NIH's ID system could be start of single sign-on for government services

Government officials say new technology will let citizens log on once to access a variety of Web sites for public services and information.

Researchers and other visitors to Web sites operated by the National Institutes of Health now can speed through the once arduous process of accessing privacy-protected pages on multiple sites by entering a single password one time.

NIH is one of the first federal agencies to take advantage of the OpenID service that providers unveiled on Wednesday. OpenID enables users registered with a participating provider to switch between secure federal sites without having to log in repeatedly. Equifax, Google and PayPal are members of the new coalition of providers, called the Open Identity Exchange, that has developed a framework for securely sharing user credentials among federal and commercial Web sites.

"It's a real advantage for the user, who doesn't have to get another password and try to remember it," said Peter Alterman, senior adviser to the NIH chief information officer for strategic initiatives. The National Library of Medicine this week began offering a front door, a single sign-on page called the NIH Federated Identity Service. Visitors can use the service to access about 10 applications, including the NIH library and an application for training winners of grants covering allergy and infectious diseases research. The service eventually could provision credentials for up to 450 NIH applications.

The General Services Administration has approved Open Identity Exchange technology and its policies. Equifax, Google and PayPal are the first identity management companies certified by the exchange to launch their technology on federal sites. The long-term goal is for citizens to be able to log on to one of the providers to complete a variety of transactions such as applying for a government job, changing an address and checking the status of a tax refund -- all during the same online session.

For the federal government, the benefits are equal, if not greater. "The less personal information that we have to keep, the safer things are," Alterman said. Also, "We don't have to maintain a directory or a list of IDs and passwords." Help desks that support credentialing and reset passwords all cost money, he added.

The exchange is a public-private partnership that represents trust between the government and industry, which built the framework, and between the government and citizens, who will obtain more services online if they know they can do so easily and securely, said Ron Carpinella, a vice president at Equifax Identity Management. "This is a first step to go forward and move toward those goals," he said.

Equifax, known mostly for its credit report business, manages files on more than 250 million people, which is most of the adult U.S. population. Its database provides NIH and other agencies a potentially huge user base, Carpinella noted. "This is just scratching the surface of where it can go," he said.

Eric Sachs, senior product manager at Google, said in a statement, "We've already seen encouraging implementations of identity technologies in the industry, and our hope is that the work of the [exchange] will expand on this progress to help facilitate more open government participation, as well as improve security on the Internet by reducing password use across Web sites."

PayPal officials said the GSA-approved framework was critical to the success of digital identity. "Trusted identities and consumer control of personal information are essential to the effectiveness of transactions on the Internet," Andrew Nash, senior director of identity services for the company, said in a statement.