A key component of the President’s National Strategy for Trusted Identities in Cyberspace (NSTIC), the pilot projects funded by NIST seek to catalyze a marketplace of online identity solutions that ensures the envisioned Identity Ecosystem is trustworthy and has the confidence of individuals. Using privacy-enhancing architectures in real-world environments, the NSTIC pilots are testing new methods for identification online for consumers that increase usability, security, and interoperability to safeguard online transactions.
The five NSTIC pilots are deploying innovative approaches to online identity management in financial services, retail, health, and education. Each is piloting secure, privacy-enhancing, and usable technologies that go beyond usernames and passwords to ensure trust, confidence, and ease-of-use. Brief descriptions of the pilots are below, highlighting the security technology component of each, along with contact information here at RSA. In some cases, demonstrations of the pilot security solutions are available in their respective exhibit hall booths. We invite you to engage our pilot participants on best practices and lessons learned in executing their projects, which we are hopeful will inform the broader community of security professionals at RSA and beyond.
Securing Online Finance and Retail: The Criterion Pilot and Wave Device Identity. The goal of the Criterion Systems pilot is to simplify online identity verification and increase online trust by verifying identity attributes for businesses and consumers in the financial services and online retail sectors, using interoperable credentials based on standards such as OpenID. Reflecting the need for improved account security for sensitive transactions, Criterion will make available to pilot partners the Wave Nodes solution, an endpoint identity service. Nodes is designed to improve the username and password model with a stronger, simpler, more secure, trust-based solution in the consumer’s device. Criterion pilot partners including Broadridge Financial Services, eBay, and General Electric will have access to the Nodes solution to provide secure attributes unique to the consumer's computer, tablet, or smartphone, providing an additional “factor” of authentication by binding the device to the user account. Relying parties benefit from reduced costs and increased security, confident that only registered devices can access verified accounts. Virtually transparent to the user, consumers benefit from more secure, privacy-enhancing, and user friendly access to multiple online services. For more information, please contact Andy Tarbox at atarbox [at] wave.com (atarbox[at]wave[dot]com). Nodes will be demonstrated at RSA in the Wave Systems Booth, # 1847.
Daon to Pilot Multifactor Authentication with American Seniors, PayPal Customers, Airport Executives. Daon is piloting secure and privacy-enhancing online access to customer applications offered by AARP (formerly the American Association of Retired Persons), the 38 million member senior citizens advocacy organization, leveraging TrustX/IdentityX, Daon’s risk-based, multifactor authentication technology solution hosted on mobile devices. The Daon pilot will examine the usability of a more secure, privacy-enhancing method for account access that instills customer trust in online transactions of consequence and sensitivity, such as access to health and financial information. In addition to AARP, PayPal, Purdue University, and the American Association of Airline Executives will pilot the use of these strong credentials, including exploring trust frameworks to enable interoperability. Purdue University will also assist in the assessment of usability, accessibility, security, privacy, performance, and user acceptance, key to the success of the Identity Ecosystem envisioned in the NSTIC. The onsite RSA contact at Daon is Conor White, President, X-Products, who can be contacted at conor.white [at] daon.com (conor[dot]white[at]daon[dot]com).
AAMVA Piloting Online Identity Verification to Enable State Services. The Cross Sector Digital Identity Initiative (CSDII), led by The American Association of Motor Vehicles (AAMVA) is developing technology that will demonstrate the acceptance of commercial identity provider credentials by Virginia state government, including securely verifying identities online with the Virginia Department of Motor Vehicles. The pilot plans to make this technology available for voluntary access to on-line state services over the course of the project. State governments, including Virginia, are exploring leveraging commercial identity providers for secure online access to state government websites as a means to improve customer service and reduce the costs associated with online identity management. In the case of sensitive government transactions, the credential is “leveled up” to higher assurances of identity verification and security. Pilot partner Microsoft is providing a secure, privacy-enhancing cloud identity service, Customer Partner and Identity Manager (CPIM), and OpenID-based interoperable Windows Accounts to pilot participants. The pilot will also explore increasing the security of the Windows Account and other pilot interoperable credentials by enabling the Biometric Signature ID multifactor authentication solution, BioSig-ID. The BioSig-ID solution measures unique behavioral characteristics as the user draws a password on the computer screen, deriving an additional factor of authentication to supplement user name and password and thereby increasing account security in a user friendly fashion. For more information on the AAMVA pilot, contact John Biccum at johnbic [at] microsoft.com (johnbic[at]microsoft[dot]com) and visit the Microsoft booth at RSA, #1616.
Internet2 Piloting Mobile Device Multifactor Authentication on University Campuses. The Internet2 Scalable Privacy Project (ScalePriv) contains several major efforts in identity and privacy, including a focus on attribute ecosystem development, citizen centric schema, privacy managers, anonymous credentials, and promoting the adoption of multi-factor authentication (MFA) across higher education institutions. Three pilot institutions (the University of Utah, the University of Texas System, and the Massachusetts Institute of Technology) will be exploring technical, business, and operational issues for MFA in both enterprise and federated environments. Integrations with the Shibboleth and CAS authentication systems will be deployed for access to high-risk applications, such as password administration, remote network access, server administration, and financial management. The university campuses will deploy the Duo Security smartphone based MFA technology, selected for easy of deployment, to secure account access. For more information, contact David Walker on the Internet2 pilot team at dhwprof [at] gmail.com (dhwprof[at]gmail[dot]com).
Resilient Enables Education Ecosystem Leveraging Out-of-Band Phone Authentication. The Resilient Trust Network Pilot for NSTIC is seeking to connect the school information system applications at several school districts in California to a broader identity ecosystem. This will enable parents’ access to their child’s school records and other content with greater security and privacy. One solution available through the ecosystem will be the out-of-band phone authentication service from Authentify, Inc. This service will be one option for elevating trust that the parent is the actual user accessing the child’s record. The Authentify service will call the cell phone number on file with the school and require that the parent confirm their request for the records by entering a one-time password displayed on screen. Employing a second-factor service trusted even by highly security-conscious institutions will help eliminate breaches of children’s privacy through improper uses of school information systems, in particular as online access becomes more widely adopted. For information, visit the Authentify booth in the RSA exhibit hall (Booth # 629).