
EXCLUSIVE: New Connect.gov Aims to Consolidate Your Passwords

Florida3d/Shutterstock.com

With high-profile hacks exposing the futility of passwords, alternatives such as biometric identification and two-step verification are gaining popularity. 

Waiting in the wings is a login network that could grant users access to many of their Internet accounts with a single registration. 

The National Strategy for Trusted Identities in Cyberspace is the planning ground for this system, where users will not have to release personal information or create new passwords to log on to multiple websites. A “trusted” third party -- such as Verizon or PayPal -- would register your personal information once to create a password, fingerprint scan or other account-login mechanism. Each time you wanted to sign in to H&R Block or another online vendor, for example, you would enter that same ID. 

The vision is not expected to be fully realized until after 2020. But one part of the network is slated to debut as early as next month, NSTIC head Jeremy Grant told Nextgov.

Connect.gov Launches at VA, but not IRS -- Yet

The U.S. government's piece of the ecosystem will be called Connect.gov, a login screen for citizens that ultimately will pop up on every secured federal form and website, according to agency planners. The name of the new initiative has not been publicly announced. The tool, ultimately, will validate credentials from a variety of approved ID providers, such as Google.

Connect.gov "is going to launch with a few key anchor agencies that will be testing it out in the first round," including the Department of Veterans Affairs, Grant said. The IRS, one of the most high-traffic federal sites, will not use the security system. A big wave of other agencies is expected to follow within the next 18 to 24 months, he said. 

"The goal from the White House is that this quickly grows into a governmentwide shared service that all agencies are using -- across all government sites," Grant said of Connect.gov. "It’s basically production ready right now and agencies are doing integration testing."

The U.S. Postal Service will operate the backbone of the tool -- currently named the Federal Cloud Credential Exchange. It's a piece of infrastructure that will allow agencies to tap a large assortment of credentials managed by the ID providers. 

The General Services Administration is handling contracts between the vendors and agencies.

The exchange will allow agencies to access digital credentials for various levels of ID security “through a common platform so they can provide a wide range of services and applications to citizens,” GSA spokeswoman Jackeline Stewart said in an email. “VA is just one agency using the program for their applications.”

She said more information on features will be released “when we launch later this year."

The IRS supports the concept of the exchange and plans to incorporate it “in the coming years,” the tax agency told Nextgov in a statement. “It is important to note that reductions in IRS' budget” -- a total of $850 million since 2010 -- “have stretched IT and other resources across the agency.”

NIST Faces New Questions After NSA Encryption Revelations

The long-term NSTIC approach is being guided by the National Institute of Standards and Technology. The government affiliation has raised questions about the program's integrity, however. The National Security Agency reportedly pressured NIST into weakening a widely used cryptographic standard so NSA could break into private communications, a revelation that cast NIST as an accomplice to NSA surveillance. And it did nothing to quell criticism that NSTIC might become a Big Brother national ID card recording a citizen’s every point and click.

Grant, who is the NIST senior executive adviser for ID management, acknowledges he has received more questions about the government’s participation in NSTIC in recent months. But he insists it is a nonissue among the initiative's diverse industry partners. 

For starters, the program's private sector-led steering group consists of entities often considered adversaries in the online privacy debate -- AARP, LexisNexis, Microsoft and both the American Civil Liberties Union and NSA. The steering group will soon be spun off into a nonprofit, according to members.

"Despite the concerns and the outrage over some of the other stories coming out, by and large, the folks that we’ve been working with recognize that NSTIC is a strategy," Grant said. "It calls on the private sector to help develop something, and the government actually doesn’t have control here. We’re not building any new system. We’re not trying to set up a central database."

He says the outcome of the project will be the opposite of snooping. "Any time the government’s involved in these things [people] may have concerns, but they are also excited about what we are trying to do, which is partnering with the private sector to ultimately deliver better privacy and security," Grant said. 

Wider Acceptance Could Take Years

NIST, Connect.gov, the Federal Cloud Credential Exchange and NSTIC will not store any personal information. The government is not running NSTIC, but rather arranging meetings and small grants for the companies that manage the technology, Grant said. 

NSTIC, for example, awarded $2.8 million to credential-creator ID.me. As a result, a retired military member now can register online for a single ID.me login -- and then sign in to any of a number of sites that offer discounts on Uber car rides, free shipping at Overstock.com and other perks. 

"That same credential, once the Federal Cloud Credential Exchange goes live, should also be able to be used at the Department of Veterans Affairs to log into the My HealtheVet.gov portal -- and download health information," Grant said. 

The steering group is expected to announce additional grants and pilot programs later this week.

ID.me officials say their user base will reach 2 million people by the end of 2014. 

Still, ID.me, PayPal, and other outside logins are not anticipated to be widely accepted for years, because compatibility will require a new regime of security standards, liability policies and business rules.

The actual tools are the least of the holdups. 

"There is no shortage of technologies, but if most of the businesses I’m dealing with online aren’t going to actually allow me to use it when I log in, then it’s not really worth anything to me," Grant said. 

For example, will Apple and Amazon let users log into their apps with a Google ID? 

Some Legal Questions Remain Unresolved

Aside from branding issues, there are legal questions. "What happens if something’s compromised and something’s lost?" Grant said. "Who is actually liable? A lot of things can be addressed through standard contract terms."

He compares the online login system to the traditional payment card system. 

"I’ve got two VISA cards in my wallet. One from U.S. Bank. One from Chase," Grant explained. "If I go down to the Starbucks around the corner and buy a cup of coffee, they could care less which card I present, because both of them have the VISA logo on it. And it’s not just a shiny logo. It’s a 'trust mark' that stands for a whole bunch of standards and operating rules behind the scenes that govern everything from how the card is produced in a secure environment, how it's authenticated at the point of sale . . . how many days it will take for Starbucks to get paid by the bank.”

The login system, like the payment system at Target and any other networked system, is bound to be hacked at some point. The unresolved issue for the ID strategy is who becomes responsible for losses. 

With payment systems, there are "rules in place that allocate liability between the consumer, the merchant and the issuing bank," Grant said. "We don’t have anything that’s like that for online credentialing" -- yet.
