NIST aims to boost ID ‘ecosystem’ to help end passwords
The federal program trying to promote stronger online ID security and alternatives to the password has issued draft guidance for organizations that want to adopt a common login so users can access all their services from a single online account.
Federated ID is a service which lets users access multiple sites or services via a single third-party login credential. While most people know this from logging into a website via Facebook or LinkedIn, government techies envisage a high-security version usable for financial services and healthcare providers.
“Any time you want to access a service online, you have to create a new account, submit your personal information and choose a password,” said David Temoshok, a senior advisor with the National Institute of Standards and Technology’s Trusted Identity Initiative Group, which published the draft guidance last week.
“I don’t know about you, but I have as many as 50-75 of these accounts at any given time,” said Temoshok. Although users are supposed to choose unique passwords for each account, and eschew proper names or dictionary words, few do. The result is the reuse across multiple accounts of weak passwords — and a criminal cornucopia for hackers.
A trust framework
Even if accounts are only secured with a password, the hope is that users will employ better passwords if they have fewer of them.
“For the service providers, they get to avoid the cost [and risk] of redundant ID management services,” Temoshok told CyberScoop in a telephone interview. “For the user … it streamlines the process.”
He gave as examples of existing ID federations InCommon, which dubs itself the “U.S. education and research identity federation,” and SAFE-BioPharma, which says it was “Created by the biopharmaceutical industry and its regulators to provide global high-assurance identity trust for cyber-transactions.”
The new NIST guidance is “not a how-to guide, but it shows organizations that are thinking about [federated ID] what kind of questions they should be asking,” he said. Like what the security rules should be for organizations that rely on each others’ ID verification procedures.
“Different levels of rigor [in ID and credential provisioning] provide different levels of assurance,” he said, adding that companies needed to tailor their procedures depending on the kind of services they provided and how damaging a successful hack would be.
“What risks are your services exposing users to?” asked Temoshok, saying organizations had to make sure that the federated ID authentication process they used was “appropriate” for that level of risk.
“What are your verification procedures” when the federated account is created? “What is the strength of the credential that’s issued?… How strong is the binding” that attaches it to the individual being identified?
“There’s not a standard format, template or set of rules,” he said. “It should all be tailored depending on the types of user and the types of transactions.”
The rules for how a particular federation will operate are dubbed a “trust framework” by the NIST guidance, which also provides advice about policing that trust.
Proving you’re ‘you’ on the Internet
Five years ago, the Obama administration launched an ambitious plan to create an online identity market. The National Strategy for Trusted Identities in Cyberspace envisaged the creation of an “ID ecosystem,” in which third party credential providers would offer ID-registration and authentication services to consumers and the companies trying to sell services to them.
Users would choose (and pay for) a federated ID provider who would then securely vouch for their identity to a growing set of online services.
But Temoshok acknowledges that the ID ecosystem hasn’t taken off the way the government wanted. “We haven’t seen the proliferation [of federated ID] that we’d hoped,” he said.
The guidelines are an effort to promote federated ID by emphasizing its flexibility, Temoshok said.
“We would like to see more commonality” between federated ID systems, he said, “But we also recognize that they’ll be established within discrete communities and according to their needs.”