Four industry leaders break down the importance of online credentials
20 December, 2011
There have been many discussions about digital identities and online credentials in 2011. The National Strategy for Trusted Identities in Cyberspace (NSTIC) is picking up steam and organizations are seeking to further secure IT networks as threats from hacking increase.
But questions and uncertainty abound. What are digital identities and how do they work? Will one credential work with another? How will they impact privacy and help address regulatory compliance?
In light of these and other pressing questions, Re:ID editors asked some of the leaders in the space to share their thoughts and vision for online ID.
Participating in the roundtable are: Jeremy Grant, senior executive adviser and manager of the National Program Office for NSTIC; Mollie Shields-Uehling, president and CEO at SAFE-BioPharma; Judith Spencer, former co-chair of the Federal Identity, Credential, and Access Management Subcommittee at the U.S. General Services Administration and now CertiPath’s policy management authority chair; and Scott Rea, board member and director of operating authority at the Research and Education Bridge Certification Authority (REBCA).
What do these digital IDs look like to you?
Mollie Shields-Uehling, SAFE-BioPharma
SAFE-BioPharma digital IDs are a form of software installed on a computer, tablet, smart phone or other device. They are based, in part, on a close link with the user’s proven identity. They also enable the application of digital signatures to electronic documents.
Generally, digital signatures compliant with the SAFE-BioPharma standard will be represented in the form of a graphic containing the individual’s name, the reason for applying the signature, date/time of signing, the SAFE-BioPharma logo and other identifying information.
Scott Rea, REBCA
I see these digital IDs as an analogy to the credit card in the financial industry. When banks first started issuing these, you could only use your card at merchants that specifically had an arrangement with your local bank, and these were limited in scope.
But then along came the payments industry standards and the creation of standards such as Visa, MasterCard and American Express. Now, if your bank or issuing entity participates in one of these credit card standards, they can issue a credential in accordance with that standard that is accepted in a much broader community of merchants.
This is typically acknowledged by a logo or brand being placed upon your card, which is still issued by your local bank, and also displayed by the merchant or relying party willing to accept it.
In relating this to interoperable digital identities, the trust hubs are the payment standards, the Certification Authorities are the branding mechanism, and local education and research institutions can now issue credentials that can be relied upon internally and by the broader research community.
Jeremy Grant, NSTIC
Within the identity ecosystem, we do not advocate a particular form factor, so we don’t have a prescribed look and feel that makes one ID better than another. We do expect innovation to drive the identity market to the general public in a privacy-enhancing manner that is easy to use.
This could be in the form of a smart phone or credit card. The employment of interoperable credentials will support the individual’s ability to create and utilize their digital identity with increased control and personal privacy.
As far as the physical or architectural composition of digital IDs and their associated credentials, innovation and user requirements will dictate the form in which these are delivered. Our interest from the government side is to develop a framework for the identity ecosystem where multiple form factors can coexist and ultimately the market can decide which solutions are best.
Judith Spencer, CertiPath
Interoperable digital identities need to have strong security tokens and processes associated with them. It is a well-known fact that the more often an electronic identity credential is used, the more likely it becomes that it can be subverted.
User ID/Password combinations are particularly vulnerable, and for that reason they make lousy interoperable identity credentials. Cryptographically based identity credentials, on the other hand, are particularly resistant to attack, and those associated with some type of hardware storage device and/or biometric activation processes are even more resistant.