Views on Digital Identity Management Practices, Measurement Science From Michael Garcia, National Institute for Standards and Technology

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

As data breaches and identity thefts become more common, consumers need to adopt stronger digital identity management practices.

Bloomberg BNA Privacy & Data Security News Senior Legal Editor Jimmy H. Koo posed a series of questions to Acting Director of National Strategy for Trusted Identities in Cyberspace at the National Institute for Standards and Technology Michael Garcia on identity management practices and the takeaways from a recent workshop at NIST on “Applying Measurement Science in the Identity Ecosystem.”

Bloomberg BNA:

Part of President Barack Obama’s Cybersecurity National Action Plan involves a campaign to urge people to move beyond just passwords and add an extra layer of security on their online accounts. What is the role of the National Strategy for Trusted Identities in Cyberspace (NSTIC) in this campaign?

Michael Garcia:

Technology changes very quickly. When we opened the NSTIC National Program Office five years ago, multi-factor authentication (MFA) had very low adoption in both enterprise and with individuals. More importantly, there simply wasn’t a sufficient array of choices in the market for individuals to protect themselves. We sought to change the supply side of the chicken and egg problem.

Since launching in 2012, NIST has funded 18 pilot programs—which have impacted over 3.8 million individuals and resulted in the development of 10 MFA solutions. We’ve seen a real increase in choices for individuals to protect themselves from fingerprint readers to facial recognition to one-time Short Message Service (SMS) messages and everything in between. Most are free or low-cost, and they are increasingly included in other products consumers want, such as smartphones.

We believe we’re at the point where consumers have true choices and it’s fair to start asking them to use them; we have a sufficient supply to start driving demand. As part of the CNAP, we’re looking to take the next step up the adoption curve by creating additional consumer awareness and educating individuals not only on the problems of the Internet, but on how to make it work better for them. In scaling up our ongoing collaboration with the National Cyber Security Alliance (NCSA) and Department of Homeland Security for the Stop. Think. Connect. campaign, we hope to build adoption for the use of more secure, privacy-enhancing technologies that are easy to use.

Bloomberg BNA:

Would you explain the three disciplines of digital identity management—strength of identity proofing; strength of authentication; and attribute metadata and confidence scoring?

Garcia:

These are the three topics we covered in our recent workshop on advancing measurement science in digital identity. They certainly aren’t the only disciplines in identity management, but we feel all are ripe for progress. Identity proofing is knowing who an individual really is, authentication is knowing that the same person is conducting the transaction every time, and attribute metadata is information that rides along with a transaction that can help providers who make decisions and treat those data properly.

We think of identity proofing and authentication separately for a couple reasons. First, identity proofing—if done well—tends to be expensive relative to most other parts of an online interaction. And doing a good job of it tends to be more burdensome on the user. So you only want to do it if it’s really necessary.

The second reason involves lowering the risk of identity theft and other privacy concerns. A digital newspaper might need to know I’m the same entity coming back so it can save my preferences and favorite articles, but, in general, it has no need to know the actual carbon life form on the other end of the digital connection. If I’m working with my doctor or bank, on the other hand, I would want strong identity proofing behind it so no one else can access my health record or my finances.

With many types of online transactions having many types of risks, it’s important to have a range of solutions for both authentication and identity proofing.

Identity proofing is knowing who an individual really is, authentication is knowing that the same person is conducting the transaction every time, and attribute metadata is information that rides along with a transaction that can help providers who make decisions and treat those data properly.

The attribute metadata concept is a little less intuitive than the others. Metadata gives additional information about a piece of information. As an example, think of your data of birth being sent as an attribute in a transaction. The metadata sent along with it could be a policy condition that restricts re-sharing this info with any third party. Metadata could exist for anything, so the focus is to create a standard set of the most common metadata so that all parties to a transaction have a common understanding of what metadata might mean. This could be as simple as knowing that a setting of “No” to restrict sharing means “No Sharing” rather than “No Restriction” to something very complex such as whether the way an attribute was collected meets industry-specific rules or quality standards.

Bloomberg BNA:

In non-technical terms, what is involved in “the application of metrics and measurement science to identity management practices” that is cited as a methodology in the summary of the January 2016 workshop at NIST?

Garcia:

When we talk about measurement science in digital identity management, we ultimately mean helping individuals and organizations understand how the solutions they might use online actually perform. There are many ways to conduct authentication and to identity proof. But in many cases, we don’t have good ways to compare one approach to another. At its heart, we’re trying to enable a better ability to know whether a particular solution sufficiently mitigates risk to be used in a particular transaction.

When it’s difficult to assess the quality of a product, organizations have less incentive to compete on quality and instead compete on price. Even when there are really good products available, there’s so much pressure to offer lower prices that we sometimes end up with a race to the bottom.

We’ve seen this in other markets over time, and typically the best way to out of this problem is to make it easier to communicate information about the quality of a product. We see a number of promising products out in the space, and we’re ultimately trying to foster a healthy, sustained market for digital identity solutions. So we’re working with other agencies and industry to make it easier to communicate how well a product does its job—such as how well a particular identity proofing approach performs with a particular population—so others can make better choices about the products they have protecting their digital resources.

Bloomberg BNA:

What are some examples of “undue burden,” as described by some of the participants at the workshop, that mandatory metrics and measurements can place on vendors?

Garcia:

A framework is only valuable if it’s adopted, and it will only be adopted if it’s both useful and usable. In our efforts with industry we’re staying mindful of the balance between a good framework and the cost of aligning with that framework. An overly-slow and expensive approach risks stifling innovation, while an oversimplified approach won’t provide sufficient value to the marketplace.

We aren’t a regulatory agency and we won’t be mandating anything for industry, but we hope that any frameworks we create will be widely adopted. NIST needs continual feedback from all stakeholders to achieve that balance and make sure whatever work we do benefits the market.

Bloomberg BNA:

Some of the participants at the workshop called for standardization across identity practices while others called for flexibility to support the needs of different sectors. Are these goals simultaneously attainable?

Garcia:

Yes, we can serve both the whole ecosystem and its smaller communities. We see this dichotomy across different markets and with many technologies. There needs to be a balance where vendors can innovate and drive the market forward while retaining a common enough base to support interoperability in the broader ecosystem.

If you look generally at identity practices across industries, there is a lot of overlap in approach, but the same sentiments or requirements are often articulated differently across communities. Part of the challenge is to find those commonalities and express them in similar language, while maintaining enough flexibility for communities to focus on what makes them truly unique.