NSTIC director: 'We're trying to get rid of passwords'

The federal government's National Strategy for Trusted Identities in Cyberspace (NSTIC) program, set up this spring, is making progress against its goal of identifying and supporting more secure alternatives to simple passwords that the government as well as anyone else might use in authenticating to online applications.

"We're trying to get rid of passwords. It's time for something better," says Jeremy Grant, senior executive adviser at the National Program Office for NSTIC, located at the National Institute of Standards and Technology. The federal government, he says, can lead in working with industry on better types of authentication for large-scale use that may be deemed preferable to passwords. The next step in this project involves setting up a steering committee with industry to foster consensus on standards and guidelines, with a slew of pilot projects expected next year, based on current budget expectations.

IN DEPTH: Can the Obama administration fix your identity-management problems?

Though the budget process is not complete, the Obama administration has $25 million allotted for the NSTIC program, and out of that, "$17.5 million is for pilots," says Grant, adding, "We haven't published yet what the criteria will be." However, the idea at present is to conduct about half a dozen pilot projects for strong authentication, making the funds available perhaps through a grants process.

The ambitious NSTIC program envisions an "identity ecosystem" of the future where there will be established ways to clearly assess identity in issuing credentials through approved assessors. Grant says the government is looking to private industry to take the lead on that in general. And though there will likely need to be standards and specifications for any identity ecosystem, especially in order to foster interoperability, Grant says NIST won't be writing these standards but trying to play the role of "facilitating the creation of consensus-based standards."

Grant says "the government is uniquely qualified to tackle the problem" of ushering in ways citizens could use stronger authentication than passwords not only in their necessary interactions online with the government but also perhaps in business as well. But the private sector is being given the lead in technologies for this because under NSTIC, "we're trying to get the government out of the identity business." But he says the government does want to make sure whatever comes about is done with suitable privacy safeguards -- plus complex legal and policy issues may well have to be sorted out.

Grant acknowledges that in trying to find common ground on which the high-tech industry and privacy advocates such as the Center for Democracy and Technology can all somehow stand together isn't necessarily easy, noting it can feel like "one of the largest cat-herding challenges of all time." He adds "there will be no central database under NSTIC," though if the government adopts NSTIC-approved services in the future for its own use, there would probably be a need to keep an audit trail for purposes of security.

"We can be an early adopter," he says, noting this would help the government bring online applications to the public that it can't do today because a password is simply not strong enough authentication.

"Passwords not only don't help provide much security, in many cases they can put the consumer at risk," says Don Thibeau, chairman of the Open Identity Exchange (OIX), whose membership -- which includes Google -- interacts with the federal NSTIC program. (OIX was set up as a sister organization to the OpenID Foundation, for which Thibeau serves as executive director.)

There's a need for "Internet identity standards on an Internet scale," says Thibeau. OIX is presenting its ideas related to OpenID and OAuth specifications, and its membership is interested in participating in pilot projects under NSTIC. But Thibeau also expects to see the private sector doing a few of its own pilot projects later this year with OIX sponsoring some interoperability and security pilots between Google, AOL and Hotmail email systems. The goal is to try to "define best practices for security on a cross-platform basis." He adds: NSTIC is "challenging security architects to come up with new thinking."

Read more about wide area network in Network World's Wide Area Network section.

Join the PC World newsletter!

Error: Please check your email address.

Tags National Institute of Standards and Technologysecurity

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ellen Messmer

Network World

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?