Multi-factor & Risk-based Authentication
White House Unveils Online Authentication PlanFraud, ID Theft Prompts National Strategy for Trust Initiative
Cybersecurity Coordinator Howard Schmidt, on the White House blog, announced the issuance of the first draft of the National Strategy for Trusted Identities in Cyberspace that details the goals to create an identity ecosystem where online tractions can take place in an infrastructure where participants trust the identities of others while maintaining individual privacy.
A rising tide of identity theft, online fraud and cyber intrusions, the proliferation of usernames and passwords that individuals must remember and the need to deliver online services more securely and efficiently prompted the White House action.
"No longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services," Schmidt wrote. "Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc) from a variety of service providers - both public and private - to authenticate themselves online for different types of transactions."
Schmidt said the identity ecosystem would allow users to have more control of the private information they use to authenticate themselves online, and will not have to reveal more information than they need to.
According to the White House, the goals of the initiative are to:
- Design the identity ecosystem: Work with industry to develop and identify the standards and policies that govern the identity ecosystem. It also includes addressing legal issues in the identity ecosystem such as defining liability caps for identity providers.
Build the identity ecosystem infrastructure: Collaborate with industry and state and local governments to deploy strong, interoperable identity solutions. Reinvigorate government efforts to encourage the deployment of device and object relative authentication protocols such as domain name, internet protocol and border gateway protocol security.
Strengthen privacy protections for end users and increase awareness of risks: Formally adopting, perhaps through new laws, enhanced privacy protections for individuals in the identity ecosystem. For example, the government is considering requiring identity providers to abide by the Fair Information Practice Principles. This goal also includes working with the interagency working group that has been established to create a national awareness campaign for cybersecurity and ensure that trusted identities messaging is included in that campaign.
Manage the identity ecosystem: Establish the proper structures within government, including a program office to oversee implementation of the strategy and an industry advisory council, to ensure the long term success of the identity ecosystem. It also includes enhanced government participation in various international fora, including policy bodies and standards organizations.
The White House said the strategy focuses on improving the ability to identify and authenticate the organizations, individuals and underlying infrastructure - routers, servers, desktops, mobile devices, software, data - involved in an online transaction such as accessing electronic health records, banking online, making a purchase on the Net and sending an e-mail.
The identity authentication initiative comes out of the cyberspace policy initiative President Obama outlined in May 2009, and an interagency writing team overseen by the White House National Security staff developed the draft, after meeting with representatives of some 700 industry advisory councils and associations, including those representing privacy groups, state and local government, healthcare and financial services.
Members of the public can contribute their ideas on the initiative at www.nstic.ideascale.com through July 19. A final plan is expected to be issued in the fall.