EXCLUSIVE: New Aims to Consolidate Your Passwords


With high-profile hacks exposing the futility of passwords, alternatives such as biometric identification and two-step verification are gaining popularity. 

Waiting in the wings is a login network that could grant users access to many of their Internet accounts with a single registration. 

The National Strategy for Trusted Identities in Cyberspace is the planning ground for this system, where users will not have to release personal information or create new passwords to log on to multiple websites. A “trusted” third party -- such as Verizon or PayPal -- would register your personal information once to create a password, fingerprint scan or other account-login mechanism. Each time you wanted to sign in to H&R Block or another online vendor, for example, you would enter that same ID.

The vision is not expected to be fully realized until after 2020. But one part of the network is slated to debut as early as next month, NSTIC head Jeremy Grant told Nextgov.

Launches at VA, but not IRS -- Yet

The U.S. government's piece of the ecosystem will be called, a login screen for citizens that ultimately will pop up on every secured federal form and website, according to agency planners. The name of the new initiative has not been publicly announced. The tool, ultimately, will validate credentials from a variety of approved ID providers, such as Google. "is going to launch with a few key anchor agencies that will be testing it out in the first round," including the Department of Veterans Affairs, Grant said. The IRS, one of the most high-traffic federal sites, will not use the security system. A big wave of other agencies is expected to follow within the next 18 to 24 months, he said.

"The goal from the White House is that this quickly grows into a governmentwide shared service that all agencies are using -- across all government sites," Grant said of "It’s basically production ready right now and agencies are doing integration testing."

The U.S. Postal Service will operate the backbone of the tool -- currently named the Federal Cloud Credential Exchange. It's a piece of infrastructure that will allow agencies to tap a large assortment of credentials managed by the ID providers. 

The General Services Administration is handling contracts between the vendors and agencies.

The exchange will allow agencies to access digital credentials for various levels of ID security “through a common platform so they can provide a wide range of services and applications to citizens,” GSA spokeswoman Jackeline Stewart said in an email. “VA is just one agency using the program for their applications.”

She said more information on features will be released “when we launch later this year.”

The IRS supports the concept of the exchange and plans to incorporate it “in the coming years,” the tax agency told Nextgov in a statement. “It is important to note that reductions in IRS' budget” -- a total of $850 million since 2010 -- “have stretched IT and other resources across the agency.”

NIST Faces New Questions After NSA Encryption Revelations

The long-term NSTIC approach is being guided by the National Institute of Standards and Technology. The government affiliation has raised questions about the program's integrity, however. The National Security Agency reportedly pressured NIST into weakening a widely used cryptographic standard so NSA could break into private communications, a revelation that cast NIST as an accomplice to NSA surveillance. And it did nothing to quell criticism that NSTIC might become a big brother national ID card recording a citizen’s every point and click.

Grant, who is the NIST senior executive adviser for ID management, acknowledges he has received more questions about the government’s participation in NSTIC in recent months. But he insists it is a nonissue among the initiative's diverse industry partners. 

For starters, the program's private sector-led steering group consists of entities often considered adversaries in the online privacy debate -- AARP, LexisNexis, Microsoft and both the American Civil Liberties Union and NSA. The steering group will soon be spun off into a nonprofit, according to members.

"Despite the concerns and the outrage over some of the other stories coming out, by and large, the folks that we’ve been working with recognize that NSTIC is a strategy," Grant said. "It calls on the private sector to help develop something, and the government actually doesn’t have control here. We’re not building any new system. We’re not trying to set up a central database."

He says the outcome of the project will be the opposite of snooping. "Any time the government’s involved in these things [people] may have concerns, but they are also excited about what we are trying to do, which is partnering with the private sector to ultimately deliver better privacy and security," Grant said. 

Wider Acceptance Could Take Years

NIST,, the Federal Cloud Credential Exchange and NSTIC will not store any personal information. The government is not running NSTIC, but rather arranging meetings and small grants for the companies that manage the technology, Grant said. 

NSTIC, for example, awarded $2.8 million to credential-creator As a result, a retired military member now can register online for a single login -- and then sign in to any of a number of sites that offer discounts on Uber car rides, free shipping at and other perks. 

"That same credential, once the Federal Cloud Credential Exchange goes live, should also be able to be used at the Department of Veterans Affairs to log into the My portal -- and download health information," Grant said. 

The steering group is expected to announce additional grants and pilot programs later this week. officials say their user-base will reach 2 million people by the end of 2014. 

Still,, PayPal, and other outside logins are not anticipated to be widely accepted for years, because compatibility will require a new regime of security standards, liability policies and business rules.

The actual tools are the least of the holdups. 

"There is no shortage of technologies, but if most of the businesses I’m dealing with online aren’t going to actually allow me to use it when I log in, then it’s not really worth anything to me," Grant said. 

For example, will Apple and Amazon let users log into their apps with a Google ID? 

Some Legal Questions Remain Unresolved

Aside from branding issues, there are legal questions. "What happens if something’s compromised and something’s lost?" Grant said. "Who is actually liable? A lot of things can be addressed through standard contract terms."

He compares the online login system to the traditional payment card system. 

"I’ve got two VISA cards in my wallet. One from U.S. Bank. One from Chase," Grant explained. "If I go down to the Starbucks around the corner and buy a cup of coffee, they could care less which card I present, because both of them have the VISA logo on it. And it’s not just a shiny logo. It’s a 'trust mark' that stands for a whole bunch of standards and operating rules behind the scenes that govern everything from how the card is produced in a secure environment, how it's authenticated at the point of sale . . . how many days it will take for Starbucks to get paid by the bank.”

The login system, like the payment system at Target and any other networked system, is bound to be hacked at some point. The unresolved issue for the ID strategy is who becomes responsible for losses. 

With payment systems, there are "rules in place that allocate liability between the consumer, the merchant and the issuing bank," Grant said. "We don’t have anything that’s like that for online credentialing" -- yet.
