The National Institute of Standards and Technology (NIST) is seeking public comments on a new project that aims to protect privacy and security when reusing credentials at multiple internet service providers, the agency said Thursday.
The project will examine how commercially available privacy-enhancing technologies can be integrated into identity broker solutions, NIST said in a statement.
The context of reusing credentials is that an increasing number of organizations allow online customers to use third-party credentials to create and manage accounts and services. One example is using a social media account to access one’s fitness tracker account–the social media company is essentially “vouching” for the user of the fitness tracker company.
“Allowing third-party credentials saves businesses time and resources in managing identities. For users, the benefit comes from not having yet another username and password to manage and remember,” NIST said.
As third-party credential use becomes more common, more organizations are trying to manage and integrate each third-party relationship. A new service, brokered identity management, is now emerging for use in this system, the agency said.
Organizations can engage with identity brokers to manage multiple third-party credentialing options on their behalf. The benefits are significant but these connections can also create opportunities for increased tracking of users, NIST said.
The NIST project, a partnership between the national Cybersecurity Center of Excellence (NCCoE) and the National Strategy for Trusted Identities in Cyberspace National Program Office, is set to examine how commercially available privacy-enhancing technologies can be integrated into these identity broker systems.
“The NCCoE is seeking comments on a draft document that describes a potential “building block”—one of a series of solutions that address cybersecurity concerns for multiple industry sectors,” the statement said.
The document is Privacy-Enhanced Identity Brokers and describes the technical challenges of adding privacy-enhancing technology to existing services.
NIST highlighted that feedback from businesses and the public will inform the project and development of the eventual solution. The final product is expected to be an 1800-series NIST Cybersecurity Practice Guide that would demonstrate the example solution and provide all necessary information to replicate the reference design.
Comments can be submitted via a web form or to [email protected] by Dec. 18, NIST said.