The White House has outlined a national strategy for trusted digital identities that could ultimately eliminate the username-and-password model and lay the groundwork for a nationwide federated identity infrastructure.
Howard Schmidt, cybersecurity coordinator and special assistant to the president, unveiled the administration's strategy for what he called an "identity ecosystem" in which users and organizations conduct online transactions securely and privately, so that the identities of all parties are trusted.
"For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to log in to various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers -- both public and private -- to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.)," Schmidt blogged late last week.
The paper, a product of the White House's cybersecurity policy review last year, was created with input from government agencies, business leaders, and privacy advocates. Among other things, it calls for designating a federal agency to lead the public-private sector efforts to implement the blueprint, and for the federal government to lead the way in the adoption of secure digital identities.
The Holy Grail of trusted online authentication -- a so-called high-assurance authentication vouching for the identity of a banking customer conducting a transaction online, for example -- has yet to take off. "No one has stepped up to the plate to vouch for identities ... a Bank of America or a high-assurance provider to make all of this work," says Gartner's Avivah Litan, adding that we may never get systems in the U.S. to say an online user is who he or she says he is. "They may not want to assume the liability and pay you if they are wrong," she says.