Craig Spiezle, executive director and CEO, Online Trust Alliance
The National Strategy for Trusted Identities in Cyberspace (NSTIC) offers the promise of enhanced privacy and security, helping to address the risks of password “mismanagement,” including phishing and identity theft.
Consumers today often use the same password or a few passwords to log in to multiple sites. Compounding this insecure methodology, social networking sites often encourage users to enter usernames, passwords and other credentials which can be unknowingly exposed to their contacts. As proposed, consumers will realize enhanced choice and control of what credentials should be shared, who manages them and with whom they are shared. Consumers benefit from increased control of their identity (and privacy), while relying parties will have the confidence that the site visitor is who they purport to be (security).
While we can debate fringe-use cases, this effort should be applauded for moving trusted identities forward. The process has been open and has included leading identity, privacy and security professionals.
John Pescatore, vice president and research fellow, Gartner
With identity theft thriving, it is clear that some improvement in internet authentication is needed, and government definitely can and should play a role. But this plan repeats the major error of previous industry efforts by attempting to build an interoperable or federated identity “ecosystem” versus focusing on the root cause of the problems – moving away from reusable passwords.
An “interoperable identity ecosystem” is all about benefit to the consumers of identity, not to the individual identity owners. The goal of a government-driven effort should be to spur better choices for citizens in stronger authentication – the only way we can drive online ID theft levels to the same level as in the real world.
The government should focus on defining standards for stronger authentication and require all agencies to use them for government employee access and all citizen interaction. Get a critical mass of use of techniques beyond reusable passwords, and interoperability will follow.