a NIST blog
1.2 billion. It’s a number that inspires people to conjure up their best Dr. Evil impression, although it’s no laughing matter. 1.2 billion compromised passwords is a remarkably stunning and shocking number. It’s also one that has inspired a wave of articles asking “what can we do about this?”

Telling people to reset all their passwords isn’t a real answer – we just got through telling them to do the same thing in April after the Heartbleed bug was discovered, and most Americans don’t have the stomach or the time to keep doing this every few months. In the short term, there aren’t any silver bullets: nobody likes the security or usability of passwords, but we’ve had them for a long time because the market has struggled to develop compelling alternatives. These struggles were a major driver behind the issuance of the National Strategy for Trusted Identities in Cyberspace (NSTIC). Some good technologies exist, but the higher costs and burdens associated with these technologies mean they are not feasible unless we can use them across multiple sites.

As identity virtuoso Tim Bray noted in an article in Time this past week: “The problem, and it’s a big one, is that you can’t really carry a different doohickey around for each of your passwords. The solution to that is obvious: just have one that works for lots of different apps. That will require some cooperation and infrastructure. There are smart people working on this idea, but we’re not there yet.”

A great thing about my job at NIST is: I get to lead a team of some of the smart people working on this. An even better thing about the job: we’ve been joined by more than 200 companies and organizations in the Identity Ecosystem Steering Group (IDESG) – a private organization established to help support the implementation of NSTIC by tackling the creation of an Identity Ecosystem Framework – essentially the “cooperation and infrastructure” that Bray talks about.
IDESG has done awesome work over these last two years, and is making progress each week on version 1.0 of this Identity Ecosystem Framework, with a release target set for early next year. The Framework will provide a set of standards and operating rules that organizations can use to reduce their vulnerability to hackers – enabling their customers to use a set of more secure, privacy-enhancing, easy-to-use, interoperable solutions in lieu of passwords.

While we need more work done in the IDESG, we also need more of you. Many hands make light work and many minds make great work. The more participants we can attract to the effort, the faster we can make progress.

IDESG is set to meet later next month in Tampa, September 17-19, alongside the Global Identity Summit. Registration is free. We look forward to you joining us there. While face-to-face working sessions are more productive, if you simply can’t get to Tampa that week, we always offer options for online participation. Check out www.idecosystem.org for more info.