Virtually everyone has been stuck at one time or another trying to remember an online password and thought, “There has to be a better way.” A recent article in our newsletter talks about the problem and suggests tricks to make it a little easier to deal with. But although a lot of smart people have tried to figure out a safe, reliable, and more convenient system, nobody has come up with one yet.
Now, however, the US Government has decided to gently encourage efforts. In the spring of last year, the Obama Administration announced the National Strategy for Trusted Identities in Cyberspace, NSTIC. Like the National Broadband Plan, it’s not legislation or even regulation. Instead, NSTIC is a hopeful collection of idealistic principles and goals to promote development rather than a concrete plan with real funding and hard, measurable results. Nevertheless, many agencies and corporations are very interested.
It’s easy to see why. Identity theft has become a major problem, costing millions each year, and passwords remain the weakest link in cybersecurity. Commerce might also be helped if you could buy books on Amazon with your Google account or download tax forms from iTunes. And public safety would benefit if your child could be automatically denied entrance to adult websites, or doctors could check in online to help provide medical services after a disaster.
The dream is to build a safe method of sharing relevant sensitive information about users with online entities while preserving privacy by limiting access to whatever those entities don’t need: one system that works equally well for medical records, banking, commerce, and email. Since it would also have to be flexible enough to allow both complete verification of identity and total anonymity, the problem is anything but trivial.
The Web is slowly coming together on its own to allow logins to the same service from various portals, but so far this has largely been done by small applications piggybacking on larger websites. The major powers on the Web, like Facebook, Google, Amazon, Apple and so forth, have shown that they are little interested in playing nicely together.
Instead, the companies seek anything that gives them a competitive advantage over the others. In their ambition to build vast cyberspace emporiums to provide everything their customers may desire, they boast of how many users set up profiles with them. It’s still very much a numbers game and diversification is the rule. And so Amazon hopes that every new sign-up takes a customer away from a competitor. Why should they do anything to make it easier for a user to buy products elsewhere?
Since the big players’ inclination is to build walls rather than avenues, they are not eager to sign onto standards that make it easier for everybody to use other sites, even if it hurts them in the long run, too. It’s an old problem. However, the Administration’s hope is to encourage them to work together rather than to enforce solutions – since apparently, they have none yet.
There is already an organization working towards a universal login system, called the OpenID Foundation. Already used by Google, Yahoo, Facebook, WordPress, and other big players like PayPal, it requires users to sign up for a portable, unified identity. They can then use a single account to sign onto thousands of websites. But even though a user can have multiple identities, the fundamental problem still applies: OpenID is basically no more secure than the system being used today, just more convenient.
While the Commerce Department is in charge of the new initiative, the government insists they are not intending to create an “online driver’s license.” The system will not be run by a monolithic government-controlled database, but scattered among private companies. The hope is that by distributing the data, the prospect of misuse by authorities or hacking would be lessened.
Users would choose one company to handle their identity verification credentials – perhaps even Internet providers like SWCP. The system is intended only to gather and give out as little information as necessary. It would not be necessary for general Web-surfing, but only for those activities that require ID verification, like purchasing products online.
NSTIC would create and authorize the “Identity Ecosystem,” a “user-centric online environment… that securely supports transactions ranging from anonymous to fully authenticated and from low to high value.” But beyond high-sounding principles such as data minimization, process transparency, individual participation and involvement, security, and accountability, it gets vague fast.
Though the proposal glowingly speaks of eliminating passwords, it seems that at least one password and a test question, or perhaps even a physical credential like a plug-in dongle or flash drive, would be required. The site is quite enthusiastic about the benefits, but very vague about how security and anonymity can both be maintained at the same time.
This month bidding begins on NSTIC pilot programs to start testing the technology this summer. But there is still no consensus on how this would actually work. And once a system that functions safely, securely, and easily is designed and tested, all websites and users will somehow have to be persuaded to sign up. That could take a while.
Since the first working websites offering NSTIC logins are optimistically thought to be at least two years away, our advice is: don’t forget all those passwords yet.