Register now: Applying measurement science in the Identity Ecosystem workshop

Registration is now officially open for the ‘Advanced Identity Workshop: Applying Measurement Science in the Identity Ecosystem’ coming up on January 12-13, 2016, at the NIST campus in Gaithersburg, Maryland.

This two-day advanced identity workshop will bring together a diverse community of technology vendors, cybersecurity researchers, policy makers, and other experts from the public and commercial sectors to tackle three tough issues in developing measurement science in identity and access management: strength of identity proofing, both remote and in-person; strength of authentication with a focus on biometrics; and attribute confidence to assist in effective decision-making.

This is not a workshop for solely listening and learning. To make meaningful progress toward measuring the performance of solutions, we need participants to contribute their expertise.

  • For identity proofing and authentication: What approaches have worked in your organization? What data would your organization look at to quantitatively assess strength in a consistent and repeatable way? What would a provider have to communicate to your organization for you to trust their solution? How is comparability assessed among disparate technologies and processes?
  • For attribute confidence: What attribute metadata really matters to your organization’s decision-making? What implementation options should be evaluated to reduce the impact on entities that assert or consume attributes?

“One of the ultimate goals of the NSTIC is to achieve an environment in which we are able to deliver solutions at least as fast as our adversaries can break them,” said Mike Garcia, acting director of the NPO. “This workshop is a critical step in advancing how government—and we hope the market writ large—measures and compares authentication and authorization solutions based on how they perform, enabling more informed risk-based decisions. Getting this right matters and we couldn’t be more excited to launch this effort.”

This technical workshop will include a mix of moderated panels and facilitated working sessions that will determine meaningful and actionable next steps that NIST and its partners will undertake in establishing measurement science in identity management. In the coming weeks we will release three whitepapers—one for each area of focus at the workshop—on our website. We encourage attendees to read them and arrive with their ideas to move our community forward.

Confirmed speakers and panelists at this time include: Darran Rolls (SailPoint), Gerry Gebel (Axiomatics), Leif Johannson (SUNET/Kantara), Vance Bjorn (Digital Persona/Cross Match), Stephanie Schuckers (Clarkson/FIDO Alliance), Cathy Tilton (CSC), David Kelts (MorphoTrust USA), Dario Berini (NextgenID), Kim Little (LexisNexis), Brett McDowell (FIDO Alliance), Ian Glazer (SalesForce), and LaChelle LeVan (GSA).

@NSTICnpo on Twitter


Launching iGov: secure and privacy-enhancing identity authentication and authorization profiles developed on an international scale

International collaboration among the public and private sectors is now expanding with the announcement of a new OpenID Foundation (OIDF) working group called the International Government Assurance Profile (iGov)—launching on October 26th at the OIDF Workshop in Mountain View, California. The iGov profile working group will develop an interoperable profile of OpenID Connect (OIDC) to allow users to authenticate and share consented attribute information in a consistent and user-centric manner.

With over 10 international governments and multiple private sector organizations already participating, iGov will set the foundation for secure and privacy-enhancing authentication and authorization transactions based on common requirements from the global community. The primary objectives of developing this profile in an open forum are two-fold:

  1. Harness the collective experience and lessons learned of multiple international governments to develop a security and privacy profile that can be utilized across a range of public sector online offerings, and
  2. Obtain buy-in from private sector partners and product vendors that deliver technologies for digital identity services.

Through this collective effort, product vendors can enhance their solutions once to be internationally conformant—rather than clogging their product pipeline with multiple costly enhancements focused on satisfying one government at a time. This, in turn, reduces integration time to enable trusted identity transactions, allowing governments to accelerate the delivery of citizen-centric services. As more and more public sector services incorporate the iGov profile into their identity infrastructures, global interoperability will shift from something to which we all aspire to something that is built into the underlying fabric of identity services.

