Should the federal government support projects to test a federated, standards-based “Identity Ecosystem” that could save time and money?
That’s the key question being asked, as two pilot projects funded by the National Institute of Standards and Technology get underway this month.
Last year, the Institute awarded $2.4 million to the states of Michigan and Pennsylvania to pilot two approaches that “test new online technologies to improve access to government services and the delivery of federal assistance programs and to reduce fraud.”
The state pilots are in addition to other NIST grants made to private-sector organizations, part of the overall effort to allow “people to choose from an array of private and public credentials to prove they are who they say they are online.”
“It’s easy to tell you this is a terrible idea and it’s the end of the world,” Gartner security analyst Avivah Litan told VentureBeat. “But it’s nice to see someone finally trying to implement this idea” of a set of standards for identity verification.
She noted that the idea of standards-based ID verification “has been around since the ’90s, but the main reason no one’s done it is because no one stepped up to the plate.”
The pilots are part of an initiative called the National Strategy of Trusted Identities in Cyberspace, which is intended in part to make the delivery of state assistance programs more efficient. Many states employ different identity verification programs for each department.
If it’s going to happen, Litan said, it would need to be driven by the government or the banks – an institution with enough clout to make it happen.
“We’ve seen this happen successfully in other countries,” she said, such as Spain, India, and Finland.
What about the security or privacy issues?
“You could say the government is not an IT company,” she said, “but they could outsource it” the right way so an ID system launch doesn’t repeat the Healthcare.gov launch fiasco.
And multi-factor systems could be implemented that, for instance, generate unique passwords each time, so there are no passwords to be stolen. “It can also be decentralized by state or department,” she said, with each unit signing onto the same standard and limiting the risks from any single hack.
This could, in essence, be a federated system — appropriate for a country that prides itself on individual states subscribing to a federal system.
Michigan’s $1.3 million will fund a pilot project that validates identity automatically for anyone applying for state benefits. Currently, applicants have to appear in person to validate their identity. Pennsylvania’s $1.4 million will develop a pilot for a token-based infrastructure with a one-time registration that could be used across departments.
NIST has said that the projects should use existing technology instead of inventing new systems and has awarded $300,000 to the Research Triangle Institute International to assess the projects.
“At least let them try,” Litan told us.