1. What is the role of the Federal Government in developing the Identity Ecosystem?
2. How is the White House involved in NSTIC?
3. Why is private sector participation and leadership critical to successful development of the Identity Ecosystem?
4. What is the overarching goal of the NSTIC pilot projects?
5. What is the NPO’s role in the IDESG?
6. Why now? Why is the National Strategy for Trusted IDs in Cyberspace needed?
Sixty years ago, before the invention of the credit card, people simply accepted the danger inherent in carrying cash with them to make a large payment. Today we accept the dangers of using easy-to-break passwords and providing personal information to dozens of different Web sites as the cost of doing business on the Internet. But we don't have to.
The technologies exist now to make online transactions more secure, more private, and more convenient. NSTIC offers a vision of the future where the private sector, civil societies, and the public sector collaborate to create the standards and policies needed for interoperable trusted credentials that would dramatically reduce ID theft and fraud online. In addition, by acting now and creating a more trusted environment for online transactions, we will ensure that the Internet continues to support innovation and the creation of new jobs.
7. Is NSTIC a plan to introduce a national ID card or an internet driver's license? Do I have to get one?
8. Will the government run the Identity Ecosystem?
9. Why should the government be involved at all?
10. How will implementation of NSTIC enhance privacy and support civil liberties?
For example, service providers would be required to collect and share the minimum amount of information necessary for authentication. In the physical world, when people show a driver's license to prove their age, they also reveal all of the other information on the license. In the Identity Ecosystem, your credential could be used to prove you meet a minimum age to allow a purchase without revealing your birth date or other information.
In addition, an approach grounded in recognized privacy principles will promote the creation and adoption of privacy-enhancing technologies. Such technologies will inhibit the linkage of credential use information among multiple service providers, thereby preventing those providers from developing a complete picture of an individual's activities online. Equally important, the Identity Ecosystem allows you to continue to use the Internet anonymously, which supports civil liberties like free speech and freedom of association.
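One way the minimum-age check and the unlinkability described above could work, as an added illustration that is not part of NSTIC or of this FAQ: an identity provider answers only the age question and gives each service provider a different pseudonym for the same person. All names, keys and user data are constructed, and HMAC with a key shared per service provider stands in for a digital signature.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed sample data; every name and key here is hypothetical.
IDP_PSEUDONYM_KEY = b"idp-only-secret-for-pseudonyms"
RP_KEYS = {"wine-shop.example": b"key-shared-with-wine-shop",
           "forum.example": b"key-shared-with-forum"}
USERS = {"alice": {"birth_date": date(1990, 5, 17), "name": "Alice Example"}}


def pairwise_id(user, rp):
    """Per-provider pseudonym: two providers cannot match a user by identifier."""
    msg = f"{user}|{rp}".encode()
    return hmac.new(IDP_PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()[:16]


def age_on(birth, today):
    """Whole years completed by `today`."""
    return today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))


def issue_age_assertion(user, rp, min_age, today):
    """Identity-provider side: answer only 'is the user at least min_age?'."""
    claims = {"aud": rp, "sub": pairwise_id(user, rp),
              "age_at_least": min_age,
              "result": age_on(USERS[user]["birth_date"], today) >= min_age}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(RP_KEYS[rp], body, hashlib.sha256).hexdigest()
    return body, tag


def verify_age_assertion(rp, min_age, body, tag):
    """Service-provider side: check integrity, audience and the threshold asked for."""
    expected = hmac.new(RP_KEYS[rp], body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    claims = json.loads(body)
    return (claims["aud"] == rp and claims["age_at_least"] == min_age
            and claims["result"] is True)


if __name__ == "__main__":
    body, tag = issue_age_assertion("alice", "wine-shop.example", 21, date(2024, 1, 1))
    print(body.decode(), verify_age_assertion("wine-shop.example", 21, body, tag))
```

The service provider receives a yes/no answer and a pseudonym; the birth date and name never leave the identity provider.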
11. Where can I get a trusted credential? Is the Identity Ecosystem built yet?
12. Won't having a single password and credential be less secure and private than having many usernames and passwords?
NSTIC does not specify exactly how the technology behind credentials should verify identity; that should be left up to the private sector. However, past experience has shown that "multi-factor authentication" is much more secure than passwords alone. For example, a bank could issue you a physical device, such as a key fob (something you have), to be used together with a short PIN (something you know) to access your accounts. This two-factor method would make it much more difficult for thieves to break into your accounts. Your cell phone could also carry a digital certificate (something you have) that requires a password (something you know).
The key is that you can have multiple trusted identity credentials, and even if you lose the physical device, a cyber criminal still can't assume your identity without your PIN or password. Having even a few PIN numbers or passwords - should you choose to use multiple credentials - would be much more convenient than the dozens of passwords most people are forced to remember now. Also, should a credential be lost, you can more easily notify all necessary parties to secure accounts through the credential provider, rather than having to notify each individually. The ID provider would then discontinue that credential and issue you a new one, helping to minimize the likelihood of unauthorized activity.
No solution, of course, is a magic fix for all possible cybersecurity risks, and NSTIC does not claim to have answers to all threats associated with online transactions. It is, however, a major step forward in making the growing number of online transactions more convenient, more secure and more private.
13. Should I get a credential if I don't use the Internet very much?
14. Who will make sure that companies follow the rules?
15. Will new laws be needed to create the Identity Ecosystem?