Myriad of solutions vie to fill Internet's mega gap
One-time passcodes, biometrics, smart cards, mobile devices … the list of possible digital authentication technologies is long.
Still, usernames and passwords are the pervasive means to access information and conduct transactions on the Web. Consumers, however, are frustrated with the ever-growing list of complicated passwords, images and security questions guarding both high-security transactions such as banking or bill pay and basic web site access.
Efforts are underway to remedy the problem. The U.S. federal government’s National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative funded a round of five pilots in 2012 and will fund a second round this year.
The additional pilots will further explore the creation of an identity ecosystem with strong digital identities and trusted credentials for citizens. In the meantime, existing solutions are already vying to fill the gap in online identity.
Improving existing solutions
This identity ecosystem would help bolster the current forms of digital identity, such as “the trusted username and password, which is totally un-trusted,” says Randy Vanderhoof, executive director of the Smart Card Alliance. Additionally, there is two-factor authentication, with a card or token used in conjunction with a PIN or password, and three-factor authentication, which adds biometrics to the equation, explains Vanderhoof.
As individuals are forced to juggle lists of usernames and passwords along with multiple tokens, these tools for online identification have become overwhelming. “What used to be viewed as a solution to the problem has become another part of the problem,” says Vanderhoof.
To help solve that, government agencies and business organizations are exploring the concept of reusing an identity credential from another provider. “We can’t end up with one identity and a necklace of different tokens. The (NSTIC) Identity Ecosystem Steering Group is working to make sure that doesn’t happen,” says Ian Glazer, research vice president and agenda manager at Gartner.
From walled gardens to trust anchors
A basic need for digital identity exists within closed systems such as iTunes or Amazon accounts. These are often called “walled gardens,” because they recognize a user and hold user information, but only for use on that specific site, explains Don Thibeau, executive director of the OpenID Foundation and chair of the Open Identity Exchange (OIX).
“The great lesson of iTunes is that Don Thibeau, as an iTunes user, can buy another song or a piece of software on the spur of the moment, and I can do so without creating a username and password. I can do so without reaching for my credit card. I can do so without authenticating myself to any number of sites,” says Thibeau.
Another form of digital online identity is a multi-purpose account. For example, extending a Facebook or Google login to other services, such as the music site Spotify, removes the need to create, manage and remember another login combination. In this type of architecture, Facebook or Google serves as a trust anchor for the other service providers that accept the login.
“The advantage is that I don’t have to create another username and password and Spotify doesn’t have to protect a password that I give them,” says Glazer. “But the downside is that I put one more egg in my Facebook basket and I’m using that account to unlock more and more resources.”
Identity in the cloud
PKI in the cloud is another technology that can serve as a digital identity where higher levels of security are required. “PKI has a strong capability to say whether or not you actually performed the transaction,” says Gordon Hannah, principal at Deloitte & Touche LLP.
Thus, digital signatures may come to the forefront as a viable digital identity. “All the legal things we do require wet signatures today, but a trusted digital signature could really accelerate capabilities,” Hannah says. “Refinancing or getting loans require a lot of wet signature type documents being shipped around … the ability to put that all online is very interesting.”
In the creation of these systems, the digital identity technology is only part of the solution. Developers also have to consider the identity proofing that works in conjunction with the identity technology. “A lot of folks forget about that piece, which is just as important, if not more important than the technology,” says Hannah.
Identity proofing maps back to NIST Special Publication 800-63, which defines the four levels of authentication assurance used by the federal government. While the national strategy addresses all levels of authentication, it focuses most on levels two and three.
Level two and level three authentication allow remote identity proofing, while the highest level requires in-person vetting, Hannah explains. These levels also allow software-based authentication technologies, such as one-time passwords or even biometrics on mobile devices, while level four requires hardware-based solutions.
The move to EMV compliance in the United States may also help digital identity to take hold, as consumers will have cards with smart chips that can hold identity information. “It’s intended for financial applications, but it’s very conceivable that we could download an identity application to it that could also be used to authenticate our identity at a very strong level,” Hannah says. “It’s essentially a hardware token that could even be mapped to level 4, the highest authentication level (specified in NIST 800-63).”
With payments moving to mobile devices, there is the possibility of identity moving in that same direction. “We might be able to use our phones to validate our identity in a very strong and trusted means,” says Hannah.
Mobile technology may also propel the development of digital identities. “Mobile phones are connected to the Internet, so identity credentials securely stored on the phone could enable access to services that one would normally access from a PC,” says Vanderhoof.
Add NFC technology to the mix, and identity information can be transferred from a phone to a physical reader. “Mobile could break through the challenges of carrying and storing multiple identities. It could solve some of the challenges with physically issuing a card, token or some other type of carrier of your digital information,” adds Vanderhoof.
While work is just beginning on the NSTIC pilots, the technology may reach the market in the next two years. “I believe by 2014 or 2015, we’ll really begin to see these NSTIC-related initiatives and technologies take off,” says Hannah.
He acknowledges that hardware development could take a while, but the advancing nature of payment cards and other pilot technologies may accelerate the process. “It’s a bit of a chicken and egg situation. You’ve got to have the market demand for the capabilities, but you also have to have the technologies implemented that can support them.”