Next month, the National Strategy for Trusted Identities in Cyberspace will celebrate its fourth “NSTICiversary” – marking four years since President Obama called for industry, advocates, agencies, academics, and individuals to collaborate to make online transactions more secure for businesses and consumers alike.
Over the past four years, we’ve been privileged to work with thousands of stakeholders to jumpstart an Identity Ecosystem where all Americans can choose from a variety of interoperable tools that they can use for more secure, convenient, privacy-enhancing experiences online.
With this anniversary, I’ll be leaving my role as head of the NSTIC National Program Office (NPO), off to find the next great adventure. I’m thrilled that Mike Garcia, the NPO’s Deputy Director, will be stepping into my role, and I’m excited to see what he and the rest of the NSTIC team accomplish in the next phase of this important program.
As I prepare to leave, I’ve been asked by a lot of colleagues “where do you think we are with NSTIC?”
My answer has been that the country is in a great spot. At its core, NSTIC called for the marketplace to lead in advancing the Identity Ecosystem, and the marketplace has responded.
- Today, many of the firms we all do business with online are offering new, standards-based two-factor authentication solutions, enabled by new specifications like OpenID Connect and the Fast Identity Online (FIDO) Alliance’s Universal Two-Factor (U2F) and Universal Authentication Framework (UAF) specifications – enabling consumers to have more secure, easy to use alternatives to passwords to protect themselves online.
- 15 NSTIC pilots have helped to catalyze the identity marketplace, impacting students, senior citizens, veterans, and consumers of all types. The pilots are collectively laying the groundwork for a vibrant new market; they are developing and deploying solutions, models, and frameworks for online identity that didn’t previously exist. And, they are informing the development of the Identity Ecosystem Framework being developed by the Identity Ecosystem Steering Group (IDESG).
- Connect.gov is launching with several agencies, ensuring that a veteran who wants to not only get access to digital services at the VA – but also access digital government applications at the State Department, GSA, and NIST – can use the same strong credential interoperably across all of those sites, without having to create a new account at each. Moreover, that credential, in most cases, won’t even be issued by the government – because connect.gov is built to allow people use a credential they already have, rather than get something new. Because of President Obama’s Executive Order this past October, other major US agencies will also soon be integrating their digital applications with connect.gov, enabling a wide new range of secure, privacy-enhancing services for citizens.
- The IDESG is now an independent, non-profit corporation, and is making great progress toward delivering version one of an Identity Ecosystem Framework later this year. This Framework will deliver a baseline set of standards and policies that enables individuals and organizations to start using a new generation of more secure, convenient, privacy-enhancing credentials that are interoperable across the internet.
To be clear, none of these efforts takes place in a vacuum. Rather, they each are integral pieces to solving the complex online identity puzzle. And because of the progress on each, four years into the effort, we are well on pace to meeting the interim benchmarks that were laid out in the Strategy itself. In honor of NSTIC’s fourth anniversary, we will be publishing a series of blogs on standards, our pilots, Connect.gov, and the IDESG—and will be looking at the progress that has been made, as well as laying out the work still to be done. And to be clear, there is still a lot to do, and many ways for people to still get involved. But the progress that this effort has made these last few years is notable. At a time when concerns about security and privacy continue to keep the Internet from reaching its full potential, the philosophy underpinning the NSTIC is more vital than ever.
As President Obama noted when he signed the Strategy:
“The simple fact is, we cannot know what companies have not been launched, what products or services have not been developed, or what innovations are held back by the inadequacy of tools, like secure passwords, long ago overwhelmed by the fantastic and unpredictable growth of the Internet.
What we do know is this: by making online transactions more trustworthy and enhancing consumers’ privacy, we will prevent costly crime; we will give businesses and consumers new confidence; and we will foster growth and innovation, online and across our economy – in some ways we can predict, and in others ways we can scarcely imagine.”