News

U.S. Offers $10M for 'Trusted Identities' R&D

• By William Jackson
• 02/03/2012

A U.S. program that aims to assure greater identity trust in online transactions has received some research and development funding.

The funding, up to $10 million, will be offered through the National Institute of Standards and Technology (NIST), with grant awards expected in September. The NIST will fund research projects addressing the challenges of implementing a trusted online identity ecosystem.

he Obama administration released its National Strategy for Trusted Identities in Cyberspace last year, a conceptual framework for a system of voluntary, interoperable credentials that could be widely accepted for online transactions. The goals of this identity ecosystem are to enable more economic activity on the Internet while ensuring consumer privacy and security.

Although technology and techniques exist for verifying identify online, challenges of scalability, ease of use and reliability hinder the widespread adoption of any but the simplest and least secure solutions, such as the commonly used user name and password. This has resulted in a lack of confidence in online transactions, the need for individuals to maintain multiple sets of login credentials, and growing threats to privacy through data breaches as well as leaking and reuse of data.

NSTIC describes an environment with multiple commercial solutions that will be privacy-enhancing and voluntary, secure and resilient, interoperable, cost-effective and easy to use.

"The strategy will only be a success – and the ideal of the Identity Ecosystem will only be achieved – if identity solutions fulfill all of these guiding principles," the notice of funding says. "Achieving them separately will not only lead to an inadequate solution but could serve as a hindrance to the broader evolution of cyberspace."

NIST expects to fund five to eight projects for up to two years at $1.25 million to $2 million each for the first year. Preliminary abbreviated proposals are due by March 7, and finalists will be selected by March 22. Full proposals from finalists are due by April 23, and winners are expected to be selected in July. The earliest start date for awards is expected to be Sept. 1.

A proposers' conference will be held Feb. 15 at the Commerce Department in Washington and pre-registration is required. The conference also will be available in webcast format. Web participants may live tweet using #NSTIC as the event hashtag to ask questions during the event.

NIST has established a National Program Office to lead the implementation of NSTIC, but it is the private sector that will be responsible for developing and fielding the technologies for the ID ecosystem, with the government playing only a supporting role.

NSTIC's roots go back to the president's Cyberspace Policy Review, which recommended the creation of an identity ecosystem that would allow the use of strong, interoperable credentials. The resulting strategy does not envision a single credential or technology, but rather a selection of consensus standards for ID management and authentication with companies developing competing products. The products could incorporate a variety of formats, from software and digital certificates for PCs or handheld devices, to smart cards and tokens. These could be used for transactions requiring a variety of assurance levels, from anonymity to strong assurance of identity.

Ideally, a single form of ID credential would be accepted by multiple organizations, and each organization could accept a range of credentials. Consumers would be free to use the credentials or not, and to mix and match them as needed.

But, "the identity solutions marketplace has struggled, in part, due to a number of barriers that market forces alone have been unable to overcome," the notice of funding says. The barriers include:

• A lack of commonly accepted technical standards to ensure interoperability among different authentication solutions.
• A lack of clarity on liability and other complex economic issues, such as who is liable if something goes wrong and what the cost structure would be for services and products.
• A lack of standards for privacy protections and re-use of data.
• Strong authentication technologies that are not user-friendly.

The pilot grant program envisions funding projects that demonstrate the use of technologies and products across multiple user groups in both the public and private sectors, while being easy for consumers to use and for businesses to support.