The scope of the working group is to:

  • Develop a set of internationally-applicable use cases and requirements to expand the current portfolio,
  • Define a set of profiles for OAuth 2.0 and OIDC,
  • Promote progressive harmonization with existing specifications and protocols as appropriate, and
  • Support deployment architectures that are common in today’s marketplace.

To provide iterative testing and feedback along the way, Connect.Gov, the U.S. government’s shared service for privacy-enhancing authentication and attribute delivery, will pilot the iGov profile with early-adopter agencies. When the iGov profile is complete, it will be road-tested and ready to go!

Objective 4.2 of the NSTIC calls for international integration of the Identity Ecosystem, and the number of governments and private sector partners actively participating in this effort is a terrific indication of the flourishing partnership of diverse stakeholders; we are one step closer to a rich ecosystem of innovative products for identity services!

We already have a great group of collaborators, but we’re always looking for more active participation to make this working group as successful as possible—so please visit the newly launched iGov website to find out more about how to join.

For more information, feel free to read the iGov charter and subscribe to the mailing list. You can also follow the NSTIC NPO on Twitter to get additional updates in the future.


Breaking news: the IDEFv1 is now available to the public!

In the NSTIC, the president called for an “overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem.”

Today, I’m proud to announce that the privately-led Identity Ecosystem Steering Group (IDESG) has delivered. Thanks to the incredible dedication of the IDESG’s volunteer membership, version 1 of the Identity Ecosystem Framework (IDEF) is now a final public document. This framework raises the bar for online transactions and substantially advances the Identity Ecosystem.

The IDEF provides a foundation for the Identity Ecosystem, which is necessary to continually improve online commerce, the efficiency of digital services, and online interactions. The IDEFv1 will also serve as the foundation for the Self-Assessment Listing Service (SALS)—poised to be operational in January—that will enable businesses and organizations to assess and report on the status of their conformance to the minimum requirements for alignment with the NSTIC Guiding Principles that identity solutions will be: privacy-enhancing and voluntary, secure and resilient, interoperable, and cost effective and easy to use.

Service providers that self-attest will have the opportunity to differentiate their services by demonstrating the enhanced protections and practices they have put in place to safeguard consumers and business partners. Individuals and organizations can then more easily identify trust-worthy service providers and solutions—an essential step in building a vibrant and flourishing Identity Ecosystem. The complete IDEFv1 package released today includes:

  • Baseline requirements: the set of minimum requirements for identity ecosystem participants
  • Supplemental guidance: additional information to further clarify the requirements for all audiences
  • Functional model: a breakdown of the functions in an identity interaction
  • Scoping statement: setting the path for the IDEFv2 and the IDESG program listing and certification scheme

Since day one I’ve stood as witness to the remarkable effort of the IDESG’s volunteers. Now, I’m excited to see the impact of the IDEFv1 on the marketplace for identity solutions and the impact of more trustworthy solutions for consumers. In the coming months the IDESG will finalize the SALS to ensure a simple and streamlined ability for organizations to self-attest to the IDEFv1. I look forward to more progress in the future and thank everyone for their continued dedication. Congratulations!

To see the released IDEFv1 package, please visit and follow the NSTIC NPO on Twitter for updates.


A major NSTIC milestone: IDEFv1 set for October 20th public release

When the Identity Ecosystem Steering Group (IDESG) plenary convened last week in Tampa, Florida, attendees meant business. By Friday afternoon, committees had finalized the baseline requirements and supplemental guidance for v1 of the Identity Ecosystem Framework (IDEF). Now the plenary stands in recess with the IDESG on track for a major milestone: completion of the IDEFv1, set for public release on October 20th!

