The White House has outlined a national strategy for trusted digital identities that could ultimately eliminate the username-and-password model and lay the groundwork for a nationwide federated identity infrastructure.
Howard Schmidt, cybersecurity coordinator and special assistant to the president, unveiled the administration's strategy for what he called an identity ecosystem for users and organizations to conduct online transactions securely and privately such that identities of all parties are trusted.
"For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to log in to various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers -- both public and private -- to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.)," Schmidt blogged late last week.
The new National Strategy for Trusted Identities in Cyberspace (NSTIC) draft paper is open for public comment and input until July 19.
The paper, a product of the White House's cybersecurity policy review last year, was created with input from government agencies, business leaders, and privacy advocates. Among other things, it calls for designating a federal agency to lead the public-private sector efforts to implement the blueprint, and for the federal government to lead the way in the adoption of secure digital identities.
The Holy Grail of trusted online authentication -- a so-called high-assurance authentication vouching for the identity of a banking customer conducting a transaction online, for example -- has yet to take off. "No one has stepped up to the plate to vouch for identities ... a Bank of America or a high-assurance provider to make all of this work," says Gartner's Avivah Litan, adding we may never get systems in the U.S. to say an online user is who he or she says he is. "They may not want to assume the liability and pay you if they are wrong," she says.