For those of us with bad memories, the inconvenience of coming up with a new identity and password for sites we frequently visit has since the dawn of the Internet been a true pain. We put up with it in part because we have to do so, and in part out of fear that our identities and the accounts they let us access will be compromised. Good news! Help may be on the way.
A team of leading online-identity and technology providers, led by Criterion Systems and Verizon, has been awarded a federal grant to develop a pilot program to test new solutions that will create a seamless, more secure online identity system.
The National Strategy for Trusted Identities in Cyberspace (part of the U.S. Commerce Department's National Institute of Standards and Technology) is a public- and private-sector initiative launched by the White House in 2011 and is providing the funds. Verizon has revealed that it is one of two providers of high-assurance identity credentials on the pilot program team. It will use its Universal Identity Services platform in the program.
The program is designed to determine the feasibility of providing cost-effective and easy-to-use "trust elevation," or validation efforts, for online credentials. With trust elevation, individuals will be able to use one set of credentials to access any website, including those with sensitive data such as online banking and medical records.
What’s different that is being tested?
Trust elevation uses a username and password in combination with additional information to electronically validate the user's online identity. Here is how validation would work: To obtain initial access to a website, a user would be asked to provide a username and password. Then, depending on the type of online transaction involved, a series of automatic validation steps would occur. This could include such things as the user's fingerprint, recent financial transaction or mobile phone information, or be asked to answer a question that an online merchant can verify. Obviously, if the correct information is provided, the online transaction would proceed; if not, the online merchant would either cancel the order or contact the purchaser to confirm his identity.
"It is clear that the traditional method of using non-validated usernames and passwords for secure online access is no match for determined cybercriminals," said Peter Tippett, vice president of Verizon Enterprise Solutions' innovation incubator.
"Through close collaboration with Criterion Systems, our objective is to transform how usernames and passwords are used and online identities are validated to provide a safer, more trustworthy Internet. Providing one set of credentials to log on to any website and conduct any type of online transaction will be a game-changer for Internet users."
The announcement of the grant stated that the Criterion Systems-led team will work with leading enterprises in the retail, financial services and healthcare sectors, as well as government agencies, to test the program. Technical preparations for a total of eight pilot projects are currently under way, with the initial ones expected to launch in the first quarter of 2013. The pilots will last for two years.
"The objective of the Criterion Systems pilot is to prove that trust elevation of lower-level assurance credentials is not only possible but achievable on a large scale," said David Coxe, co-founder of Criterion Systems and chief executive officer of ID Dataweb. "With Verizon and our other team members, we have assembled a group of leading companies that have the technology and experience to tackle this critical issue."
Verizon, to say the least, is excited by the user of its service. Delivered via the cloud, Verizon Universal Identity Services is aimed at helping control the costs and reduce the complexity associated with traditional identity authentication. The multi-factored credentials are designed to meet Level 3 authentication requirements created by the National Institute of Standards and Technology, and it should also be noted that Verizon has earned Identity, Credential and Access Management certification.
The only disappointing aspect of this program is that it is going to be piloted for two years. While this may be a case of “good things come to he/she who waits,” too bad they can’t (pardon the expression) validate this sooner. This may not be a capability that service providers will be able to charge for independently as a value-added offering, but I for one in consideration of my vendors of choice would certainly make this a key part of my consideration and purchasing decisions. If nothing else, it is nice to know that along with security, the government as part of its cyber threat activities is also looking at ease-of-use.
In the meantime, it really is best practices to constantly change passwords if nothing else and I feel your pain. Having had my Twitter and LinkedIn accounts compromised to the point where I needed to change passwords recently, and then forgetting where I put them so I could access my accounts from all of my devices, this effort cannot get to market soon enough.
Edited by Brooke Neuman