More than five years ago, the Better Identity Coalition released a Policy Blueprint outlining five key initiatives that, taken together, if implemented and funded, would solve the majority of America’s challenges in the digital identity space.

Today, as we kick off the Identity, Authentication, and the Road Ahead Policy Forum, I am looking back on progress made and where improvements can still be made with the release of Better Identity at Five Years: An Updated Blueprint for Policymakers. As the new report details, America has made mixed progress on the Blueprint – in some cases embracing the recommendations and in doing so, making noteworthy progress. In other cases, we are stalled – and with it, rudderless in efforts to counter organized criminals and hostile nation-states looking to exploit compromised identities to steal money and data.

Since the 2018 Blueprint was published, however, much has changed: 

  • America lived through a global pandemic that made many in-person transactions impossible for more than a year – and adversaries swept in to exploit the chaos of our shift to all-digital transactions by using compromised digital identities to steal hundreds of billions of dollars from government and the private sector. 
  • We have also seen the rise of new, more sophisticated attacks on identity powered by generative AI that, if unaddressed, threaten to push losses from identity-related cybercrime to new levels and undermine confidence in our increasingly digital economy.
  • Every peer country in the world has either created robust digital identity infrastructure or has launched a national initiative to do so; the U.S. stands alone among its peers in lacking a comprehensive initiative.

This report grades progress on each of the original Blueprint’s five key initiatives – as well as the 19 items that were contained in the “action plan” to support those initiatives. Here is a summary of how well government has done:

The new Blueprint incorporates a revised 21-point action plan for policymakers to improve digital identity in America. Highlights include:

  • Establish a White House-led task force charged with bringing Federal, state, and local agencies together to develop a coordinated plan to close the gap between physical and digital credentials in a way that promotes security, privacy, equity, and interoperability. Note that the White House can do this on its own today; if it does not, Congress can direct it to act by passing the Improving Digital Identity Act.
  • Direct NIST and DHS to jointly accelerate the development of standards and guidance to states to enable them to launch remote identity proofing applications for mDLs and other digital credentials. As part of this, direct both agencies to prioritize digital use cases over in-person use cases in their work on mDLs.
  • Create a new five-year, $200 million per year grant program to support states in their migration to being digital identity providers. Dollars would be tied to adherence to forthcoming NIST guidance for Federal, state, and local agencies for creating new identity and attribute validation services and would be used to support the modernization of legacy identity infrastructure to support digital solutions. Ten percent of grant dollars should be used to support “identity inclusion” efforts in states, ensuring that as we advance digital identity efforts, we do not leave behind those who cannot easily get foundational physical IDs today.
  • Open up SSA’s Electronic Consent-Based SSN Verification (eCBSV) system to other use cases and establish more consent-based attribute validation services at other agencies that hold authoritative identity information on Americans, such as the IRS, State Department, and U.S. Postal Service.
  • Create a new NIST publication in the next 12 months detailing which biometric algorithms have been proven through NIST testing to meet a high threshold for both accuracy and equity; direct agencies to use only those algorithms in identity solutions.
  • Within the Federal government, enforce M-22-09, which requires that all agencies use only phishing-resistant authentication in enterprise applications, and that all public-facing applications offer people the choice of using phishing-resistant authentication.
  • CISA should build off its excellent education campaign around MFA to also educate consumers on best practices for remote identity proofing and identity protection and provide support to private sector organizations that help with this education.

It’s time to act. Identity-related breaches will keep getting worse and legacy solutions will continue to fail – which will create more barriers to the availability of services online and erode trust in digital commerce.

Now is the time to take a proactive approach and get ahead of the identity conundrum – a step that will position the U.S. to address security challenges and enable the digital economy to thrive.

This revised Blueprint for Policymakers lays out a clear set of initiatives that are both significant in impact and achievable – should government choose to act on them – in the next 2-3 years.

Jeremy Grant
