NSTIC pilots provide real world options for identity management

By: William Jackson
March 6, 2015


As NIST opens a new round of pilot grants for identity verification schemes, a number of earlier NSTIC pilots already have proved their worth in solving the knotty problem of managing identities online.

The National Institute of Science and Technology has announced its fourth round of grants to fund pilot programs for innovative identity verification schemes. The program provides seed money to further the National Strategy for Trusted Identities in Cyberspace (NSTIC), which addresses the knotty problem of managing identities online.

Because online IDs are critical to commercial and governmental transactions in today’s digital economy, identity management is a high-risk, high-reward area that can use a federal jumpstart to move innovative ideas into the marketplace, said Jeremy Grant, outgoing director of the NSTIC National Program Office, which is housed at NIST.

“Some pilots may fail, and this is okay,” Grant said. Those programs that succeed can move the ball forward in creating a secure, easy-to-use online identity ecosystem.

The first round of grants was awarded in 2012, and several pilots already have proved themselves. TroopID was launched in 2012 to perform one task: Verify the status of military veterans so that they could take advantage of services, discounts and other perks offered to vets. The band KISS used the service for advance ticket sales to vets. TroopID has evolved to ID.me to make online shopping discounts available to members by verifying their status in eligible groups.

ID/Dataweb is an Attribute Exchange Network that started life with an NSTIC pilot. The subsidiary of Criterion Systems enables the exchange of only the appropriate attributes needed for an authentication, allowing users to establish the needed level of identity without sacrificing privacy.

Managing identity online has proved to be a surprisingly challenging task. The default scheme for several decades has been user ID/password, which in theory should work just fine. Passwords can be made secure, they are easy to manage on the back end, and easy for users to create for themselves on the front end. The problem is one of scale. Users managing dozens or scores of passwords either quickly lose track of them or reduce their security by reusing the same simple passwords. Organizations managing passwords for thousands of accounts quickly become swamped by password reset requests. Single or reduced sign-on schemes, which provide access to multiple accounts through a single tool or account, offer some promise but have their own drawbacks, including the need for widespread support from service providers, concerns about privacy and tracking, and the threat of a single point of failure.

So NSTIC was launched to advance creation of a secure identity ecosystem built on multiple solutions that are voluntary, secure, interoperable, cost-effective, and user friendly.

The program has received more than 300 grant proposals in the past three years, Grant said. The coming round will fund several pilots with $1 million to $2 million a year for up to two years. The pilots are not for research and development, but to move existing technologies into the marketplace that otherwise would not get the opportunity. First-round abbreviated applications are due by March 17. Those passing the first round will be requested to file full applications. Details are available at Grants.gov.

One of the major challenges faced by new identity management solutions is not technical, but business, Grant said. It is difficult to get major online service providers to commit to trusting shared credentials from third-party providers. It is not that they are unwilling to off-load some of the identity management burden to another party, but there are business and legal concerns in adopting a new scheme. That means that to succeed, pilot programs must offer not only secure and reliable technology, but also a compelling business model for their customers.