NIST Leads the Charge on Online Authentication

It's been a long time coming. After any number of heavy-handed approaches to online identity management, the federal government looks like it is trying a more enlightened approach. Last week the White House announced that the Commerce Department will be in charge of developing identity systems for the internet. This is not an easy nut to crack --- but assigning it to Commerce, and to its technical sidekick, the National Institute of Standards and Technology (NIST), is definitely a move in the right direction: an agency that knows how to work with business, paired with a lab that knows how to work with industry on technical standards.

A decade ago, industry began developing "single sign-on" systems for online identity management: authenticate yourself once and you could travel around the network with ease, having proved you were who you said you were. But these early systems had problems. Microsoft's Passport centralized all the data in one company's hands -- creating privacy problems, and a single high-value target -- and was eventually abandoned as a cross-site identity service, while the Liberty Alliance federated-identity effort driven by Sun Microsystems was aimed more at satisfying corporations' needs than those of individuals (full disclosure: I worked on the Liberty system while I was at Sun). Success was elusive, and the broader problem of simple, easy, secure, privacy-preserving online authentication for everyday use remained unresolved.

Bits and pieces were suggested. When blogging -- and commenting -- developed, sites sought a lightweight identity system, and OpenID filled the spot. Identified by a URL (or, in many comment forms, just an email address) that the user claims to control, these mechanisms were easy to use -- but quite a bit less than fully secure: the relying site simply redirects you to your identity provider, so the scheme is only as strong as that provider's own login, usually a password, and the redirect itself is an invitation to phishing. The need for simple, easy, secure, privacy-preserving online authentication did not go away. Indeed, with more and more critical infrastructure online, and high-level cyberexploitations of U.S. industry, the need for such authentication was increasing. OpenID did not fit the bill. But while Defense Department solutions such as smart-card PKI credentials might solve the security issues, they don't provide simple, easy, secure, privacy-preserving online authentication for everyday use.

The issue is that there are many needs for online authentication, from protecting the control systems of the electric power grid to authenticating the user who is buying a pair of jeans at L.L. Bean, and no single mechanism serves them all. That is exactly the point. Authentication to access critical infrastructure should be highly secure and robust. Authentication to leave a comment on a blog should be simple and easy to use. Authentication for patients to access their own online medical records should be easy to use and secure; authentication for a doctor to access all her patients' records should be easy to use and highly secure. And some things shouldn't be authenticated at all. Some people really enjoy Amazon's book recommendations, while others want to be able to browse the "shelves" anonymously. The latter might not be easy to do -- even with cookies shut off, your browser provides a "fingerprint" of who you are -- but there are plenty of people who want a fair bit of anonymity as they traverse the network, and there are plenty of times that such anonymity is more than appropriate.

Now industry doesn't have all the answers (online tracking is a case where the public's interests and industry's plainly diverge). But industry does care about building products that the public wants. In cryptography, NIST's Information Technology Laboratory has shown it can manage a process -- the open competition that produced AES is the model -- that results in trusted security standards supported by government and industry. So putting Commerce and NIST in the forefront of developing online authentication standards is a belated but useful first step toward providing online authentication solutions.