VA.gov, other federal sites will accept universal credentials starting this fall.
With high-profile hacks exposing the futility of passwords, alternatives such as biometric identification and two-step verification are gaining popularity.
Waiting in the wings is a login network that could grant users access to many of their Internet accounts with a single registration.
The National Strategy for Trusted Identities in Cyberspace is the planning ground for this system, where users will not have to release personal information or create new passwords to log on to multiple websites. A “trusted” third party -- such as Verizon or PayPal -- would register your personal information once to create a password, fingerprint scan or other account-login mechanism. Each time you wanted to sign in to H&R Block or another online vendor, for example, you would enter that same ID.
The vision is not expected to be fully realized until after 2020. But one part of the network is slated to debut as early as next month, NSTIC head Jeremy Grant told Nextgov.
Connect.gov Launches at VA, but not IRS -- Yet
The U.S. government's piece of the ecosystem will be called Connect.gov, a login screen for citizens that ultimately will pop up on every secured federal form and website, according to agency planners. The name of the new initiative has not been publicly announced. The tool, ultimately, will validate credentials from a variety of approved ID providers, such as Google.
Connect.gov "is going to launch with a few key anchor agencies that will be testing it out in the first round," including the Department of Veterans Affairs, Grant said. The IRS, one of the most high-traffic federal sites, will not use the security system. A big wave of other agencies is expected to follow within the next 18 to 24 months, he said.
"The goal from the White House is that this quickly grows into a governmentwide shared service that all agencies are using -- across all government sites," Grant said of Connect.gov. "It’s basically production ready right now and agencies are doing integration testing."
The U.S. Postal Service will operate the backbone of the tool -- currently named the Federal Cloud Credential Exchange. It's a piece of infrastructure that will allow agencies to tap a large assortment of credentials managed by the ID providers.
The General Services Administration is handling contracts between the vendors and agencies.
The exchange will allow agencies to access digital credentials for various levels of ID security “through a common platform so they can provide a wide range of services and applications to citizens,” GSA spokeswoman Jackeline Stewart said in an email. “VA is just one agency using the program for their applications.”
She said more information on features will be released “when we launch later this year.”
The IRS supports the concept of the exchange and plans to incorporate it “in the coming years,” the tax agency told Nextgov in a statement. “It is important to note that reductions in IRS' budget” -- a total of $850 million since 2010 -- “have stretched IT and other resources across the agency.”
NIST Faces New Questions After NSA Encryption Revelations
The long-term NSTIC approach is being guided by the National Institute of Standards and Technology. The government affiliation has raised questions about the program's integrity, however. The National Security Agency reportedly pressured NIST into weakening a widely used cryptographic standard so NSA could break into private communications, a revelation that cast NIST as an accomplice to NSA surveillance. And it did nothing to quell criticism that NSTIC might become a Big Brother national ID card recording a citizen’s every point and click.
Grant, who is the NIST senior executive adviser for ID management, acknowledges he has received more questions about the government’s participation in NSTIC in recent months. But he insists it is a nonissue among the initiative's diverse industry partners.
For starters, the program's private sector-led steering group consists of entities often considered adversaries in the online privacy debate -- AARP, LexisNexis, Microsoft and both the American Civil Liberties Union and NSA. The steering group will soon be spun off into a nonprofit, according to members.
"Despite the concerns and the outrage over some of the other stories coming out, by and large, the folks that we’ve been working with recognize that NSTIC is a strategy," Grant said. "It calls on the private sector to help develop something, and the government actually doesn’t have control here. We’re not building any new system. We’re not trying to set up a central database."
He says the outcome of the project will be the opposite of snooping. "Any time the government’s involved in these things [people] may have concerns, but they are also excited about what we are trying to do, which is partnering with the private sector to ultimately deliver better privacy and security," Grant said.
Wider Acceptance Could Take Years
NIST, Connect.gov, the Federal Cloud Credential Exchange and NSTIC will not store any personal information. The government is not running NSTIC, but rather arranging meetings and small grants for the companies that manage the technology, Grant said.
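The brokered model described above, as an added illustration (not code from Connect.gov, the Federal Cloud Credential Exchange or any ID provider): a stateless broker checks that a credential assertion comes from an approved provider, that the asserted assurance level is both within that provider's approval and sufficient for the agency application, and hands the agency a per-application pseudonym instead of the provider's raw identifier, so the broker keeps no personal data. The HMAC-based signatures, provider names, level numbers and the pairwise-pseudonym design are assumptions made for this example.

```python
import hmac
import hashlib
import json

# Constructed sample registry: approved providers and the highest assurance
# level each may assert (placeholder names, not the real program's registry).
APPROVED_PROVIDERS = {
    "idp-example-a": {"key": b"provider-a-secret", "max_level": 3},
    "idp-example-b": {"key": b"provider-b-secret", "max_level": 1},
}
# Assurance level each agency application requires (constructed values).
AGENCY_APPS = {"va-health-portal": 3, "agency-newsletter": 1}
# Broker-held secret used to derive per-application pseudonyms (assumption).
BROKER_SECRET = b"broker-pairwise-secret"


def provider_sign(provider, claims):
    """Simulate an ID provider signing an assertion; HMAC stands in for a real signature."""
    body = json.dumps(claims, sort_keys=True)
    key = APPROVED_PROVIDERS[provider]["key"]
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"provider": provider, "body": body, "tag": tag}


def broker_exchange(assertion, app):
    """Validate an assertion for an agency app and return a minimal result, storing nothing."""
    prov = APPROVED_PROVIDERS.get(assertion.get("provider"))
    if prov is None:
        return {"ok": False, "reason": "provider not approved"}
    body = assertion["body"].encode()
    expected = hmac.new(prov["key"], body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["tag"]):
        return {"ok": False, "reason": "bad signature"}
    claims = json.loads(body)
    level = claims.get("level", 0)
    # A provider may not assert a level above its approval, and the
    # application's required level must be met.
    if level > prov["max_level"] or level < AGENCY_APPS[app]:
        return {"ok": False, "reason": "insufficient assurance"}
    # Pairwise pseudonym: the agency never sees the provider's subject id,
    # and the same credential yields a different value at each application.
    seed = f"{claims['sub']}|{app}".encode()
    pairwise = hmac.new(BROKER_SECRET, seed, hashlib.sha256).hexdigest()[:16]
    return {"ok": True, "subject": pairwise, "level": level}
```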
NSTIC, for example, awarded $2.8 million to credential-creator ID.me. As a result, a retired military member now can register online for a single ID.me login -- and then sign in to any of a number of sites that offer discounts on Uber car rides, free shipping at Overstock.com and other perks.
"That same credential, once the Federal Cloud Credential Exchange goes live, should also be able to be used at the Department of Veterans Affairs to log into the My HealtheVet.gov portal -- and download health information," Grant said.
The steering group is expected to announce additional grants and pilot programs later this week.
ID.me officials say their user base will reach 2 million people by the end of 2014.
Still, ID.me, PayPal, and other outside logins are not anticipated to be widely accepted for years, because compatibility will require a new regime of security standards, liability policies and business rules.
The actual tools are the least of the holdups.
"There is no shortage of technologies, but if most of the businesses I’m dealing with online aren’t going to actually allow me to use it when I log in, then it’s not really worth anything to me," Grant said.
For example, will Apple and Amazon let users log into their apps with a Google ID?
Some Legal Questions Remain Unresolved
Aside from branding issues, there are legal questions. "What happens if something’s compromised and something’s lost?" Grant said. "Who is actually liable? A lot of things can be addressed through standard contract terms."
He compares the online login system to the traditional payment card system.
"I’ve got two VISA cards in my wallet. One from U.S. Bank. One from Chase," Grant explained. "If I go down to the Starbucks around the corner and buy a cup of coffee, they could care less which card I present, because both of them have the VISA logo on it. And it’s not just a shiny logo. It’s a 'trust mark' that stands for a whole bunch of standards and operating rules behind the scenes that govern everything from how the card is produced in a secure environment, how it's authenticated at the point of sale . . . how many days it will take for Starbucks to get paid by the bank.”
The login system, like the payment system at Target and any other networked system, is bound to be hacked at some point. The unresolved issue for the ID strategy is who becomes responsible for losses.
With payment systems, there are "rules in place that allocate liability between the consumer, the merchant and the issuing bank," Grant said. "We don’t have anything that’s like that for online credentialing" -- yet.