The IDEF, chartered for establishment and governance by the IDESG, will stand as the policy foundation for the Identity Ecosystem (IE). After much effort by the IDESG working committees – including collaboration with the NSTIC pilots to level-set with commercial entities – the IDESG has produced a set of baseline requirements that will enable self-attesting entities to assess and report on their alignment with the NSTIC Guiding Principles. This represents a major step forward in influencing the marketplace toward the NSTIC vision. The IDEFv1 will be released for a final reading period on October 7th, and the plenary will reconvene virtually on October 15th at 2:00 PM ET to approve the package. During the Plenary meeting, Plenary Chair Kim Sutherland recognized the substantial effort and commitment of the IDESG committees – and in particular the individual committee chairs – for all of their work to produce the IDEFv1 as the IDESG’s major collaborative work product and contribution to the IE.

Beyond the committee work of finalizing the requirements, plenary attendees:

  • Advanced the Self-Assessment Listing Service (SALS) as led by the Trust Framework and Trustmark (TFTM) Committee. Set to begin operations by the end of the year, the SALS will enable IE participants to assess and assert conformance with the IDEF requirements, publicly announcing their commitment—and operational adherence—to the Baseline Requirements for privacy, interoperability, security, and usability.
  • Received updates on the NSTIC pilot progress from recipients and their partners. Pilot recipients brought along relying parties that gave the bigger picture on the role of these projects in the market. Plenary attendees heard from GSMA, joined by representatives from Payfone and Verizon; GTRI, joined by a representative from the State of Alabama; MorphoTrust USA; and the University Corporation for Advanced Internet Development (UCAID or Internet2).
  • Had an intro to our three new additions to the NSTIC pilots family, a preview of the NSTIC NPO’s future activities, and were the first to hear about the NPO’s upcoming workshop.

Simply put, part one of the currently-recessed plenary went off as planned. It was productive and all could feel the energy of IDEFv1 nearing release. Now, the IDESG looks to push the IDEFv1 across the finish line at the October 15th virtual plenary. Stay tuned for more exciting IDEF updates in the coming weeks—the Identity Ecosystem has never felt so close!

…as always, remember to follow us on Twitter!


Save the Date: NSTIC identity proofing, authentication, and attributes workshop – January 2016

We’re thrilled to announce that on January 12-13, 2016, the NSTIC National Program Office, with our colleagues here in NIST’s Information Technology Lab, will hold a technical workshop called ‘Applying Measurement Science in the Identity Ecosystem.’ Participants will collaborate about ways to measure and compare the performance of key solutions in the Identity Ecosystem, specifically:

  • Strength of identity proofing, both remote and in-person;
  • Strength of authentication with a focus on biometrics; and
  • Attribute confidence to assist in effective authorization decision making.

This two-day event at the NIST campus in Gaithersburg, Maryland, will bring together leading security practitioners, solution providers, experts, and policy makers from across sectors. With the growth of available solutions in the market, the NPO believes it’s now time to improve the science behind identity assurance—and that the agencies and industry will benefit from better tools to measure the performance of solutions.

NIST is shifting its focus to these issues at a vital time. Last October, President Obama’s Executive Order 13681 called for multi-factor authentication and effective identity proofing processes in federal agencies’ digital services that involve personal data. Emerging technologies, like those in mobile and biometrics, are poised to be game-changers in the way we think about identity and access management. Based on these innovations, the explosion of tools and techniques in the market, and the need to remain flexible in guidelines and standards, we believe metrics are a critical element of well-informed risk decisions. By aligning risk tolerance with a measure of strength in proofing and authentication – or attribute confidence – agencies can determine exactly which market solutions can best meet their needs.

In the coming months we will release a series of brief white papers addressing each of the primary focus areas for the workshop. With the white papers as a starting point, stakeholders will have an opportunity to provide critical feedback at this workshop and guide our next steps—which we envision will be critical inputs to federal guidance on each of these topics as well as international standards. To make these efforts meaningful we need engagement from a diverse array of stakeholders on how measurement science and risk practices can be aligned to help mitigate the cyber threats we all face today. Bring your solutions and your insight to the table and help us improve online identity!

Stay tuned for registration information on our new NSTIC events page and for the release of our white papers.

…and remember to follow us on Twitter!


Introducing the 3 newest members of the NSTIC pilots family!

