It’s a little hard to believe, but today marks the 5th anniversary of the NSTIC, the strategy for achieving trusted digital identities in a private sector-led identity ecosystem. Let’s take a glimpse back in time to where we were five years ago:
It’s 2011. Most (79%) American adults use the Internet. The average user needs 10 different passwords for their daily online activity, according to a UK study, and 3 out of 4 Americans don’t use sufficiently strong passwords for their most sensitive accounts. It’s also a year of unprecedented data breaches. In fact, “2011 boasts the second-highest data loss since [Verizon] started keeping track in 2004,” with 855 incidents and 174 million compromised records. Some companies are getting more aggressive in pursuing better security; 2011 is the year Google released two-factor authentication (2FA). While companies are beginning to adopt more secure solutions, they’re still uncommon, even in services with the most sensitive data: in 2011, only 35% of non-Federal short-term care hospitals have the capability for 2FA.
2011 is also the year the U.S. government released an ambitious strategy to improve digital identity and online interactions and achieve the NSTIC vision that individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.
Since then, the market has evolved and matured – and we are much closer to the Identity Ecosystem. Here at NIST, we’re focused on advancing standards, technology, and measurement science to drive commercial and government adoption of trusted digital identity solutions—and to do so, we’re executing on four primary tactics: partnerships, publications, market intelligence, and communications.
I’ll be perfectly clear: we have a lot of work left to do. But as we continue our drive to ubiquitous use of quality digital identity solutions, we oughtn’t overlook the extraordinary progress this community has made. As the market has changed, so has the work of NIST and its partners. Here’s a look at just how far we’ve come…
Development of standards is increasing the interoperability of identity solutions. The last five years have brought great progress harnessing collective experience in the community to develop identity-focused security and privacy standards, protocols, and profiles that can be utilized across sectors.
- Several initiatives, including the Kantara Initiative with user-managed access (UMA) and the OpenID Foundation with OpenID Connect, are leveraging OAuth 2.0, a protocol that enables the user to grant a relying party access to private resources on a service provider’s site.
- The Identity Ecosystem Steering Group (IDESG) published the Identity Ecosystem Framework (IDEF), which includes requirements for organizations to align with the NSTIC Guiding Principles, along with supplemental guidance and a functional model.
On January 12-13, 2016, the Applying Measurement Science in the Identity Ecosystem workshop, hosted by NIST, brought together 224 public and private sector stakeholders to discuss the feasibility of and approaches to measure and compare attribute metadata and confidence scoring, strength of authentication, and strength of identity proofing.
Government adoption is increasing. Since 2011, the government has shown dedication to enhanced security and privacy through marked progress in government-wide practices.
- The Department of Commerce increased strong authentication from 30% in FY13 to 88% in FY14, while the Environmental Protection Agency jumped from 0% to 69% in the same timeframe.
- The General Services Administration has five agencies in a limited production pilot with Connect.Gov, an operational implementation of a privacy-enhancing technology.
In 2013, with funding from the Office of Management and Budget’s Partnership Fund for Program Integrity, NIST awarded two state-focused pilots, which have enabled over 800,000 Michigan citizens to prove their identity online to digitally access state benefits and services, and Pennsylvania citizens to electronically submit claims to the Pennsylvania Human Resources Commission.
Commercial adoption of trusted identity solutions is increasing. The NSTIC calls for the private sector to “lead the development and implementation of this Identity Ecosystem,” and organizations have stepped up, improving how they do identity.
- In the last five years, many companies have enabled versions of MFA (sometimes 2FA or 2-step verification) for users: Google and Facebook did so in 2011; Apple, Twitter, and LinkedIn first offered the feature in 2013; Slack, Snapchat, and Amazon followed suit in 2015; and Instagram began rolling out 2FA in early 2016.
- Since 2012, we’ve funded 18 pilots to facilitate the adoption of innovative, NSTIC-aligned identity solutions. The pilots have impacted over 3.8 million individuals, with advances occurring across 11 sectors.
Under Armour’s military and first responder market segment saw 30% revenue growth in its first year relying on NSTIC pilot ID.me for identity attribute verification and credentialing.
Individual adoption is increasing as well. The success of the Identity Ecosystem, according to the NSTIC, “depends, in large part, on encouraging individuals and organizations to adopt it,” because “the greater the number of participants in the Identity Ecosystem, the greater the value that each will obtain from participation.”
- In 2013, only 25% of Americans had used 2FA in the past. This number rose to 39% in 2015 as individuals have gained awareness of, and access to, 2FA.
- Daon built upon lessons learned from its NSTIC pilot to inform the launch of more convenient and effective mobile account access for USAA members using Daon’s facial and voice recognition technology. Over 100,000 USAA members had signed up for biometric login a few weeks after its launch.
The Cybersecurity National Action Plan calls for an awareness campaign that focuses on broad adoption of MFA. The National Cyber Security Alliance will build off the Stop.Think.Connect. campaign and efforts stemming from the NSTIC, partnering with technology companies and civil society to promote this effort and make it easier for millions of users to secure their accounts online.
So what does all of this mean for the development of the Identity Ecosystem? I expect adoption of these solutions to follow the same S-shaped diffusion as most technologies—and we are, in my estimation, past the critical first inflection point. We have solutions, some early adopters, and promising indications for the future. It’s time to continue innovating and to scale.
We, the broad digital identity community, have made great strides over the last five years, and we’re expecting many more achievements as we finish the job. So much so, in fact, that NIST thinks each of these deserves an in-depth look, and we’re doing so through two new documents.
In May, we’ll release a two-part series of NISTIRs exploring the strategic landscape of digital identities. The first document will take a deep dive on market progress in the last five years, while the second will be an implementation roadmap for the second half of our 10-year goal of achieving the sustained, continually-evolving Identity Ecosystem.
We look forward to continued development and adoption of trusted digital identity solutions and growing our partnership on the second half of this journey. Happy adopting – and a happy NSTICiversary to all!