The draft national strategy for building a new "identity ecosystem" that the Obama administration released June 25 would accomplish that, according to its developers. The ecosystem would base authentication on trusted digital identities instead.
The plan, named the National Strategy for Trusted Identities in Cyberspace, would lay a blueprint for an online environment in which online transactions for both the public and private sectors are more secure and trusted. The strategy identifies the federal government as "primary enabler, first adopter and key supporter" of the identity ecosystem.
In the language of the strategy, "In the envisioned identity ecosystem individuals, organizations, services and devices would be able to trust each other because authoritative sources establish and authenticate their digital identities." What that means in real terms is that trusted providers, such as a bank, would issue security credentials that would then be accepted by other online resources such as social networking sites and e-mail providers. Rather than using a user name and password, the person would have the crediential on a device that would authenticate his or her identity to the computer and, by extension, give access to services that accept the credential. The strategy includes references to smart cards, USB drives, mobile devices, software certificates and trusted computing modules as possible authentication technologies.
The strategy provides a hypothetical case of of a woman whose husband has recently been in the hospital. She is able to access his medical information using her cell phone because everyone involved in the information exchange uses a "trustmark" that signifies they adhere to the identity ecosystem framework.
The woman would have established her digital identity when she subscribed to a cell phone service plan, and the phone carrier would have verified her identity based on defined standards and issued her a credential on her cell phone that she could use within the ecosystem. The hospital and her husband's primary care provider, in turn, would have validated and maintained the appropriate attributes needed to release the information. And at the very beginning of the process, her husband would have provided her name and phone number to the hospital and signed the needed documents to authorize release of his information.
"No longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to log into various online services," White House Cybersecurity Coordinator Howard Schmidt said in a post on the White House blog. "Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable and privacy-enhancing credential…from a variety of service providers -- both public and private -- to authenticate themselves online for different types of transactions."
Schmidt's office has been leading the effort and will continue to do so. The Homeland Security Department is collecting public comments on the plan through July 19. Schmidt said the strategy will be finalized this fall.
Officials say participation in the identity ecosystem must be voluntary. The draft document breaks the ecosystem down into execution, governance and management layers and explains how individuals, companies and government would benefit from that online environment. For example, the document says individuals would get more security, efficiency, privacy and choice.
The document says goals for the strategy are to:
Develop a comprehensive identity ecosystem framework.Put in place an interoperable identity infrastructure aligned with the identity ecosystem framework.Bolster willingness to participate in that ecosystem.Ensure the long-term success of the ecosystem.The strategy also lays out high-level priority actions:
Designate a federal agency to lead the public/private sector efforts. Develop a shared, comprehensive public/private sector omplementation plan.Accelerate the expansion of federal services and policies that align with ecosystem.Work among industry and government to put enhanced privacy protections in place.Coordinate the development of risk models and interoperability standards.Deal with liability worries of people and service providers.Perform outreach and awareness activities.Continue collaborating in international efforts.Identify other ways to push for adoption of the identity ecosystem nationwide."There is a compelling need to address these problems as soon as is practical, making progress in the short term and planning for the long-term," the document concludes. "For the nation to realize the vision of this strategy and associated benefits, all stakeholders must come together in a collaborative partnership."
Microsoft Releases ADFS 2.0Peter Jackson Reportedly Negotiating To Direct ‘The Hobbit’