardees, TSCP, GTRI, and Privo are currently deploying their innovative solutions in the marketplace, going into production in multiple industry segments including financial services and retail.  Join this session to see how these innovative solutions are meeting the increasing need for more secure, privacy-enhancing identity solutions online.

IDESG plenary and committee meetings. The IDESG – now newly incorporated as an independent, 501(c)(3) not-for-profit corporation – will focus discussion on building an Identity Ecosystem Framework of standards, policies and business rules to support the implementation of the NSTIC.  IDESG is driving toward this with support and resources from a broad and diverse array of stakeholders in the public and private sectors. The current focus is on building requirements and processes needed to establish trust mark and certification programs by the end of 2014.  We hope you will join us for an exciting three days for the NSTIC and the IDESG. For more information and to register, visit


My heart bleeds for better identity solutions, my brain is excited by the progress

Last week marked three years since President Obama signed the National Strategy for Trusted Identities in Cyberspace (NSTIC). In the NSTIC, the President called for a new private-public sector partnership to create an Identity Ecosystem, where all consumers could choose from a variety of credentials that could be used in lieu of passwords to enable more secure, convenient and privacy-enhancing transactions everyplace they go online. 

Looking back over the last three years, one thing that stands out is how much easier it has become to make people understand the problems with passwords – the recent Heartbleed bug is only the latest in a seemingly endless series of incidents highlighting this issue – and the need to embrace multifactor authentication as a way to protect themselves against attacks. 

While it’s been great to see the marketplace respond with increased support for two-factor authentication solutions – the reality is that consumers aren’t going to respond to an effort to replace the 25-30 passwords most of us manage today with 25-30 separate, stovepiped two-factor solutions. We have to do better.

To truly improve security, we need to also improve convenience.  And that requires interoperability of strong credentials – at both a technical and a policy level – enabling consumers to use (should they so choose) the same strong credential at multiple sites.

To that end, it was great to see more than 170 people gather in person at Symantec’s headquarters in Mountain View, California earlier this month – joined by another 70 online – for the 8th plenary meeting of the Identity Ecosystem Steering Group (IDESG).  The IDESG was formed 20 months ago specifically to create a framework of standards, policies and business rules for the Identity Ecosystem that would enable this interoperability. 

What stood out about this most recent meeting was how much progress the IDESG is making – in both committees and in the full plenary – on advancing the Identity Ecosystem Framework (IEF): 

  • Incoming Plenary Chair Kim Little-Sutherland and Management Council Chair Peter Brown presented on plans to craft version 1 of the Identity Ecosystem Framework by the end of 2014.  This would create a baseline for entities to self-attest to compliance with the IEF and set the stage for development of a comprehensive compliance and conformance program in 2015.  Based on the draft presented, the IDESG committees will work this year to finalize the rules, policies, standards references, and other components needed to support the Identity Ecosystem envisioned in the NSTIC.
  • We saw the Security committee present version 1 of Identity Ecosystem functional elements that will help to guide other IDESG deliverables going forward.  Adam Madlin of host Symantec shared with the plenary guidelines on how IDESG committees can leverage these functional elements and a set of requirements derived from the NSTIC to develop IEF functional requirements specific to the committees’ domains, and components necessary for the framework.
  • We saw the first round of NSTIC pilots report on their progress in catalyzing a marketplace of trusted identity solutions: Criterion, AAMVA, Internet2 and Daon participated in a panel discussion exploring the challenges in balancing the four NSTIC guiding principles in pilot design and execution.  They also stressed the importance of articulating a clear value proposition for individuals in using trusted identities to conduct online transactions to ensure pilot success.
  • We heard from two new NSTIC pilots focused on state governments: Michigan and Pennsylvania detailed how their pilots will improve online delivery of state government services by leveraging trusted identity solutions.
  • And we saw a new NSTIC cross-pilot collaboration working group meet in person in Mountain View, focused on ways to capitalize on the lessons learned in the pilots and translate these into concrete recommendations to the IDESG.  Of note, Ryan Fox of the NSTIC pilot, in a presentation to the Standards Coordination Committee, described common challenges in identity proofing across multiple pilots, including the need in the market for metrics to better measure the performance of Knowledge-Based Authentication (KBA) solutions.  Such metrics could enable relying parties, such as financial services institutions, health care providers, and retailers to assess the comparative reliability of commercially available KBA solutions to conduct online identity verification, including user authentication.  The cross-pilot working group suggested that the IDESG contemplate proposing development of a new KBA performance standard in an appropriate Standards Development Organization – a potentially very useful standard to reference in the IEF.

The role of the pilots in supporting the IDESG – and of the IDESG in supporting the pilots – continues to expand with each plenary.  As both efforts advance, they are together helping to influence the marketplace, address barriers to marketplace adoption of better identity solutions, and create a framework to support a viable Identity Ecosystem.

Three years in there is still much work to be done – but there is also tremendous progress.  With the IDESG incorporating as a formal not-for-profit corporation, the formal launch of the Federal Cloud Credential Exchange (FCCX) later this spring and a third round of NSTIC pilots set to launch in September, 2014 looks to continue to be a very exciting year. 

We appreciate the efforts so many of you have made over the last three years – and look forward to working more with you over the months and years to come as we drive material improvements in the way we enable trusted identities in cyberspace. However much it pains us to see yet another failing of poor authentication systems, it only serves to validate our efforts to date and motivate us to work harder towards the NSTIC vision.

We look forward to seeing you all at the Ninth IDESG plenary, which we are pleased to host at NIST June 17-19.


REMINDER: 8th IDESG Plenary Meeting in Silicon Valley, April 1-3

We cordially invite you to join us at the 8th in-person plenary meeting of the Identity Ecosystem Steering Group (IDESG), hosted by Symantec at their headquarters in Mountain View, Calif., April 1 – April 3.  In-person and virtual participation is free and open to all stakeholders interested in building an environment that ensures transparency, confidence and privacy online in a way that is easy to use and understand for businesses, governments and individuals.

Register to attend here. Review the agenda for the April plenary meeting here.

Three things stood out during the  last plenary meeting in Atlanta:

  1. The National Strategy for Trusted Identities in Cyberspace (NSTIC) pilots are starting to drive the conversation.
  2. Trustmarks matter, and the work being done in some of the NSTIC pilots is helping to drive new concepts for trustmarks forward.
  3. The White House challenge to the IDESG: develop a basic trustmark scheme for the Identity Ecosystem and get backing from a handful of high profile early adopters.

The upcoming April IDESG plenary will further advance progress on these issues and more; stay tuned for more details on what to expect in Mountain View April 1-April 3.

Since the IDESG first launched in August 2012, it has willingly taken on the complex and messy challenges of crafting a framework for identity solutions that can replace passwords, allow individuals to prove online that they are who they claim to be, and enhance privacy. Since that first meeting (more about the very first IDESG meeting here), more than 200 organizations and individual members—your colleagues, your partners and perhaps even your competitors—have joined together to help move the Identity Ecosystem Framework forward.  We look forward to you joining us in April.


Putting the Fed in Federation (Part 3): A New Way to Buy Identity Services

Co-authored by: Dave McClure, Associate Administrator, Office of Citizen Services and Innovative Technologies, GSA; Jeremy Grant, Senior Executive Advisor, Identity Management, NIST; and Randy Miskanic, Vice President Secure Digital Solutions, USPS

As part of the National Strategy for Trusted Identities in Cyberspace (NSTIC), President Obama directed Federal agencies to be early adopters of the Identity Ecosystem – which NSTIC defines as “an online environment where individuals and organizations are able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.”  Specifically, NSTIC calls upon agencies to:

“… lead by example and be an early adopter of identity solutions that align with the Identity Ecosystem Framework.  By adopting Identity Ecosystem solutions as a service provider, the Federal government will raise individual’s expectations and thus drive individuals’ demand for interoperability in their transactions with the private sector and other levels of government.   As a subject, the Federal Government must also continue to leverage its buying power as a significant customer of the private sector to motivate the supply of these solutions.”

In simple terms, this means that the Federal government should leverage the benefits of a privately-led Identity Ecosystem to offer better online services for citizens and businesses. To do this, we need:

1. A way for all agencies to leverage their purchasing power to buy standardized identity and authentication services that are interoperable across agencies.

2. A common infrastructure – the Federal Cloud Credential Exchange (FCCX) – that will allow agencies to integrate with these services with minimal effort.

3. A compelling business case that encourages the private sector to get their identity and authentication solutions approved for government use via the GSA Trust Framework Solutions program.

We’ve made good progress in establishing the common infrastructure – the US Postal Service (USPS) awarded a contract last summer to stand up the FCCX.  GSA also recently updated its Trust Framework Solutions program.  Both of these actions will make it easier for government and industry to partner on identity solutions that are standardized, interoperable, and offer value to all parties.

We still have work to do on establishing a way for agencies to buy standardized identity and authentication services.  While FCCX is the infrastructure to enable shared authentication services, we still have a hole in terms of standardizing credentials and how we buy them.  As a result, some agencies that have been moving forward with non-PKI solutions at levels of assurance (LOA) 2 and 3 have been doing so with solutions that do not interoperate with each other.  This is a problem for all of us as taxpayers and as citizens – we should not be asked to obtain and manage multiple credentials to do business with the government online.  As former White House Cybersecurity Coordinator Howard Schmidt noted in a blog post:

“…a citizen who is a veteran, a college student and a taxpayer ought not to have to obtain separate digital credentials at each agency website, but instead should be able to use ones he or she already has…Doing so allows the Federal government to streamline the customer experience and recognize real cost savings just when we need to be tightening our belts.”

A government-wide acquisition strategy is vital to realizing this vision – because agencies can only benefit if they are able to leverage a wide pool of interoperable credentials, and because our private sector partners need a clear and consistent understanding of how government will pay for their services.

GSA, NIST and USPS are working on an integrated strategy that creates an approach for government to purchase standardized identity solutions using a government-wide contract.

The approach we will be pursuing is one that is fundamentally different from the way that the government has procured these kinds of services in the past.  Rather than pay for credentials we intend to pay for authentication and attribute validation services.  This is fundamentally different for two reasons:

1. It provides industry flexibility in pricing its service to include elements like identity proofing and token issuance.

2. It allows industry to be compensated for the authentication of – and attribute exchange involving – credentials that were not originally issued for government purposes.  So long as the credentials are approved for government use, credentials issued originally for commercial purposes could also be the source of additional revenues the first time the credential is used at a government site.

This model shifts the government’s acquisition focus to what it needs:  services that provide authentication and attributes. Credentials are of course a necessary element of these services – but that fact alone does not mean the government should embrace a model where it pays for citizen credential issuance. Our strategy enables the NSTIC vision of a vibrant Identity Ecosystem where the same credentials can be used across the public and private sector.

While this long-term strategy is being fleshed out, the GSA’s Federal Acquisition Service (FAS) earlier this month released a Request for Proposals (RFP) under its Alliant vehicle seeking a limited quantity of authentication services to support the first phase of the FCCX pilot.

This RFP is intended solely to support authentication services at LOA 2 and 3 for the FCCX pilot.  It does not represent the government’s long term acquisition strategy for these services.  The next logical step – which we will pursue over the next year – is an acquisition vehicle that can support millions of authentication transactions for government services each year, and that will create a path for newly certified solutions to gain a spot on this acquisition vehicle.  As we seek to benefit from the broadest array of choices in the market, we need to let the marketplace know “if you are certified, you’ll be eligible to sell to us.”

Our long term goal is to have a vibrant ecosystem where citizens can choose to use a credential they already have to access most government sites and services, as well as creating a compelling value proposition for identity providers to meet government requirements and provide identity services.

Our offices are working through this strategy now and intend to develop it further over the next few months through collaboration both with government and industry. There is more to come, so stay tuned!


Join Us NEXT WEEK at RSA to Discuss How Privacy Enhancing Technologies Can Secure Identity Online

Join the National Program Office’s Senior Privacy Policy Advisor Naomi Lefkovitz at the RSA Conference in San Francisco on Wednesday, February 26, from 8AM-9AM PST to discuss enhanced privacy as a critical element of building trusted interaction online, the use of privacy-enhancing technology (PET) solutions, and challenges of commercial viability for PETs in identity systems.


For more on the session: Privacy Enhancing Technologies: Pipe Dream or Unfulfilled Promise? Wednesday, February 26, 2014 | 8:00 AM – 9:00 AM | West | Room: 2017


NSTIC.GOV Gets a Makeover

After three years of work on multiple fronts implementing the NSTIC, we are pleased to announce a new look and feel for our website,  With three rounds of pilot funding, facilitating the launch and operations of the Identity Ecosystem Steering Group (IDESG), and getting the federal government in the game as an early adopter of the Identity Ecosystem with the Federal Cloud Credential Exchange (FCCX), we set out to refresh the existing information and provide readers with easy entry points to important information that reflects where we are today and charts our course ahead.   Here are a few highlights:

CONTENT: We have updated content throughout, in particular by adding a new landing page on the Federal Cloud Credential Exchange (FCCX).  The FCCX is an initiative led by the United States Post Office, the General Services Administration – with support from  the NSTIC NPO – that leverages trusted identities to improve security and enhance the privacy of citizen interaction with the federal government.  We’ve also added new content on the core NSTIC guiding principles.

NEW FEATURES:  We added new features such as individual pages for each of the NSTIC pilot projects.  This will enable you to follow the progress of each pilot and the collective effort to “catalyze the marketplace” as the pilots tackle barriers to the Identity Ecosystem and seed the marketplace with “NSTIC-aligned” solutions to enhance privacy, security and convenience in online transactions.

STREAMLINED NAVIGATION:  We’ve streamlined the structure of the website by adding features such as bottom navigation and sortable databases for news stories, resources, and government announcements, providing easier and faster access to NSTIC information.

With twelve NSTIC pilots (and more to come!), this year’s FCCX launch, and the IDESG progressing toward an Identity Ecosystem Framework, the NPO plans to update the page frequently to keep you informed on progress within the government and in the private sectors to help individuals and organizations utilize secure, efficient, easy-to-use and interoperable identity credentials to access online services in a manner that promotes confidence, privacy, choice and innovation.

So go ahead, check it out, and check it often!


Atlanta IDESG Plenary Recap: Pilots, Progress, and the Value of Trustmarks

In just 18 months, the IDESG has come a long way from its chaotic first meeting in Chicago.  The phrase of the week for over 200 total in-person and virtual attendees this month at the Identity Ecosystem Steering Group (IDESG) plenary in Atlanta: keep your foot on the gas. With this in mind, attendees set their sights on a challenge laid down by and a senior White House cyber security official in the opening keynote: develop a trustmark scheme by the end of 2014, backed by a handful of high profile early adopters.

Responding to this challenge, the newest round of NSTIC pilots made their presence known, work on the Identity Ecosystem Framework moved forward, and the IDESG has taken a major step forward toward becoming self-sustaining, with members voting to incorporate IDESG as a not-for-profit corporation, governed by a Board of Directors.  It has established a handful of core committees that are making progress each week on components of the Identity Ecosystem Framework.  And it is starting to integrate ideas and results from NSTIC pilots.

Looking back at the plenary, three things stood out:

NSTIC pilots are starting to drive the conversation.

The IDESG and the NSTIC pilots were always envisioned as complementary efforts– with pilot outcomes and deliverables directly feeding work on the Identity Ecosystem Framework in the IDESG, and with IDESG deliverables being used to assist the pilots.  We’d already seen good examples of the latter – with each of the NSTIC pilots using the IDESG Privacy Committee’s Privacy Evaluation Methodology (PEM) to assess and refine their own adherence to the NSTIC’s privacy guiding principle– but there were fewer examples of the pilots driving IDESG activities.

That seemed to change at this most recent plenary; the work the pilots are doing is now directly informing and influencing work in IDESG committees.  This should not be a surprise – 12 NSTIC pilots are now active, and many of them are directly tackling some of the hairy policy issues that have been identified in committees.  In some cases, the pilots are moving forward with new and innovative approaches that the committees have not contemplated – and as they share their work and lessons learned, it is helping to drive the committee work in new directions.

Trustmarks matter

As pilots have proceeded, an issue that has come up time and time again with interested relying parties is branding.  Most federated identity solutions today require RPs to display the logos of the different identity providers that they accept – but many companies have bristled at the notion of displaying the logos of other firms on their homepage.  We’ve seen this in two NSTIC pilots, where the “identity guys” in major firms that wanted to participate could not persuade their marketing and branding teams to allow it – the teams would not stand for other logos on their website.

Yet these same sites do have other logos that are not company names but rather trustmarks – think VISA or BBBOnline – that tell customers how payment cards will be handled or whether a firm complies with the Better Business Bureau’s code of business practices.  It’s not a new logo that is an issue, it’s that logos tied to specific brands may be off-putting.

A company-neutral trustmark for online identity that is recognized by consumers and businesses may go a long way toward enabling consumers and businesses to more readily reap the benefits of the identity ecosystem. NSTIC itself discussed the importance of this trustmark – but progress has been elusive.

To that end, the work being done in some of the NSTIC pilots is helping to drive new concepts for trustmarks forward.  GTRI and Internet2 teamed up on a “Future of Trust” session on Day 2 of the plenary that discussed some new and novel approaches for applying the trustmark concept to the identity ecosystem.
The White House challenge

It’s not just the pilots that are driving the trustmark conversation.  On the first day, the IDESG heard a keynote from Andy Ozment, Senior Director for Cybersecurity on National Security Staff at the White House, where Andy reinforced the importance of NSTIC not only to the nation’s efforts to improve cybersecurity, but also as a keystone to efforts to ensure the openness, freedom and interoperability of the Internet.

When asked by an audience member what single task he wanted the IDESG to tackle in 2014, Andy had a simple answer: he challenged the IDESG to develop a basic trustmark scheme for the Identity Ecosystem and get backing from a handful of high profile early adopters.

This may not be a simple task, but we believe it is achievable.  The IDESG Trust Framework and Trustmark (TFTM) committee has been hard at work over the last year, and its efforts – combined with some of the new thinking emerging from the pilots – offer plenty of elements that can move this task forward.  The challenge over the next few months is to reconcile these different approaches on how a trustmark scheme can be created, and put a roadmap in place that will allow it to advance.

To that end, the next IDESG plenary is set for April 1-3 in Silicon Valley; details are at  We expect a great discussion and continued progress – both in the weeks leading up to it, as well as at the event – on how to drive a trustmark for the Identity Ecosystem Framework forward.


Building the Future of Identity Privacy

On Data Privacy Day, the NSTIC National Program Office is taking some time to reflect on our own efforts to improve privacy online. Fulfilling the promise of enhanced privacy is a critical element of building trusted interaction online. The first of the Strategy’s guiding principles, finding new solutions that are privacy-enhancing and voluntary, has been a key driver of pilot project selection and the NPO’s work to drive innovative approaches to online identity. One of the primary methods for improving privacy we have been encouraging is the use of privacy-enhancing technologies (PETs) – a topic I will be discussing at the upcoming RSA Conference, in a P2P session – Privacy-enhancing Technologies: Pipe Dream or Unfulfilled Promise?

The NSTIC envisions an “Identity Ecosystem” that curbs unneeded sharing of personal data and helps limit comprehensive tracking of people through their identity transactions, while still providing for a robust marketplace of trustworthy and secure digital credentials. Trusted identities can provide a variety of benefits: enhanced security, improved privacy, new types of transactions, reduced costs, easier to use credentials, and better customer service. Minimizing the data transmitted in transactions not only protects consumers’ privacy, it can enhance businesses’ ability to protect their reputation. However, there are high-value services that require effectively validating that customers are who they claim to be – such as in the financial and health care sectors as they move into the mobile economy.

Certain types of PETs employ well-researched methods of cryptography and can provide strong assurances about users’ credentials without the need for detailed exchanges of personal information. Imagine a customer providing a valid driver’s license to prove her age without actually revealing her full birth date or other unnecessary information. Moreover, privacy-enhancing cryptography can prevent the credential issuer from tracking service providers while still providing valid identification. In other words, service providers can realize the benefits of outsourcing identity management without also enabling credential issuers to build profiles of their customers to sell to competitors.
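The “prove her age without revealing her birth date” idea above can be illustrated with salted-hash selective disclosure: the issuer commits to each attribute separately and signs the list of commitments, so the holder can open only the attributes a verifier needs. This is an added example, not code from NSTIC or any pilot; it uses an HMAC with a constructed key as a stand-in for the issuer’s digital signature, so the verifier here is assumed to share that key.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed demo key. In a real deployment the issuer signs with a private key
# and verifiers only hold the public key; HMAC is used here only to keep the
# example dependency-free.
ISSUER_KEY = b"demo-issuer-key-not-for-production"


def _digest(salt: bytes, name: str, value) -> str:
    """Commitment to one attribute: SHA-256(salt || canonical JSON of [name, value])."""
    payload = salt + json.dumps([name, value], sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def issue(attrs: dict) -> dict:
    """Issuer: commit to each attribute with a fresh salt, then sign the digest list."""
    disclosures, digests = {}, []
    for name in sorted(attrs):
        salt = os.urandom(16)
        disclosures[name] = (salt.hex(), attrs[name])
        digests.append(_digest(salt, name, attrs[name]))
    tag = hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag, "disclosures": disclosures}


def present(credential: dict, reveal: list) -> dict:
    """Holder: forward the signed digests, but only the salt/value pairs being revealed."""
    return {
        "digests": credential["digests"],
        "tag": credential["tag"],
        "disclosures": {n: credential["disclosures"][n] for n in reveal},
    }


def verify(presentation: dict) -> Optional[dict]:
    """Verifier: check the issuer tag, then check every revealed attribute opens a digest.

    Returns the revealed attributes, or None if anything fails to check out.
    The verifier learns how many attributes exist, but nothing about hidden values.
    """
    expected = hmac.new(ISSUER_KEY, json.dumps(presentation["digests"]).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["tag"]):
        return None
    revealed = {}
    for name, (salt_hex, value) in presentation["disclosures"].items():
        if _digest(bytes.fromhex(salt_hex), name, value) not in presentation["digests"]:
            return None
        revealed[name] = value
    return revealed
```

Note that the digest list is the same in every presentation, so this gives minimal disclosure but not unlinkability: an issuer who sees the presentation could still recognize its own credential, which is the tracking problem the post says blind-signature or zero-knowledge PETs are needed to solve.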

While PETs that can provide the fundamental cryptographic support for anonymous transactions online have existed for some time, private sector adoption of these technologies has been almost non-existent. Despite growing demand for enhanced privacy online, online service providers have failed to provide solutions that would give users the ability to authenticate for privilege escalation with, for example, “zero-knowledge.” As a result, users often must disclose a large amount of personal information unrelated to the purpose of their request in order to realize their desired transactional outcome. The use and storage of this personal information creates a fundamental and unnecessary barrier to building trusted transactions online.

The Federal Cloud Credential Exchange (FCCX), a cloud-based identity federation pilot being implemented by the United States Post Office, the General Administration Services and the NPO, is a developing example of how we can manage the privacy of identity interactions between citizens and the Federal government. Currently, the FCCX supports “unlinkable” interactions through the system – meaning that a broker in the middle prevents credential providers from knowing at which agencies citizens are using their credentials and prevents agencies from knowing which credential provider citizens are using. But more work must be done, and the FCCX team is currently investigating PETs to support truly unobservable transactions, so citizens can access government services without fear of outside tracking or exposure of their identities.

So why aren’t PETs more widespread? I’ll be exploring how to achieve commercial viability for PETs in identity systems at the upcoming RSA Conference in San Francisco. If you’re in the Bay Area for the conference, please grab a seat at my session, in the Peer2Peer track on February 26th. It’s time to fulfill the promise of privacy-enhancing technologies.
