The Standard(s) Challenge with Digital Identity


In late January 2022 NIST published the latest iteration of the Federal Information Processing Standards (FIPS) 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors. It served as a reminder of the core value that standards play in the evolution of technology and industry. This document, along with a number of accompanying special publications and technical standards, paved the way for innovation not only in the federal government but also in how technology was adopted in the private sector.

The success of FIPS 201

The early days of FIPS 201 standards development were hectic, yet inspiring. I remember attending the Inter-Agency Advisory Board (IAB) meetings in 2005 where individuals from the federal government and industry sat together to hash out the details of the specification. Federal working groups and industry organizations toiled in back rooms across Washington, D.C. as the standard was brought to life. Then, one after another, implementations went live in production and PIV cards hit the street. During that time I was serving as the lead solutions architect on the GSA USAccess program, where we were issuing PIV cards across 70 different agencies. There’s no doubt this would’ve been incredibly difficult, if not impossible, without the foundation of the FIPS 201 standards suite. The enduring success of FIPS 201 is a direct result of a concerted effort between government and industry–agreeing to a common set of standards that guide interoperable delivery–with the government playing a lead role.

The success of biometrics standards

Around the same time, the biometrics industry was undertaking a similar standardization effort. After September 11, 2001, there was increased interest in using biometrics for national security purposes. As a result, standards efforts that had largely been focused on forensics and law enforcement evolved to cover expanded use cases and alternative modalities. There was a heightened interest in publishing standards for interoperability, testing, data formats, and other technical domains at the national and international level. Like FIPS 201, the process was grueling yet uplifting. As a member of the ANSI INCITS Technical Committee M1, Biometrics from 2005 to 2009, I was able to witness the hard work that individuals put forth to formulate biometric standards that would ultimately underpin FIPS 201 and enable an industry for long-promised growth.

The struggle of standardizing digital identity

Hovering over this history, and continuing as the proverbial elephant in the room, is digital identity. Since the early days of public use of the Internet, your digital identity has in many ways been central to your experience. Unlike the standards efforts for FIPS 201 and biometrics, defining and standardizing digital identity continues to prove difficult.

Both FIPS 201 and the biometrics efforts benefited from their relatively narrow focus and targeted problem domains. FIPS 201 focused on what it took to prove an identity and issue a smart card. The biometrics industry focused on what it took to create and implement niche hardware and software products for proving who you are to gain access to resources. While these are grossly oversimplified definitions of each, digital identity remains a much wider and comprehensive problem set. 

After the successful implementation and issuance of PIV cards, it was a natural transition for industry to turn its focus toward the use of the cards and, in a larger sense, the secure use of your digital identity. There was a groundswell of support for standardization, and initiatives such as the National Strategy for Trusted Identities in Cyberspace (NSTIC) brought government and industry together to once again bring order to the chaos. Unfortunately, given the complexity of the problem, the sheer number of companies in this space, competing priorities, and the natural evolution of technology, we continue to fight for normalization today.

There have been roughly four stages of digital identity over time. The first stage was centralized, lacked scalability, and was not overly secure. The next stage introduced federation and the ability to use SAML, SSO, and other technologies to have one identity for multiple systems. We then moved into roughly where we are today, with user-centric identity and the ability for users to exert more control over the sharing of their identity information. This includes using large-scale identity providers across multiple systems (e.g., login with Google), OAuth, and OIDC. This still relies on centralized concepts and identity gatekeepers, which leads us toward the fourth stage: self-sovereign and decentralized identity. Here users directly control their identity information. Technical constructs such as Decentralized Identifiers (DIDs), Verifiable Credentials (VCs), and digital wallets become central components of these identity systems.

Over the course of these stages of identity, numerous groups and initiatives have formed or evolved to lend their support, including NIST, W3C, ICAO, ISO, AAMVA, IETF, OpenID Foundation, OASIS, Sovrin Foundation, FIDO Alliance, Trust Over IP Foundation, and the Kantara Initiative, just to name a few. Within each you have multiple working groups, protocols, standards, policies, strategies, artifacts, and a never-ending array of acronyms. All of this is to say that while the identity ecosystem is exceedingly active, it is also quite fragmented, which makes consistent and interoperable solution delivery difficult to achieve.

Where do we go from here?

The good news is that there remains a collective commitment to enabling the agreed-upon benefits of digital identity. This is evident in the fact that the recent FIPS 201-3 specification moves beyond the physical smart card credential and increases the number of acceptable types of credentials that agencies can permit as digital identity.

Many factors are at play in today’s market and are coalescing toward a more refined definition of what digital identity can do and what’s needed for wider acceptance. Technology continues to evolve, barriers to entry remain low, and the pandemic has shifted our collective agreement on the value of remote work and digital interaction.

Like FIPS 201 and the biometrics industry before it, publication and acceptance of standards will certainly play a critical role along the way. Over time, government and industry will shift and rally around these specifications, and new opportunities and solutions will take root. Similar to how Apple helped enable widespread adoption of biometrics after the introduction of Touch ID in 2013, publication of standards such as the recent ISO 18013-5 for mobile driver’s licenses will surely do the same for digital identity.

If we are ever to get to the point of solving, or at least adequately addressing, some of the challenges of digital identity, then standards will be the foundation that makes it possible. And not just one standard, but rather a healthy and vibrant ecosystem of complementary and interoperable standards forged between governments, industry, and individuals: standards which enable and encourage a flexible, secure, and privacy-preserving user experience.
