News this week that the National Strategy for Trusted Identities in Cyberspace (NSTIC) is finally moving forward didn’t cause much of a splash, and there’s a chance it never will.
The program was originally announced by the Obama administration in 2010 as a way to implement the goals put forward in the Cyberspace Policy Review. Then White House Cybersecurity Coordinator Howard Schmidt explained that NSTIC was a comprehensive strategy to move away from user-ID password authentication. “There is a business requirement to do security,” Schmidt said at the time. “We must ensure the ability to conduct transactions…[and] interact with the government in a very secure manner, where private and civil liberties are protected — and you can only do that with some of these things we’re looking at from an ID perspective.”
In other words, he was saying: Standard password protection is dead.
The idea behind NSTIC, however, is not to actually eliminate passwords but to simply consolidate them behind a handful of trusted vendors. You can probably see the potential problem with this, but let’s explore how the system would work in a perfect world.
First, several companies would be designated as trusted vendors. One mentioned a lot is PayPal, though Apple and its upcoming Apple Pay will likely want to get involved too, and so will Google and quite a few others. But PayPal is a great example because it is already using the handoff type of password technology proposed by the NSTIC.
PayPal keeps its users’ credentials locked down pretty tight. According to its latest commercial, they’re stored in a titanium vault guarded by ninjas. I’m not sure that’s an accurate description, but to my knowledge they have never been mass hacked.
The interesting part is how people can use PayPal to pay for things online. When a store offers to let people pay using PayPal, customers enter their e-mail addresses and their PayPal passwords. A VPN opens up between the two entities, and PayPal verifies that the money is available and then transfers it to the store without passing user data from PayPal back to the store. If someone later hacks the merchant, users who connected using PayPal won’t be affected.
For NSTIC, the idea would be about the same with a plan called Connect.gov. Any government site requiring users to log in to access sensitive or personal information would see a popup asking for credential information stored at a trusted vendor. The user would enter account information and a password, and the trusted vendor would verify that they are who they say. Thereafter, at least for that session, they would be able to use the government site and see whatever information they are allowed to access. The government would retain no information about the user, so if a government site gets hacked, that user would be fine so long as they used Connect.gov to gain access.
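The handoff described above, in which the trusted vendor checks the password and the government site receives only a yes/no assertion and a pseudonymous identifier, is the same pattern as a federated login. The following is an added illustration, not code from NSTIC, Connect.gov or any vendor: it models an identity provider that keeps the salted password hashes, a relying party (the government site) that only stores a session token and a pseudonymous subject id, and a signed assertion passed between them. The names `IdentityProvider`, `RelyingParty`, `vendor.example` and `agency.example` are assumptions made for the example; the shared-key HMAC stands in for the signature schemes real federation protocols use.

```python
import hashlib
import hmac
import json
import os
import secrets
import time


def pseudonymous_subject(email: str) -> str:
    """Derive a stable, non-reversible identifier so the relying party never learns the e-mail."""
    return hashlib.sha256(email.encode()).hexdigest()[:16]


class IdentityProvider:
    """The 'trusted vendor': holds credentials, never hands them to a relying party."""

    def __init__(self, name: str):
        self.name = name
        self._users = {}     # email -> (salt, pbkdf2 hash); constructed in-memory store
        self._rp_keys = {}   # relying party id -> per-party HMAC key

    def register_user(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[email] = (salt, digest)

    def enroll_relying_party(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._rp_keys[rp_id] = key
        return key  # shared out-of-band with that relying party only

    def authenticate(self, email: str, password: str, rp_id: str):
        """Verify the password; on success return (payload, signature) for rp_id, else None."""
        record = self._users.get(email)
        if record is None or rp_id not in self._rp_keys:
            return None
        salt, stored = record
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(digest, stored):
            return None
        claims = {"iss": self.name, "sub": pseudonymous_subject(email),
                  "aud": rp_id, "exp": int(time.time()) + 300}
        payload = json.dumps(claims, sort_keys=True).encode()
        signature = hmac.new(self._rp_keys[rp_id], payload, "sha256").hexdigest()
        return payload, signature


class RelyingParty:
    """The government site: accepts assertions, stores no passwords or e-mail addresses."""

    def __init__(self, rp_id: str, idp_name: str, idp_key: bytes):
        self.rp_id = rp_id
        self.idp_name = idp_name
        self._idp_key = idp_key
        self.sessions = {}   # session token -> pseudonymous subject (all the site keeps)

    def login_with_assertion(self, payload: bytes, signature: str, now: int = None):
        """Return a session token if the assertion is genuine, addressed to us and unexpired."""
        expected = hmac.new(self._idp_key, payload, "sha256").hexdigest()
        if not hmac.compare_digest(expected, signature):
            return None  # forged or tampered assertion
        claims = json.loads(payload)
        if claims.get("iss") != self.idp_name or claims.get("aud") != self.rp_id:
            return None  # assertion meant for another site cannot be replayed here
        if claims.get("exp", 0) < (now if now is not None else int(time.time())):
            return None  # stale assertion
        token = secrets.token_hex(16)
        self.sessions[token] = claims["sub"]
        return token

    def holds(self, secret: str) -> bool:
        """True if the secret string appears anywhere in what this site stores."""
        return secret in json.dumps({"rp_id": self.rp_id, "sessions": self.sessions})


def run_demo() -> dict:
    """Walk through the handoff with constructed sample data and report each outcome."""
    idp = IdentityProvider("vendor.example")
    agency_key = idp.enroll_relying_party("agency.example")
    idp.enroll_relying_party("other.example")  # a second site with its own key
    agency = RelyingParty("agency.example", "vendor.example", agency_key)
    idp.register_user("alice@example.net", "correct horse battery")

    results = {"wrong_password": idp.authenticate("alice@example.net", "guess", "agency.example")}
    payload, sig = idp.authenticate("alice@example.net", "correct horse battery", "agency.example")
    token = agency.login_with_assertion(payload, sig)
    results["token_issued"] = token is not None
    results["subject_matches"] = agency.sessions.get(token) == pseudonymous_subject("alice@example.net")
    results["tampered_rejected"] = agency.login_with_assertion(payload, "00" * 32) is None
    results["expired_rejected"] = agency.login_with_assertion(payload, sig, now=int(time.time()) + 600) is None
    other_payload, other_sig = idp.authenticate("alice@example.net", "correct horse battery", "other.example")
    results["cross_site_rejected"] = agency.login_with_assertion(other_payload, other_sig) is None
    results["password_at_agency"] = agency.holds("correct horse battery")
    results["email_at_agency"] = agency.holds("alice@example.net")
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The point the article makes about a breached merchant, or a breached government site, comes out of the last two checks: the relying party's entire store contains neither the password nor the e-mail address, so compromising it yields nothing reusable at the vendor. The audience and signature checks show why the article's later worry is the right one: everything now depends on the vendor's credential store and its signing keys.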
A test program is being launched at the Department of Veterans Affairs. Depending on how that goes, more agencies could follow, but the full system is not expected to be online until 2020 or later. The U.S. Postal Service will be the primary agency charged with making it all work for feds, acting as a bridge between government and the trusted ID providers.
So, what could go wrong? Potentially a lot, starting with the fact that at its core, this is still a password-based system. With so many potential trusted ID vendors, the likelihood of one of them getting hacked is, sadly, pretty high.
In this case, should one of those trusted vendors get hacked, the attacker would then have access to potentially every government and commercial site that is part of the program. That’s likely why the IRS is reportedly resisting joining the NSTIC coalition, despite a recent case study published by NSTIC saying that the agency could save $305 million each year if it gets on board.
Another thing working against this program is the fact that traditional business rivals will need to work together and accept each other as trusted partners. That means that Microsoft might need to accept that Google is a valid trusted vendor. Apple and Samsung might even have to work together. And speaking of Samsung, what about companies that exist primarily outside of the United States? Should credentials collected by them be valid to access a government site? Questions like that are probably pushing the program’s implementation until 2020 and beyond, though the technology to do it technically exists right now.
And finally, 2020 is a long way off, especially in terms of technology. By the time this all gets hashed out, passwords may truly be obsolete, having been replaced by something else. There is a lot working against a program like this, and a real possibility it will never see the light of day.