The Commerce Department has been handing out grants to fund a way for Americans to use a single password anytime they shop, bank, pay bills or engage in any other online activity that requires logging in and verifying identity.
In effect, President Obama’s administration is trying to bring an end to Americans having different passwords for each online account. Almost $3 million in grants were given out for the project this week through the department’s National Institute of Standards and Technology, as part of its National Strategy for Trusted Identities in Cyberspace project.
“The grants announced will help spur development of new initiatives that aim to protect people and business from online identity theft and fraud,” Commerce Secretary Bruce Andrews said.
There are more than 300,000 cases of identity theft annually, according to the Federal Trade Commission. Home Depot reported Thursday that hackers gained access to 56 million credit and debit cards in a breach of its systems. Last year, 40 million cards were compromised in a breach of Target’s system.
The new initiatives would help create a “federated identity” system in which a single online provider would “vouch” for the user at other websites. The online user would choose the provider that vouched for them.
NIST spokeswoman Jennifer Huergo said the grants would help create a “marketplace of options so that you as a consumer could choose different identity providers that you trust.”
She added that “federated identity” was a technical term that the computer experts coined.
“It sounds like ‘federal’ but it’s not that at all. It’s a term of art, I guess, for authentication. It comes from the IT people,” she said.
Ryan Radia, associate director of technology studies at the free-market think tank Competitive Enterprise Institute, said the project’s stated goal of a more secure Internet was laudable, but still better served by the private sector alone. The odds that any identity system starting out as voluntary eventually becomes mandatory is much greater if the government is involved, he said. He also dismissed NIST’s claim that the technology could not be created without the grants.
“A Visa or Mastercard issued by a community bank in any small town can be used in any country around the world. That wasn’t the result of any government initiative,” Radia said, adding that government involvement might even retard the growth of privacy technology.
The government has given out about $19 million in grants through the NSTIC project since its creation in 2011.
Atlanta-based mobile trade association GSMA won an $822,000 grant to create a system that will be usable on different mobile networks. It is partnering with “America’s four major mobile network operators,” NIST said. Although neither NIST nor GSMA would disclose who the operators are, the four with the most subscribers in the U.S. are T-Mobile, AT&T, Verizon and Sprint, according to Bloomberg.
The $1.2 million grant to Confyrm of San Francisco would be to work on the federated system and find a way to track identity thieves.
MorphoTrust USA’s grant is to demonstrate “how existing state-issued credentials such as driver’s licenses can be extended into the online world to enable new types of online citizen services.” That would include things like applying for federal benefits.
“Since the government has a pretty good idea of who you are, they could be an identity provider,” Huergo said.
While the system would eliminate the need for multiple passwords at different websites — many users employ the same password over and over again, making potential theft easier — it also would create a potential “all your eggs in one basket” scenario. Should the one provider that vouches for a user be breached, most of that person’s information would be at risk.
“That is a concern that has been raised,” Huergo said, but argued that consolidating the information was still a better idea than the current setup. “Right now we have our eggs all over the place … this would give people the opportunity to reduce the number of baskets that contain their private information.”
