Following nearly a year of consultation with public and private sector stakeholders, the Obama administration on Friday released the final version of its National Strategy for Trusted Identities in Cyberspace.
The goal was to create a so-called identity ecosystem where online transactions were more trustworthy.
The strategy, unveiled in draft form in June, lays out a roadmap for the public and private sectors to build an "ecosystem," whereby the identities of individuals, organisations, networks, services and devices involved in online transactions can be trusted, according to the final document.
But while parts of this exist today, achieving the entire plan is years away, according to experts.
Members of the private sector, aided by the government, will be responsible for developing and implementing the technologies, standards and policies needed to carry out the proposal.
“The old password and username combination we often use to verify people is no longer good enough,” said Commerce Secretary Gary Locke, during Friday's unveiling of the strategy at the US Chamber of Commerce. “It leaves too many consumers, government agencies and businesses vulnerable to identity and data theft.”
As part of the strategy, individuals would be able to voluntarily obtain a secure credential – such as a piece of software on their smartphone, or a smart card or a token that generates a one-time password – from their choice of public and private sector identity providers. This credential would be used for online authentication when banking, accessing electronic health records, sending email and making online purchases.
Since users would be able to choose from a variety of credential providers, there would be no single, centralised database of user information, the White House said.
The strategy has received support from companies such as PayPal, Microsoft and Adobe; advocacy and academic organisations such as the Centre for Democracy and Technology, and the American Bar Association; as well as members of Congress.
One such advocate, Steven Sprague, CEO of authentication and encryption solutions provider Wave Systems, said that to facilitate such an environment, banks, health care, email and cloud service providers will need to offer consumers the option of using strong authentication credentials.
If realised, an identity ecosystem would provide tremendous benefits and convenience to users, he said.
For example, individuals could have an electronic identity that could be used when conducting online transactions, he added. They also could have more than one identity – one for personal use, another for business.
“I [would] have no more passwords to remember,” Sprague said. “When I go to open an account, instead of making a new username and password, I can bring an existing credential I already know, and say, 'Use this account.'”
Moreover, identity service providers would help users manage their identities over time, making it easier for individuals to keep track of where they have opened and closed accounts, he said.
But others said it may do more harm than good. According to a paper by data leakage prevention software maker Identity Finder, the “powerful identity credentials” being proposed could enable “hyper-identity theft”.
To mitigate this issue, Identity Finder executives recommend that complementary federal regulations be enacted, mandating that all ecosystem participants implement a set of baseline information security and privacy protocols. The regulation should also include provisions to educate individuals on how to properly safeguard their identity credentials.
The National Program Office, a government body in charge of the secret Continuity of Government Commission, will hold meetings to progress its plans.
Representatives from industry, academia, civil society organisations, standards-setting bodies and government were encouraged to attend.