The NSTIC pilots family is growing today with the announcement of three new pilot projects receiving NIST grants!

These projects will join the ranks of the 15 active NSTIC pilots and alumni that know all about catalyzing a marketplace of identity solutions. The NSTIC pilots family has done a great deal to seed the market, including:

  • Bringing together over 130 partner organizations in support of advancing the NSTIC across 10 major industry sectors;
  • Impacting approximately 2.3 million individuals;
  • Enabling 10 MFA solutions such as SMS text and multi-modal biometrics; and
  • Establishing or enhancing five commercial trust frameworks to facilitate interoperability of NSTIC-aligned credentials across sectors.

With a new round of NIST grant awardees, we have yet another opportunity to bring NSTIC-aligned solutions to the masses. This year’s additions are developing and deploying awesome, innovative solutions to address the toughest identity conundrums associated with everyday transactions; the pilots are aimed specifically at reducing tax refund theft, improving the security of medical information, and providing secure online storage for internet-of-things enabled devices.

This year’s selections show how we’re transitioning our pilots program to focus on filling more specific, critical gaps in the marketplace. In one of the federal funding opportunities (FFOs) we released earlier this year, we solicited projects with a focus on privacy-enhancing technologies since we’ve found privacy to be one of the most challenging NSTIC Guiding Principles for organizations to address. This more specific FFO followed a general solicitation for NSTIC-aligned solutions, which mirrored NSTIC FFOs of years past.

From submissions to these two FFOs, we at the NSTIC National Program Office selected three new pilot projects to push the boundary of identity management as it currently stands.

Without further ado, the grantees announced today are:

MorphoTrust USA (Billerica, Mass.: $1,005,168) MorphoTrust’s second NSTIC pilot grant will focus on preventing the theft of personal state tax refunds. Through MorphoTrust’s partnerships with multiple states, the project will show how to efficiently leverage trust created during the online driver licensing process (which includes enrollment, verification through biometric identification, authentication and validation, and issuance) in a scalable way to create trustworthy electronic IDs that individuals control.

HealthIDx (Alexandria, Va.: $813,922) HealthIDx proposes to deliver an innovative, privacy-enhancing technology that protects patients’ identity and information. This project will pilot a ‘triple blind’ technology in which medical service providers have no knowledge of which credential service provider an end-user chooses, credential service providers have no knowledge of which medical service provider the end-user is visiting, and the identity broker has no knowledge (nor retains any information) about the transaction’s parties or contents.

Galois, Inc. (Portland, Ore.: $1,856,778) Galois will build a tool to allow users to store and share personal information online. The user-centric personal data storage system relies on biometric-based authentication and will be built securely from the ground up. As part of the pilot, Galois will work with partners to develop just-in-time transit ticketing on smart phones and to integrate the secure system into an internet of things-enabled smart home.

NSTIC pilots aren’t just about executing on the descriptions above. These last few years, they have been vital in offering a commercial perspective on the Identity Ecosystem Framework to the Identity Ecosystem Steering Group, piloting the newly drafted Privacy Risk Management Framework for the privacy engineering team at NIST, and providing feedback for NIST publications, such as NISTIR 8054. We look forward to seeing these three 2015 pilots follow suit and advance the NSTIC. And with these three pilots addressing identity challenges in everyday transactions, we can’t wait to see entirely new groups of individuals benefit from the security, privacy, and convenience of NSTIC-aligned solutions.

We at the NSTIC NPO will be sure to keep you updated as these pilot projects unfold, so be sure to check our blog and Twitter regularly for updates.

MorphoTrust, HealthIDx, and Galois: welcome to the family!


NIST civic hacking day challenge sparks the creation of an innovative new API

Multi-factor authentication (MFA) is near and dear to our hearts at NSTIC. We understand how important it is to the security and privacy of online transactions and we get excited about any opportunity to increase the awareness of—and encourage the adoption of—MFA. This is why we jumped at the opportunity to submit a challenge about MFA for the National Day of Civic Hacking earlier this summer.

