It’s Not Just About Security; Identity is the Great Enabler

Last week, President Obama signed a new Executive Order calling for “all agencies making personal data accessible to citizens through digital applications” to “require the use of multiple factors of authentication and an effective identity proofing process.” The President set a deadline of 18 months for agencies to comply.

Since the release of this Executive Order, the press has focused quite a bit on how it will improve the security of government sites, and help better protect the security and privacy of citizens’ data. It’s an important point – especially because the vast majority of data breaches are executed by exploiting the weaknesses of passwords. However, the benefits of improving identity go well beyond security. What is most exciting about this new Executive Order is how it will enable government to more effectively serve the American people through a wide array of new citizen-facing digital government applications.

Since the advent of the Internet in the 1990s, the vast majority of government websites have focused on low-value or passive applications – sharing general information about government activities and answering common questions about programs. But higher-value applications that enable citizens to have a truly personalized experience (e.g. transacting business with government or obtaining personal data) have largely been mired in the offline world.

The reason has been simple: higher-value applications come with higher risk, so agencies will only offer a service online if there’s an easy way to ascertain whether the “person” on the other end of a transaction is really who he or she claims to be. Twenty-one years after the New Yorker proclaimed, “On the Internet, nobody knows you’re a dog,” we’re still dealing with certain services being stuck in the paper world because agencies can’t reliably authenticate identities online.

There’s nothing wrong with being a “dog” on the Internet, per se – the ability to be anonymous or pseudonymous online has been a hallmark of the Internet, and must continue to be. Conversely, there are times when the ability to assert your true identity online is essential to enabling high-value services – and ensuring that someone else cannot impersonate you.

Three and a half years ago, President Obama signed the National Strategy for Trusted Identities in Cyberspace (NSTIC). Targeted at the growing array of cybersecurity problems caused by passwords and other weak identity solutions, NSTIC called for the private sector to partner with government on the creation of an Identity Ecosystem – essentially a marketplace of stronger identity solutions that Americans could use in lieu of passwords to not only better protect their privacy and security online, but also to engage in new types of trusted transactions.

Identity is the great enabler here – if we have easy-to-use identity solutions that enable secure and privacy-enhancing transactions, we can enable citizens to engage with government in more meaningful ways. With a vibrant Identity Ecosystem – where citizens can use the same credential to access services at multiple sites – we can enable a wide array of new citizen-facing digital services while reducing costs and hassles for individuals and government agencies alike.

In the three and a half years since the NSTIC was first signed, the market has responded. Many private firms have started offering multi-factor authentication (MFA) to their customers, ensuring that the most commonly executed, password-centric attacks are no longer viable. And, through more than a dozen NSTIC pilots, the private sector has demonstrated material progress in advancing more secure, privacy-enhancing, easy-to-use identity solutions. It’s time for the government to make sure our own services are embracing the best the market now has to offer.

Last week’s Executive Order calls on three parts of the White House – the Office of Management and Budget, the Office of Science and Technology Policy, and the National Security Council – to craft a plan over the next 90 days detailing how agencies will comply with the Order. We at the NSTIC National Program Office (NPO) look forward to supporting the White House however we can as they move forward.

Comments

I suggest turning to our Experts on Identification, Monitoring, and Controlling access of both individuals, devices, interconnecting media, and executable programs. We discussed doing this 20 years ago when it was considerably more difficult with IPv3/4. Now with the technical advances provided with IPv6, the only real problem will be the same one we had and that is who is going to pick up the tab. Everyone said that we could not expect them to go to their BOD for the cost associated with securing the National Strategic Assets (now known as: Industrial critical systems etc.) on their network. Starting point may be specific IP/MAC address in conjunction with bio-implant.

Hi Howard: You seem to be suggesting IPv6 solves the identity problem and that it is mainly a question of who will pick up the tab. Although I'm not an IPv6 expert, I don't believe it does much to unambiguously confirm the identities of the remotely located persons. We can all agree that for low value transactions verifiable identities are not particularly necessary. However, when engaging in high value online transactions, collaborating services and persons need elevated identity assurances - i.e. "who's there?" It seems to me we do not have an identity model and standards that overcome our current (dare I say) hodgepodge approach to identity and authentication across the web. I'd be curious to hear what you and others say about this.
