White House debuts Identity Ecosystem

The Obama Administration has unveiled a national strategy to safeguard internet users against fraud and identity theft and enhance individuals’ privacy by creating trusted entities that develop unique credentials for each user.

The National Strategy for Trusted Identities in Cyberspace (NSTIC) aims to make online transactions more trustworthy by creating an “Identity Ecosystem” in which interoperable, secure and reliable credentials will be made available to users. Consumers who want to participate will be able to obtain a single credential, such as unique software on a smartphone, a smart card or a token that generates a one-time digital password. Instead of having to remember myriad passwords, credentialed users can log into any website with more security than passwords alone provide, according to an April 15 White House statement.

As envisioned in the 45-page National Strategy document, the federal government will facilitate a private sector-led effort to develop Identity Ecosystem technologies, standards and policies, and to enable a self-sustaining market of credential providers. There will be no single, centralized database of information, and users will be able to choose among different providers of credentials and easily change credential types and providers.

The NSTIC seeks to drive the development of privacy-enhancing policies as well as innovative privacy-enhancing technologies to ensure that the ecosystem provides strong privacy protections for consumers, according to the statement.

When implemented, the platform will enable users to:

• Choose one or more identity providers, whether public or private.
• Choose credential types that meet their needs, including smart cards, cellphones, keychain fobs, one-time password generators and future credentialing technology that hasn't been invented, according to the statement.

Consumers can use their credential to prove their identities when they’re carrying out sensitive transactions, such as viewing personal healthcare information. Once the Identity Ecosystem is in place, consumers would be able to connect to businesses and other online entities using a credential they already have, avoiding the hassle of creating usernames and passwords, according to the strategy.

The NSTIC’s Identity Ecosystem will be grounded in the eight Fair Information Practice Principles (FIPPs) to provide multi-faceted privacy protections, according to the strategy.

A FIPPS-based approach also will promote adoption of privacy-enhancing technical standards by minimizing the ability to link credential use among service providers, preventing them from developing a complete picture of an individual’s activities online.

The Secretary of Commerce will establish within the Department of Commerce an interagency office, the National Program Office (NPO), charged with achieving the goals of the strategy. The NPO will be responsible for coordinating the processes and activities of organizations that will implement the strategy. Commerce will host the interagency function because it is uniquely suited to work with the private sector and with government to implement the strategy, according to the national strategy. The NPO will lead the day-to-day coordination of NSTIC activities, working closely with the Cybersecurity Coordinator in the White House.

“The standardization of policy and technology and the initial implementation of the Identity Ecosystem will not occur overnight,” according to the strategy document. The Identity Ecosystem could begin operations within three to five years, according to the national strategy.

Click here to access the document.