The development of authentication technologies that could replace the password is "nearing a tipping point," but there are still several years of work to do, says Jeremy Grant, who oversees the National Strategy for Trusted Identities in Cyberspace, or NSTIC.
"People have been trying for years to replace the password, and there haven't been a lot of solutions that have taken hold in the marketplace," says Grant, a senior executive adviser at the National Institute of Standards and Technology who's the government's point man on NSTIC.
"There may be room for passwords in the future, but everything we're trying to do is to catalyze replacements that are more secure and easier to use," Grant says in an interview with Information Security Media Group. He says he's "optimistic that we're near a tipping point right now with new types of technologies that are emerging."
The forces behind NSTIC never envisioned a silver bullet for authentication, but they believe the private sector will come up with various solutions that will strengthen what they characterize as a "trusted cyber-ecosystem" in which people and businesses can securely transact business without relying on the password - or, at least, while minimizing its use.
NIST, which manages NSTIC, has disbursed millions of dollars over the past two years to more than a dozen groups, mostly businesses, to pilot new processes and emerging technologies to find ways to authenticate users without relying on a static password.
The long-term NSTIC mission, as described on its website, is: "Helping individuals and organizations utilize secure, efficient, easy-to-use and interoperable identity credentials to access online services in a manner that promotes confidence, privacy, choice and innovation."
In the first part of a two-part interview, Grant explains:
- The challenges that inhibit the replacement of the password;
- The privacy issues involved in developing new forms of authentication; and
- The long-term goals of NSTIC.
In part two of the interview, to be posted shortly, Grant will describe the results of some of the NSTIC pilot projects and forecast when emerging authentication technologies might take hold.
Grant began his career as a Senate aide, where he helped draft the legislation that laid the groundwork for the Department of Defense and General Services Administration smart card and PKI efforts. Afterward, he worked at the government services firm Maximus as head of its security and identity management practice and at Washington Research Group as an identity and cybersecurity market analyst. Before joining NIST, Grant served as chief development officer for the consultancy ASI Government.