The nation's wireless carriers, the state of North Carolina and several online stores have been awarded $3 million in federal grants to do away with passwords and offer consumers other options to securely access online services, Commerce Department officials have announced.
The National Strategy for Trusted Identities in Cyberspace is seeding an industry-led initiative to build a better login.
The three pilot projects are intended to lay the foundation for a global ID exchange, where an Internet user would register for a single login credential that would work for any number of common transactions, such as online banking, booking train tickets and video streaming.
One project described by federal officials would harmonize subscriber sign-in mechanisms across the four major U.S. wireless networks, so that a smartphone user's mobile number and the data contained in the device's secure SIM card could be used to prove identification. GSMA, a mobile trade association, will lead the effort along with four major mobile carriers. Although not specifically named, the four largest U.S. carriers are Verizon, T-Mobile, AT&T and Sprint.
Another project called "Confyrm" will devise a way to flag login fraud, which would limit any potential ID theft or data breaches, according to Commerce officials. The participants include an undisclosed major Internet email provider, major mobile network and multiple e-commerce sites.
"Most companies don't make a habit of announcing what security solutions they are using, since doing so might be helpful to adversaries," NSTIC program lead Jeremy Grant said in an email to Nextgov to explain the secrecy. "The Confyrm partners did not want their names out there. At some point we may get permission to share."
In North Carolina, agencies will demonstrate how driver's licenses or other existing personal credentials can be used to essentially "sign off" on online transactions. Biometric ID provider MorphoTrust is teaming with the state's departments of transportation and health and human services on the initiative, officials said. Under the pilot, eligible residents will use data on their driver's licenses to apply for food stamps online, eliminating the need to visit an office for enrollment.
White House Cyber Czar: This is Not Big Brother
Since its inception in 2011, NSTIC has distributed three rounds of grants. Commerce's National Institute of Standards and Technology manages the program, but U.S. officials say the private sector is creating the technologies and handling the personal information -- not the government.
Privacy advocates have been leery of the government's association with the program, following revelations of mass domestic cyberspying. They do not want the technology morphing into a national ID card that makes it easy for feds to track anyone’s activities.
Despite unease about big brother, White House cyber czar Michael Daniel told Nextgov there is no cause for concern about the government's hand in password alternatives.
"The government's role in this was very minimal," he said during a brief interview Tuesday. "It was actually as a convener, and the solutions are actually coming from private-sector companies. And in fact, our whole goal with this has been to actually get the marketplace going. This is not a government solution for a problem. This is really us trying to spark the market to actually have a solution to a set of problems."
As previously reported, the federal government is launching a service as early as October that will let citizens access various dot-gov applications using the same sign-in credentials. Through "Connect.gov," users could enter, for example, their Gmail credentials to open various agency webpages that are behind firewalls, such as veterans' health records.
"Connect.gov is an important piece" of NSTIC, Daniel said. "You'll be seeing more from us over the next couple of months as we work on making that and rolling out some of those technologies and multifactor authentication and other things on more government websites."
NSTIC, in part, seeks to break down corporate barriers that so far have prevented more widespread adoption of password alternatives, including compatibility, liability, usability and privacy.
"The projects that industry and government have piloted under NSTIC are really starting to demonstrate results," Daniel said in a speech this week at a cybersecurity conference. "They are moving into the development stage where there are real workable solutions and not just PowerPoint or vaporware."
Still, it could be well beyond 2020 before an online ID exchange is fully propped up because policy and technical agreements will take time.
"Someone mentioned to me recently, if it only took us eight years to put someone on the moon. It's a little strange that we haven't been able to manage to implement stronger authentication and access in three decades," Daniel said. "One of our biggest priorities, one where we think there is a major role for the private sector to play, is killing the password dead."