Neal O’Farrell joins the discussion today on the Daily Shield. Today’s topic: the notion of a single, universal identity and login that could be used by users to move around and to shop on the Internet. Is this a good idea? Read Neal’s post!
Seems like the notion of a universal identity is now even closer than ever. A recent article in Business Week highlighted the rapid advances being made in what the White House has called an Identity Ecosystem – an easier, more streamlined way for surfers and shoppers to move around the Internet using a single sign-on instead of multiple identities or logins.
The logic behind the National Strategy for Trusted Identities in Cyberspace (NSTIC) is laudable, but not new. Bill Gates spoke about the idea of a “trust ecosystem” at the 2006 RSA Security Conference, and it might be argued that PKI (Public Key Infrastructure) would have been an ideal solution if it hadn’t largely died a few years ago because of lack of universal enthusiasm and adoption.
The Internet has many inherent dangers that result simply from the way we’ve become used to using it. One prime example is the use of multiple and different logins and passwords, to access email, access bank and credit card accounts, shop online and so on. Apart from the inconvenience of having to create, manage, and regularly update multiple passwords, there are also many security risks associated with multiple passwords.
One of the goals of this new strategy is to reduce a user’s online activity to a single identity. As soon as you sign on to the Internet, or any participating Internet site or service, you should then be able to access everything from your email to your bank account, without having to log in each time.
Seems like a wonderful idea, but one with as many questions as answers. While the universal identity has been touted for years as a way to make the Internet more secure and convenient, there are many who believe the whole idea is simply a marketing initiative being driven by big business as a way to make more money.
The basic premise is simply that the easier we make it for people to surf and shop, the more they’ll do it. It’s just human nature after all, and great for business. But there are other risks. Although the planned program will be voluntary, it will be managed by private businesses that have a less than stellar trust record. With a universal identity in place, these businesses will have access to even more personal surfing and shopping data.
For example, in the Business Week article, John Clippinger of the Law Lab at Harvard’s Berkman Center for Internet and Society in Cambridge, Massachusetts observed that “there’s going to be a huge bump and a huge increase in the amount and kind of data retailers are going to have.”
There are other risks apart from privacy abuses:
• Storing so much personal information in one massive database is a huge risk for consumers – a major breach is only a matter of when.
• If no password or PIN is involved, then any token device creates additional vulnerabilities. If the only identifier is a token or even a cell phone, what happens to your privacy if that device is lost or stolen? One expert described it as finding an internet ignition key.
• If a password or PIN is going to be used in conjunction with some kind of token, and if you’re going to offer consumers the opportunity of a single password for everything, how are we going to get over the problem of weak, predictable, and poorly protected passwords that we’ve never been able to solve?
• There’s an argument that this initiative is not being pushed because it’s a benefit for consumers, but as a way for big business to reduce their help desk costs associated with password resets, or at least reduce the cost of authentication.
• Keys to the kingdom – if a hacker is able to steal or spoof a user’s identity, and that identity is an all-access pass, the damage to the user could be enormous.
I think the challenges of using and protecting multiple online identities must be addressed, and there’s certainly nothing wrong with the White House turning to private industry and ecommerce experts for help. But as consumers we have a right and an obligation to kick the tires a few times before we buy into such a grand idea. And more than that, consumers should be included in the debate before any important decisions are made. If the proposers of the plan want consumers to buy into the need for more security, they need to be sold on it first.
But there is hope. For years, we as consumers have been able to easily identify ourselves to the ATMs of banks we have absolutely no relationships with, and instantly walk away with a wad of cash. A simple example of a safe, secure, and convenient universal identity. Sort of. As always, the devil will be in the details.
Read our recent interview on the topic of universal identity on Dark Reading.