Part of the future of identity series
By Jeremy Grant, senior executive advisor, identity management, NIST
Grant joined NIST in February of 2011 to lead the establishment of a National Program Office to implement the National Strategy for Trusted Identities in Cyberspace. His career began as a legislative aide in the U.S. Senate, where he drafted the legislation that laid the groundwork for the Department of Defense and GSA smart card and PKI efforts. He later joined MAXIMUS, where he played a role in a number of federal identity and security programs.
In the year 2019, consumers will think it’s quaint when online service providers ask them to create a new account – or more likely, many will simply abandon the site, deciding that it’s not worth the hassle.
The marketplace availability of secure, privacy-enhancing digital credentials that can be used across the Internet in lieu of passwords will prompt most consumers to trust one – or a handful – of credential service providers instead of managing 25-30 passwords.
The value to consumers will not only be convenience, but also the knowledge that the security and privacy of their transactions is enhanced. Moreover, online service providers will be eager to reduce friction for consumers accessing their services, as well as inspire trust by assuring that as a service provider, they too value security and privacy.
A comprehensive Identity Ecosystem Framework – essentially a set of standards, policies, and operating rules that ensure interoperability of credentials across sites, as well as a consistent experience for consumers and service providers alike – will enable this new paradigm for online identity. Crafted by the privately-led Identity Ecosystem Steering Group (IDESG), this framework will also be backed by a Trustmark program that allows credential issuers to demonstrate their compliance with the Framework. This will enable the easy creation of new Trust Frameworks that span numerous sectors, making it easier for organizations to trust credentials issued by others.
We will move from systems that challenge the user to prove they are who they claim to be, to ones that “recognize” us
The authentication ceremony itself will look very different than it does with today’s authentication tools that require significant work on the part of the end-user. We will see new easy-to-use technologies that do the work for us. In simpler terms: we will move from systems that challenge the user to prove they are who they claim to be, to ones that “recognize” us. This shift to recognition will be enabled by the ever-increasing array of capabilities and sensors built into the devices we use to go online.
That may sound scary, but it will only be problematic if we don’t make an effort as technology progresses to make sure we get privacy right. With these new capabilities, it will be more important than ever to ensure that there are standards in place – both technical and policy – to ensure that this future state of identity is one that enhances privacy. This will be accomplished by embedding a default set of privacy protections in the Identity Ecosystem Framework, as well as by taking advantage of new privacy-enhancing technologies that are starting to appear. Major cloud service providers will embrace these privacy enhancements as a way to address potential liabilities and inspire trust among a broader swath of customers.
This future state of identity will have been developed and led by the private sector, though it will have been heavily inspired by the National Strategy for Trusted Identities in Cyberspace, issued by President Obama in 2011. While published by the government, the NSTIC set forth a vision that appealed to a wide range of companies, advocates, academics and individuals, bringing them together to collaborate on a way to fundamentally remake online identity.
At a time of tremendous change in identity technology, the strategy served as a guidepost for the private sector, reminding everyone that privacy, security, ease-of-use and interoperability are each essential for an Identity Ecosystem to flourish.
As for the National Program Office, by 2019 it will be a blessed memory, having been absorbed back into NIST. With a vibrant, NSTIC-aligned Identity Ecosystem becoming pervasive, the need for a dedicated government office to assist the private sector will wane.
Technologies and markets evolve, and government must as well. There will no doubt be new challenges in 2019 that are deserving of our time, energy and resources.