The Green Sheet Online Edition
November 24, 2014 • Issue 14:11:02
Addressing the digital identity crisis
One of the greatest challenges in today's electronically driven world is how to simplify digital identification. Whether they are buying products online, applying for health insurance, paying bridge tolls or traveling across country borders; it is usually necessary for the people carrying out these transactions to authenticate themselves.
The problem is that each type of transaction uses distinct identification requirements. People now typically access multiple digitally managed services daily, and they are thus responsible for handling various personal passwords, ID cards, tickets, key fobs, etc., each of which is vulnerable to fraud, cyber-attack and loss. And theft of this type of sensitive data is outpacing release of improved authentication solutions.
A global issue
This ID fragmentation is gaining attention from governments across the globe, many of which are taking a closer look at what can be done to create a more unified solution. Regulations have begun to emerge, with Europe leading the charge when it adopted the Electronic Identification and Trust Services (eIDAS) regulation in June 2012. After various amendments by the European Parliament, the final version of this regulation was set to commence in February 2014.
Countries such as Portugal and Cape Verde were early adopters, both launching versions of chip-enhanced citizen identity cards that store cardholder information such as digital certificates and signatures, fingerprints and other biometric data, and medical records. The cards are designed to combine multiple ID sources, and they use dual authentication.
The NSTIC mission
The United States responded to the need for centralized digital identification through a White House initiative known as the National Strategy for Trusted Identities in Cyberspace (NSTIC). An Identity Ecosystem Steering Group was enacted to "work collaboratively with the private sector, advocacy groups, public sector agencies, and other organizations to improve the privacy, security, and convenience of online transactions."
The NSTIC website states, "Cyber crime is growing and has become more organized and sophisticated. As we increasingly perform high-value transactions online such as mortgage applications, buying stocks, or reviewing health care information, our vulnerability to theft, fraud, and privacy violations increases proportionately."
The goal is to develop a user-centric "identity ecosystem" or an online environment where individuals and organizations are able to trust each other through agreed upon standards for obtaining and authenticating digital identities, as well as the digital identities of devices. It is expected this system will be built around a set of collaborative private partnerships, which, among other things, will ensure that no one provider is in control of the entire system and cardholders can choose providers they prefer. It is believed this will increase security and reduce the risk of system-wide threats.
An identity ecosystem
How will it work? Just like a bank card and PIN, a password and a credential in physical form (such as a cell phone, token or smart card) is considered a more secure way of doing business than using passwords alone. An identity ecosystem "credential" can send different types of information to different service providers, thereby reducing the number of passwords and PINs needed. For example, you could log in as "John321" to an online subscription without your actual name, but you could also access medical records using the same credential, which can also prove you're really "John C. Doe."
It will also use a multifactor authentication system, which has been proven to be more secure than using passwords alone. One such method could be a digital certificate on a cell phone (something we have) which requires a password (something we know). Users who elect to use multiple certification methods will still have a short list of passwords or PINs to remember, but the list will be significantly smaller than today's. If a credential is lost, it will also be easier, quicker and more secure to notify one credential provider.
As far as progress, the NSTIC stated it will likely be "some years before the full promise of the Identity Ecosystem is in place," but it also noted that some providers are already launching products.
Meanwhile, Europe continues to move ahead in earnest. The sixth edition of the eID Conference was held in October 2014 in Budapest, Hungary, drawing participants from over 40 countries and featuring 200 electronic identity experts in workshops.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.