NSTIC director: 'We're trying to get rid of passwords'

The federal government's National Strategy for Trusted Identities in Cyberspace (NSTIC) program, set up this spring, is making progress against its goal of identifying and supporting more secure alternatives to simple passwords that the government as well as anyone else might use in authenticating to online applications.

"We're trying to get rid of passwords. It's time for something better," says Jeremy Grant, senior executive adviser at the National Program Office for NSTIC, located at the National Institute of Standards and Technology. The federal government, he says, can lead in working with industry on better types of authentication for large-scale use that may be deemed preferable to passwords. The next step in this project involves setting up a steering committee with industry to foster consensus on standards and guidelines, with a slew of pilot projects expected next year, based on current budget expectations.

IN DEPTH: Can the Obama administration fix your identity-management problems?

Though the budget process is not complete, the Obama administration has $25 million allotted for the NSTIC program, and out of that, "$17.5 million is for pilots," says Grant, adding, "We haven't published yet what the criteria will be." However, the idea at present is to conduct about half a dozen pilot projects for strong authentication, making the funds available perhaps through a grants process.

The ambitious NSTIC program envisions an "identity ecosystem" of the future where there will be established ways to clearly assess identity in issuing credentials through approved assessors. Grant says the government is looking to private industry to take the lead on that in general. And though there will likely need to be standards and specifications for any identity ecosystem, especially in order to foster interoperability, Grant says NIST won't be writing these standards but trying to play the role of "facilitating the creation of consensus-based standards."

Grant says "the government is uniquely qualified to tackle the problem" of ushering in ways citizens could use stronger authentication than passwords not only in their necessary interactions online with the government but also perhaps in business as well. But the private sector is being given the lead in technologies for this because under NSTIC, "we're trying to get the government out of the identity business." But he says the government does want to make sure whatever comes about is done with suitable privacy safeguards -- plus complex legal and policy issues may well have to be sorted out.

Grant acknowledges that in trying to find common ground on which the high-tech industry and privacy advocates such as the Center for Democracy and Technology can all somehow stand together isn't necessarily easy, noting it can feel like "one of the largest cat-herding challenges of all time." He adds "there will be no central database under NSTIC," though if the government adopts NSTIC-approved services in the future for its own use, there would probably be a need to keep an audit trail for purposes of security.

"We can be an early adopter," he says, noting this would help the government bring online applications to the public that it can't do today because a password is simply not strong enough authentication.

"Passwords not only don't help provide much security, in many cases they can put the consumer at risk," says Don Thibeau, chairman of the Open Identity Exchange (OIX), whose membership -- which includes Google -- interacts with the federal NSTIC program. (OIX was set up as a sister organization to the OpenID Foundation, for which Thibeau serves as executive director.)

There's a need for "Internet identity standards on an Internet scale," says Thibeau. OIX is presenting its ideas related to OpenID and OAuth specifications, and its membership is interested in participating in pilot projects under NSTIC. But Thibeau also expects to see the private sector doing a few of its own pilot projects later this year with OIX sponsoring some interoperability and security pilots between Google, AOL and Hotmail email systems. The goal is to try to "define best practices for security on a cross-platform basis." He adds: NSTIC is "challenging security architects to come up with new thinking."

Read more about wide area network in Network World's Wide Area Network section.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags National Institute of Standards and Technologysecurity

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ellen Messmer

Network World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?