Pilot Projects Aim to Replace Passwords

Feds Ante Up $7 Million in New Round of NSTIC Funding

The federal government sees big potential in ID.me, an online service that helps merchants securely identify members of the armed forces to offer them discounts. That's why it has awarded the company a $1.2 million grant for a pilot program to evolve its service into a trusted identity solution to let military families securely access sensitive information online from government agencies, financial institutions and healthcare.


ID.me is one of five groups receiving a total of more than $7 million in taxpayer money in a second round of grants under a program designed to bolster development of reliable, easy-to-use online credentials that the government hopes will help build trust in online commerce and boost the economy.

Creating an "identity ecosystem" will fuel the next generation of online businesses, says Jeremy Grant, senior executive adviser for identity management at the National Institute of Standards and Technology, which oversees the National Strategy for Trusted Identities in Cyberspace program, known as NSTIC (pronounced n-stick).

NSTIC is a collaborative effort among business, not-for-profits and the government to create secure and interoperable identity credentials to access online services. NIST last year awarded $9 million to five other pilot programs, and it expects in the coming days to announce two more pilots aimed at state governments.

ID.me, founded as Troop ID by former Army Rangers who served in Iraq, will use its grant to expand its identity solution by incorporating multifactor authentication to access sensitive information online. The company's key partners include federal government agencies and a leading financial institution serving the nation's military community and its families.

"This is a company that already made tremendous strides just by doing a low-level credential as a startup," Grant says. "Now, they're looking to take a grant and really build a solution that's NSTIC aligned that would offer a lot more value to them. There are a lot of service providers online who will, if the pilot goes well, trust those credentials and get people to login to their sites."

Other Grant Recipients

NIST also awarded grants to four other groups.

Exponent received $1.6 million to issue secure, easy-to-use and privacy-enhancing credentials to users to help secure applications and networks at a leading social media company, a healthcare organization and the Defense Department.

Exponent and partners Gemalto and HID Global will deploy two types of identity verification: mobile devices that leverage so-called derived credentials stored in the device's SIM card and secure wearable devices, such as rings and bracelets. Solutions will be built upon standards, ensuring an interoperable system that can be easily adopted by a wide variety of organizations and companies.

Georgia Tech Research Corp. will use its $1.7 million grant to develop and demonstrate a "trustmark framework" that seeks to improve trust, interoperability and privacy. Trustmarks are a badge, image or logo displayed on a website to indicate that the website business has been shown to be trustworthy by the issuing organization.

Defining trustmarks for specific sets of policies would enable website owners, trust framework providers and individual Internet users to more easily understand the technical, business, security and privacy requirements and policies of the websites with which they interact.

NIST says supporting consistent, machine-readable ways to express policy can enhance and simplify the user experience, raise the level of trust in online transactions and improve interoperability between service providers and trust frameworks.

Privacy Vaults Online will apply its $1.6 million grant to the development of a solution that provides families with Children's Online Privacy Protection Act-compliant credentials that would let parents authorize their children to interact with online services in a privacy-enhancing way.

NIST says parents need better tools to ensure their children safely use the Internet; online service providers need to comply with the requirements of COPPA when they deal with minors under the age of 13.

Transglobal Secure Collaboration Participation, also known as TSCP, will use its $1.3 million grant to deploy trusted credentials to conduct secure business-to-business, government-to-business and retail transactions for small and medium-sized businesses and financial services companies, including Fidelity Investments and Chicago Mercantile Exchange. Employees of participating businesses will be able to use their existing credentials during the pilot to securely log in to retirement accounts at brokerages, rather than having to obtain a new credential.

NIST says the key to enabling these cross-sector transactions will be TSCP's development of an open source, technology-neutral trust framework development guidance document that can provide a foundation for cross-sector interoperability of online credentials.

Becoming a 'Shining Star'

Grant says last year's five pilot projects are progressing satisfactorily. "A pilot could have troubles one month and the next month find a way to overcome them and become a shining star," he says (see Creating Trust: The $9 Million Pilots).

The 2012 pilot projects will report to NSTIC next month on their progress and will continue for another year. "We're learning a lot on where things are working out as well as to where they're running into challenges," he says.

One common theme culled from the pilots is the importance of the Identity Ecosystem Steering Group to the NSTIC initiative, Grant says. The steering group is a mostly private-sector-led organization, chaired by Bob Blakely, Citigroup director of security innovation, that will facilitate trusted identities once the government withdraws from the NSTIC initiative in about three years.

The steering group is creating a legal and policy framework to enable identity providers to set up contracts and conduct transactions. "Every one of the pilots [from 2012] have found that they spent more time than anticipated working on how to get these agreements signed," Grant says.


About the Author

Eric Chabrow


Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



