Following nearly a year of consultation with public and private sector stakeholders, the Obama administration on Friday released the final version of its National Strategy for Trusted Identities in Cyberspace (NSTIC).
The strategy, first unveiled in draft form in June, lays out a roadmap for the public and private sectors to build an “ecosystem,” whereby the identities of individuals, organizations, networks, services and devices involved in online transactions can be trusted, according to the final document.
But while parts of this exist today, achieving the entire plan is years away, according to experts.
Members of the private sector, aided by the government, will be responsible for developing and deploying the technologies, standards and policies needed to implement the proposal.
“The old password and username combination we often use to verify people is no longer good enough,” said Commerce Secretary Gary Locke, during Friday’s unveiling of the strategy at the U.S. Chamber of Commerce. “It leaves too many consumers, government agencies and businesses vulnerable to identity and data theft.”
As part of the strategy, individuals would be able to voluntarily obtain a secure credential – such as a piece of software on their smartphone, or a smart card or a token that generates a one-time password – from their choice of public and private sector identity providers. This credential would be used for online authentication when banking, accessing electronic health records, sending email and making online purchases.
Since users would be able to choose from a variety of credential providers, there would be no single, centralized database of user information, the White House said in a news release Friday.
The strategy has received widespread support from private sector companies, such as PayPal, Microsoft and Adobe; advocacy and academic organizations, such as the Center for Democracy and Technology, and the American Bar Association; as well as members of Congress.
One such advocate, Steven Sprague, CEO of authentication and encryption solutions provider Wave Systems, told SCMagazineUS.com on Friday that to facilitate such an environment, banks, health care providers, and email and cloud service providers will need to offer consumers the option of using strong authentication credentials.
If realized, an identity ecosystem would provide tremendous benefits and convenience to users, he said.
For example, individuals could have an electronic identity that could be used when conducting online transactions, he added. They also could have more than one identity – one for personal use, another for business.
“I [would] have no more passwords to remember,” Sprague said. “When I go to open an account, instead of making a new username and password, I can bring an existing credential I already know, and say, ‘Use this account.’”
Moreover, identity service providers would help users manage their identities over time, making it easier for individuals to keep track of where they have opened and closed accounts, he said.
Others, however, said the strategy may do more harm than good. According to a paper, released Friday by data leakage prevention software maker Identity Finder, “powerful identity credentials,” as are being proposed, could enable “hyper-identity theft.”
To mitigate this issue, Identity Finder executives recommend that complementary federal regulations be enacted, mandating that all ecosystem participants implement a set of baseline information security and privacy protocols. The regulation should also include provisions to educate individuals on how to properly safeguard their identity credentials.
The National Institute of Standards and Technology plans to hold a series of workshops to help the private sector, consumer advocates and other groups advance the NSTIC strategy.
[An earlier version of this story wrongly reported which entity would be in charge of the workshops.]