NIST hosted a ‘Two Factor Frenzy’ challenge that called for a tool designed to show users which sites currently offer MFA that could be personalized based on their online habits. Two colleagues at Code HS in San Francisco joined forces to work on a solution for us: Kurt Hepler and John Kelly. Kurt and John both recently became interested in cybersecurity; Kurt is an avid coder who tutors students and teachers, and John is a programmer who changed his major at Berkeley from cognitive science to computer science when he realized he had a passion for it. This was their first time as civic hacking participants—and their first time building an API. They chose to work on our challenge because of the cybersecurity focus and the creativity we encouraged.

Kurt and John decided to build and launch a publicly available API that makes the data from (which compiles information about which websites support MFA) easier to access through a browser extension. The API can show internet users if the website they are visiting offers MFA—in hopes of adding simplicity and convenience for the user. They also expanded the API’s dataset to include even more information about the security of the websites being visited (e.g., if the website has phone call support, email support, and hardware token support).

The browser extension for Chrome and Firefox can be downloaded from the Chrome Web Store and at Add-ons for Firefox now. You can also look up if a website offers MFA on their website, Check This Site. Kurt and John are currently working on a way for others to be able to add information to their database as more sites adopt MFA—and say they already have a plan for how to make this work. Ultimately, they would like to allow the community to contribute so the tool is as useful, robust, and effective as possible.

Kurt has reasons for his passion on MFA. He says, “As we continue to spend more and more of our time online, the need for safer online practices becomes increasingly important. This is especially true when you think about how much personal information we share online. Whether we’re checking email or filing taxes, there’s a lot of info about us that we want to keep secure. To this end, MFA can have a huge impact on keeping us and our data safe. We hope that our project will be helpful in educating about and promoting these resources and practices.”

We at NSTIC appreciate that Kurt and John took the time to collaborate and come up with a solution to our challenge. This was the first time NIST participated in the National Day of Civic Hacking, and we are really happy with how the event turned out. Tools like those developed in the hacking day challenge help advance the Identity Ecosystem and, in the case of our challenge, encourage service providers to offer MFA—which will make the online world more secure in the future… and will keep us happy in the meantime.

More information about the API is on ChallengePost (which includes additional links and screenshots).

…And remember to follow us on Twitter!


Goals of NSTIC past, present, and future: NCSA guest blog interview

Our friends at the National Cyber Security Alliance recently caught up with Mike Garcia, acting director of the NSTIC NPO, to jumpstart their new executive Q&A blog series! This interview will give you a glimpse into what the NSTIC NPO has accomplished in the last four years and what we’ve got planned in terms of catalyzing the marketplace in the future. Mike also talks about what the NPO is most proud of and how we’re changing things up a bit.

Spoiler alert: we’re homing in on impacts and outcomes while driving commercial adoption, federal adoption, and advancement in science, technology, and measurement science. Plus, we’ve launched a bunch of new developments, like NIST joining the FIDO Alliance, advancing our pilots program, and releasing the draft NIST IR 8062: Privacy Risk Management for Federal Information Systems, just to name a few. Check out the new NCSA blog post and follow us on Twitter for more updates in the future.

Plus: we’ll be participants in the NCSA Twitter chat about strong online authentication tomorrow – Thursday, July 16th at 3 p.m. ET. Follow the conversation using #ChatSTC.


Fourth and goal: closing in on the Identity Ecosystem Framework

It’s certainly too early to spike the ball, but yesterday the Identity Ecosystem Steering Group (IDESG) met another milestone by approving the initial set of baseline requirements for the Identity Ecosystem Framework (IDEF). These requirements are a critical element to building the IDEF—which the IDESG has been chartered to establish and govern. As identified in the NSTIC, successful establishment of the IDEF is a must-have in the ongoing successful development of online commerce, government efficiency, and effective and efficient communication among and between individuals, the private sector, and the public sector. The baseline requirements were developed by IDESG work committees to address minimum requirements for Identity Ecosystem participants in four key areas: privacy, security and resiliency, interoperability, and user experience. These areas align directly with the committee structure of the IDESG and with the Guiding Principles of the NSTIC.

