NIST seeking to move beyond passwords
By Marjorie Censer
The National Institute of Standards and Technology is preparing to fund up to $10 million in projects geared toward coming up with a better way to manage identities online than the traditional user name and password system.
Companies, universities, nonprofits and state and local government bodies, among others, are being invited to submit applications for a pilot program that will fund potential solutions.
“Study after study shows [that] our reliance on passwords continues to be one of the most commonly used vectors of attack from cyber criminals or fraudsters,” said Jeremy Grant, NIST’s senior executive adviser for identity management.
While there are other technologies used, such as smartcards or tokens that generate passwords, Grant said they typically haven’t caught on.
Proposals may suggest implementing new technology but will likely also have to consider different standards and policies, according to Grant.
“We’re not really hindered today by the lack of technology,” he said. “What we have not really seen [are] ... policies and operating rules that would govern how the technology would be used.”
For instance, if a credential provider wanted to ensure a user could make the credential work at multiple businesses or government bodies, there are no rules that govern how that would work, Grant said.
According to the federal funding opportunity notice released by NIST, the agency is seeking “identity solutions” that improve privacy, are voluntary and interoperable and are cost-effective and easy to use. The idea is to test ideas or frameworks that are not available today.
NIST plans to fund five to eight awards, each of which is expected to range from $1.25 million to $2 million a year for periods as long as two years, according to the notice. Grant said actual proposals and funding could fall outside that range.
NIST is expecting companies and organizations to partner on the pilots.
Applicants will be expected to submit short proposals by March 7. The government will select finalists who will then be asked to submit full proposals, and Grant said NIST plans to select the winners this summer.
Andy Purdy, chief cyber strategist at Falls Church-based Computer Sciences Corp., said NIST’s identity management efforts, of which the pilot program is a part, are one of the key elements of the government’s cybersecurity vision.
He said CSC is taking a role in the effort to improve identity management online and will look at the pilot effort.