I may have been a little hasty last week when I predicted that the National Strategy for Trusted Identities in Cyberspace may “never see the light of day,” and this week NSTIC head Jeremy Grant let me know it. Grant, the senior executive advisor for NSTIC, explained that while short-term, low-level security methods that come out of NSTIC may still rely on passwords in some form, the ultimate goal is to eliminate them altogether – something he says is entirely possible by the program’s 2020 deadline.
“Passwords are a disaster from a security perspective,” Grant said. “We want to shoot them dead.”
Yet, right now, most of the Internet relies on passwords, and that is limiting the development of new technology and the deployment of innovative government programs. “Every year agencies come up with killer apps, but they don’t deploy them because they can’t verify the person on the other end,” Grant said. “Passwords aren’t secure enough for the agency to be sure that the person on the other end isn’t a proverbial dog on the Internet.”
Instead of a system where users have to remember dozens of passwords, Grant envisions identity management in the future being based on other models such as two-factor authentication or hardware tokens. Passwords in some form may still play a role, but how much depends on the sensitivity of the data being protected.
The Office of Management and Budget has defined four levels of assurance, which the different technologies being developed will serve. Agencies assign a transaction to one of the four levels according to the potential consequences of an authentication error: the worse the harm from letting the wrong person in, the higher the level required. At level one, a password alone suffices; at level two a password still suffices, but the account holder’s identity must have been verified before the credential was issued. At level three, two-factor authentication comes into play, with something like a password-protected software cryptographic key required in addition to what the user knows. At level four, an actual hardware token is required, such as a PIV card. According to Grant, level three is where most public-facing websites run by the federal government have the greatest need.
Most of what the NSTIC does is with the private sector. The pending launch of Connect.gov, where users of certain government websites would be able to sign in with a shared credential issued to them by a separate identity vendor like Google or PayPal, is one way for government to take advantage of the increase in security the new technologies offer. It will only be used for low-level transactions, such as signing up for a newsletter or some other activity where a breach would not be considered catastrophic for the end user. Grant described it as an interim step along the road to eliminating passwords.
“Connect.gov is really an easy button for government agencies to tap into these new technologies,” he said. “It will let users log in to sites without much risk for low levels of assurance.” But the real focus is still to first add a second factor of authentication to passwords and then to eliminate them altogether, he added.
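The “add a second factor first” step Grant describes, and the jump from a password-only assurance level to one that also demands something the user possesses, is easy to see in code. The following is an added example written for this page; it is not code from the article, from NSTIC, or from any vendor named here. It implements a time-based one-time password (TOTP, RFC 6238, HMAC-SHA1) as the possession factor next to a salted password check. The user record, salt and password are constructed for the demo; the TOTP seed is the test-vector key from RFC 6238 so the arithmetic can be checked against the RFC, and the “last used step” bookkeeping rejects a replayed code.

```python
"""Password plus a time-based one-time password (RFC 6238) as a second factor.

Added example for this page, not code from the article or from NSTIC.
The user store below is constructed for the demo; the TOTP seed is the
RFC 6238 test-vector key so the codes can be checked against that RFC.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # RFC 6238 default time step


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(key: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(key, unix_time // STEP_SECONDS, digits)


def pbkdf2_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (the 'something you know' factor)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store (demo data, not real credentials).
_DEMO_SALT = b"demo-salt-not-for-production"
USERS = {
    "alice": {
        "salt": _DEMO_SALT,
        "pw_hash": pbkdf2_hash("correct horse battery staple", _DEMO_SALT),
        "totp_key": b"12345678901234567890",  # RFC 6238 test-vector seed
        "last_step": -1,                      # highest time step already accepted
    }
}


def check_password(user: str, password: str) -> bool:
    """Password-only check: roughly what a level-one/level-two login relies on."""
    rec = USERS.get(user)
    if rec is None:
        # Do the same amount of work for unknown users so the response time
        # does not reveal which accounts exist.
        pbkdf2_hash(password, _DEMO_SALT)
        return False
    return hmac.compare_digest(rec["pw_hash"], pbkdf2_hash(password, rec["salt"]))


def check_totp(user: str, code: str, now: int, skew_steps: int = 1) -> bool:
    """Possession factor: accept a code for the current step or one step either
    side (clock drift), but never a step that has already been used (replay)."""
    rec = USERS[user]
    step = now // STEP_SECONDS
    for candidate in range(step - skew_steps, step + skew_steps + 1):
        if candidate <= rec["last_step"]:
            continue  # already consumed: a captured code cannot be replayed
        expected = hotp(rec["totp_key"], candidate).encode()
        if hmac.compare_digest(expected, code.encode()):
            rec["last_step"] = candidate
            return True
    return False


def login(user: str, password: str, code: str, now: int) -> bool:
    """Two-factor login: both the password and the one-time code must pass."""
    if not check_password(user, password):
        return False
    return check_totp(user, code, now)
```

The design point is in `check_totp`: a phished or shoulder-surfed code is only good for one step and only once, which is the property a bare password never has. A real deployment would keep `last_step` in the database rather than in memory and rate-limit attempts, since a six-digit code has only a million values.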
Grant also explained that the government is not micromanaging the program through the NSTIC but mostly supporting companies trying to develop password-killing technology. “To a certain extent the government is not particularly concerned about the technology itself,” he said. “In fact, one of the worst things that we could probably do is to try and standardize on one thing and make everyone adopt it.” This supporting role has already produced some notable successes, with a handful of vendors already certified as approved identity services for various levels of assurance.
One solution Grant pointed out is ID.me, which was awarded $2.8 million to serve the veteran community with better authentication. “Everyone wants to give discounts and services to veterans, but how do organizations know if a person is a veteran without asking them to carry around their discharge papers?” Grant asked. “With ID.me it allows veterans to set up secure credentials that can be used to claim discounts at stores that offer them. We want to use that same credential to allow them to also log into the [Department of Veterans Affairs] to get access to their records.”
As someone who studies the evolving efforts to kill passwords once and for all, Grant is in a unique position to predict whether the NSTIC will be successful in reaching that long-term goal by 2020. “I think we will make it,” Grant said. “We are already seeing some major advancements with programs like Internet2 deploying multi-factor authentication to hundreds of universities, and advancements from the FIDO (Fast IDentity Online) Alliance using the fingerprint readers and cameras in phones for authentication. There aren’t many technologies where you can point to the day they became ubiquitous, but I think with this we are getting very close to that tipping point.”