The requirements will serve as the basis for the IDESG’s Self-Assessment Program—which is targeted to be operational later this year. Under this scheme, identity service providers and relying parties will be able to self-assess their own policies, procedures, and operations to the baseline requirements and attest to conformance to them. The IDESG will offer a public listing service for those organizations that self-assess and determine conformance to the baseline requirements. The functional model, requirements, Trustmark program scope, and scoping statement will comprise the initial version of the IDEF as envisioned in the strategic plan.

The IDESG Privacy, Security, Standards, and User Experience Committees, along with the IDESG Framework Management Office, have been working hard to develop the baseline requirements since last year. The Self-Assessment Program is intended to enable those service providers to apply the requirements to their own operations to determine where they meet the requirements—and to identify areas that may need some focused attention in order to conform to the baseline in the future.

It’s important to note that the baseline requirements are currently in the form of a set of requirement statements; the IDESG working committees are currently developing supplemental information for each of the requirement statements to further clarify and explain the requirements (and how they can be met at this stage). The supplemental information is intended to help explain the requirements to all audiences, but, in particular, is intended to help guide those organizations that intend to perform self-assessments against the requirements later this year. This supplemental information will be part of the IDEF v1 release later this year.

The next IDESG plenary will take place in Tampa, Florida, on September 24 and 25—co-located with the Global Identity Summit. The IDESG looks to complete the remaining aspects of IDEF v1—supplemental guidance, scoping statement, and self-attestation and listing service—in time for approval at this upcoming plenary. Kudos to the IDESG for accomplishing this major milestone, and we are looking forward to advancing further downfield this summer and getting IDEF v1 into the end zone.

Follow the NSTIC NPO on Twitter for the latest updates.


NIST joins the FIDO Alliance

Recently NIST joined the FIDO Alliance under its newly-created government membership class. The FIDO Alliance was formed in July of 2012 and aims to bring easy-to-use, privacy-enhancing authentication devices to the consumer mass market. FIDO-based credentials are designed to provide an anonymous key without any publicly available serial number or central authority. The FIDO 1.0 specifications allow for strong, multifactor credentials, a major point of focus in the National Strategy for Trusted Identities in Cyberspace.

NIST, which is home to the National Program Office for implementing the NSTIC, is committed to bringing stronger authentication to individuals – which makes this new partnership a logical and exciting next step toward achieving its mission. “We are thrilled that FIDO is welcoming government participation in this industry-led initiative, and we look forward to supporting the development of future specifications. We see this as a great opportunity to advance work on both sides and to bring NIST’s capabilities to the FIDO table,” said Mike Garcia, acting director of the NSTIC NPO.

Being a member of the FIDO Alliance will help government strengthen its role as an early adopter of new identity solutions. “I can see a day in the near future when some consumers will start to insist on leveraging a FIDO-based authenticator to access government services through Connect.Gov,” added Paul Grassi, NSTIC standards and technology lead. This partnership will also support the work of the Identity Ecosystem Steering Group (IDESG) as the goals of each organization are extremely complementary. The IDESG is a private sector-led organization developing a framework of requirements and policies—leveraging existing industry standards—for interoperability across the Identity Ecosystem.

Executive director of the FIDO Alliance Brett McDowell said, “Cross-sector collaboration is vital to wide adoption of FIDO specifications, and we consider NIST an ideal government member. There is little doubt that the NSTIC, and the work of the NSTIC NPO, have had a direct and positive influence on several of the contributors in the FIDO Alliance, and I’m optimistic about the great things we can accomplish working together directly to promote stronger authentication.”

Follow the NSTIC NPO on Twitter for the latest updates.
