a NIST blog
Last week marked three years since President Obama signed the National Strategy for Trusted Identities in Cyberspace (NSTIC). In the NSTIC, the President called for a new private-public sector partnership to create an Identity Ecosystem, where all consumers could choose from a variety of credentials that could be used in lieu of passwords to enable more secure, convenient and privacy-enhancing transactions everyplace they go online.
Looking back over the last three years, one thing that stands out is how much easier it has become to make people understand the problems with passwords – the recent Heartbleed bug is only the latest in a seemingly endless series of incidents highlighting this issue – and the need to embrace multifactor authentication as a way to protect themselves against attacks.
While it’s been great to see the marketplace respond with increased support for two-factor authentication solutions, the reality is that consumers aren’t going to respond to an effort to replace the 25-30 passwords most of us manage today with 25-30 separate, stovepiped two-factor solutions. We have to do better.
To truly improve security, we need to also improve convenience. And that requires interoperability of strong credentials – at both a technical and a policy level – enabling consumers to use (should they so choose) the same strong credential at multiple sites.
To that end, it was great to see more than 170 people gather in person at Symantec’s headquarters in Mountain View, California earlier this month – joined by another 70 online – for the 8th plenary meeting of the Identity Ecosystem Steering Group (IDESG). The IDESG was formed 20 months ago specifically to create a framework of standards, policies and business rules for the Identity Ecosystem that would enable this interoperability.
What stood out about this most recent meeting was how much progress the IDESG is making – in both committees and in the full plenary – on advancing the Identity Ecosystem Framework (IEF):
The role of the pilots in supporting the IDESG – and of the IDESG in supporting the pilots – continues to expand with each plenary. As both efforts advance, they are together helping to influence the marketplace, address barriers to marketplace adoption of better identity solutions, and create a framework to support a viable Identity Ecosystem.
Three years in, there is still much work to be done – but there is also tremendous progress. With the IDESG incorporating as a formal not-for-profit corporation, the formal launch of the Federal Cloud Credential Exchange (FCCX) later this spring and a third round of NSTIC pilots set to launch in September, 2014 looks to continue to be a very exciting year.
We appreciate the efforts so many of you have made over the last three years – and look forward to working more with you over the months and years to come as we drive material improvements in the way we enable trusted identities in cyberspace. However much it pains us to see yet another failing of poor authentication systems, it only serves to validate our efforts to date and motivate us to work harder towards the NSTIC vision.
We look forward to seeing you all at the Ninth IDESG plenary, which we are pleased to host at NIST June 17-19.