My heart bleeds for better identity solutions, my brain is excited by the progress

Last week marked three years since President Obama signed the National Strategy for Trusted Identities in Cyberspace (NSTIC). In the NSTIC, the President called for a new private-public sector partnership to create an Identity Ecosystem, where all consumers could choose from a variety of credentials that could be used in lieu of passwords to enable more secure, convenient and privacy-enhancing transactions everyplace they go online. 

Looking back over the last three years, one thing that stands out is how much easier it has become to make people understand the problems with passwords – the recent Heartbleed bug is only the latest in a seemingly endless series of incidents highlighting this issue – and the need to embrace multifactor authentication as a way to protect themselves against attacks. 

While it’s been great to see the marketplace respond with increased support for two-factor authentication solutions, the reality is that consumers aren’t going to respond to an effort to replace the 25-30 passwords most of us manage today with 25-30 separate, stovepiped two-factor solutions. We have to do better.

To truly improve security, we need to also improve convenience.  And that requires interoperability of strong credentials – at both a technical and a policy level – enabling consumers to use (should they so choose) the same strong credential at multiple sites.

To that end, it was great to see more than 170 people gather in person at Symantec’s headquarters in Mountain View, California earlier this month – joined by another 70 online – for the 8th plenary meeting of the Identity Ecosystem Steering Group (IDESG).  The IDESG was formed 20 months ago specifically to create a framework of standards, policies and business rules for the Identity Ecosystem that would enable this interoperability. 

What stood out about this most recent meeting was how much progress the IDESG is making – in both committees and in the full plenary – on advancing the Identity Ecosystem Framework (IEF): 

  • Incoming Plenary Chair Kim Little-Sutherland and Management Council Chair Peter Brown presented on plans to craft version 1 of the Identity Ecosystem Framework by the end of 2014.  This would create a baseline for entities to self-attest to compliance with the IEF and set the stage for development of a comprehensive compliance and conformance program in 2015.  Based on the draft presented, the IDESG committees will work this year to finalize the rules, policies, standards references, and other components needed to support the Identity Ecosystem envisioned in the NSTIC.
  • We saw the Security committee present version 1 of the Identity Ecosystem functional elements that will help to guide other IDESG deliverables going forward.  Adam Madlin of host Symantec shared with the plenary guidelines on how IDESG committees can leverage these functional elements and a set of requirements derived from the NSTIC to develop IEF functional requirements specific to the committees’ domains, and the components necessary for the framework.
  • We saw the first round of NSTIC pilots report on their progress in catalyzing a marketplace of trusted identity solutions: Criterion, AAMVA, Internet2 and Daon participated in a panel discussion exploring the challenges in balancing the four NSTIC guiding principles in pilot design and execution.  They also stressed the importance of articulating a clear value proposition for individuals in using trusted identities to conduct online transactions to ensure pilot success.
  • We heard from two new NSTIC pilots focused on state governments: Michigan and Pennsylvania detailed how their pilots will improve online delivery of state government services by leveraging trusted identity solutions.
  • And we saw a new NSTIC cross-pilot collaboration working group meet in person in Mountain View, focused on ways to capitalize on the lessons learned in the pilots and translate these into concrete recommendations to the IDESG.  Of note, Ryan Fox of the ID.me NSTIC pilot, in a presentation to the Standards Coordination Committee, described common challenges in identity proofing across multiple pilots, including the need in the market for metrics to better measure the performance of Knowledge-Based Authentication (KBA) solutions.  Such metrics could enable relying parties, such as financial services institutions, health care providers, and retailers, to assess the comparative reliability of commercially available KBA solutions for conducting online identity verification, including user authentication.  The cross-pilot working group suggested that the IDESG contemplate proposing development of a new KBA performance standard in an appropriate Standards Development Organization – a potentially very useful standard to reference in the IEF.

The role of the pilots in supporting the IDESG – and of the IDESG in supporting the pilots – continues to expand with each plenary.  As both efforts advance, they are together helping to influence the marketplace, address barriers to marketplace adoption of better identity solutions, and create a framework to support a viable Identity Ecosystem.

Three years in, there is still much work to be done – but there is also tremendous progress.  With the IDESG incorporating as a formal not-for-profit corporation, the formal launch of the Federal Cloud Credential Exchange (FCCX) later this spring, and a third round of NSTIC pilots set to launch in September, 2014 looks to continue to be a very exciting year.

We appreciate the efforts so many of you have made over the last three years – and look forward to working more with you over the months and years to come as we drive material improvements in the way we enable trusted identities in cyberspace. However much it pains us to see yet another failing of poor authentication systems, it only serves to validate our efforts to date and motivate us to work harder towards the NSTIC vision.

We look forward to seeing you all at the Ninth IDESG plenary, which we are pleased to host at NIST June 17-19.


2 Responses to My heart bleeds for better identity solutions, my brain is excited by the progress

  1. Steve Wilson says:

    The Heartbleed debacle has many lessons for information security, and it’s always good to see more attention being seeded in the media, but I’m afraid Heartbleed has nothing to do with authentication. Even with two-factor logon, a site with the OpenSSL bug will still leak session secrets.
    For me, the stark thing about Heartbleed (coupled with the technically unrelated but eerily parallel “goto fail” bug in Apple’s SSL software) is it proves the shoddy state of software development. It turns out that mission critical security code is poorly structured, poorly tested, and poorly inspected — if it is inspected at all.
    There’s a wake-up call here — if security professionals are listening. Grand plans like NSTIC will be brought to their knees if we don’t take pause and pay a helluva lot more attention to the craft of programming.

  2. Jeremy Grant says:

    Thanks Steve — no argument on the need for better software development. Details clearly matter.

    My point on citing Heartbleed was not to argue that multi-factor authentication would have been immune to the problems of Heartbleed — although in some cases, depending on the specifics of the MFA solution it can help — but rather to highlight how Heartbleed is the latest incident to raise awareness about the inadequacies of our current password-centric ecosystem.

    When a major Internet site is advising consumers that their best response is to “call in sick and take some time to change your passwords everywhere,” it’s a good signal that we need something more user-friendly, secure and resilient.
