Managing our identities in a digital world with an ever-growing number of accounts is getting complicated. I have accounts at work, for shopping, for banking, for the clubs I belong to, and for fun. Each site has its own rules about what a username may be, and often the one I want is already taken, so I end up with something harder to remember. No two of my accounts share the same username. Password rules vary from site to site as well: some require lower case, upper case, a number, and a special character; others will not allow special characters at all, or require all digits (PINs). Many people try to simplify their lives with a central store for this information, such as Microsoft's Passport system, or with software on a device, such as the credential manager in Windows XP that saves usernames and passwords for web accounts, or a phone like my iPhone that remembers the usernames and passwords for my email accounts. Each of these solutions has its own problems, and none of them addresses the real problem: identity and access through some common identity. In the physical world, to gain access to a resource a person shows a state-issued driver's license or some other government-issued picture ID, such as a passport or military ID. That could be to get a loan, buy a controlled substance like alcohol, use a credit card to purchase products, enter certain buildings, or be checked out by the local police department. If things are really serious, like getting a job, a passport, or a handgun permit, they ask for my birth certificate and my Social Security card, and depending on the case might also ask for a government-issued picture ID (which, by the way, required only the birth certificate and Social Security card to get issued in the first place). In every case the identity is a single identity: yourself.


Most of the current identity and access problems in the digital world come down to four things: history, virtualization of identity, the current configuration of equipment, and the physical distance between the user and the requested service. Let's look at each one.

First, history. As computers evolved, the need for access control beyond physical access to a room became apparent as terminals became a common access point. Think about the mainframe days, when many operators accessed a mainframe from many locations within a building through something like an IBM 3270 terminal. The terminal was a link to the mainframe; smart cards had not been invented yet, biometric readers would have been very expensive, not very good, and not tied into IT, and even magnetic-stripe cards and readers were not yet mainstream. So how to control access? Create a username and password check that guards the system and require it before access is granted. It was simple and it worked.

Second, virtualization of identity. Nobody physically walks through the network to identify themselves, so the username became the virtual form of a person's identity. This creates a whole new set of problems in knowing who is really on a system: how do I verify that a username is used only by the person it was issued to? This is the cornerstone of the digital identity problem. In the early days it was solved by adding a password that only the user was supposed to know. As we know, that no longer meets the needs of how we use technology today.

Third, the current configuration of equipment. We keep carrying forward the old username-and-password method even though inexpensive smart card readers and biometric readers could be built into systems, and in some cases biometric readers have been added to laptops and keyboards. The issues are:
A. They are not widespread enough for public-facing systems to require them.
B. Some of those readers have been shown to be easily fooled, or to not work for some users, so consumer confidence in the technology is not high enough to push it on everyone.
C. The question of who owns the biometric data, the user or the site providing the service, has not been settled for a global market.
D. Standards in this space are not complete enough for all vendors to implement biometrics in a way that works with other vendors' products, much like networking in the early days before TCP/IP became king.
Given all that, it is much easier to keep using a username and password: whatever the device, if it can connect to the system it can enter data at a username and password prompt. Smart card readers have some of the same issues as biometrics. Not all smart cards are the same or can be read by the same readers, and not everyone uses the same format for the data on the card, so finding the data a system needs is complex at best and in many cases cryptic from one system to the next. Again, standards and standard formats are required before this technology can move into mainstream consumer identity management. Standards exist, but they would need to be adopted to the point that they are what vendors actually produce, so that products are compatible.

Finally, the location of requested services. If I want a Yahoo account, I get it from the comfort of my home; I do not have to travel to Yahoo headquarters in Sunnyvale, CA to prove who I am. If an account is critical enough, one would be obliged to prove who they are in person before getting it. Even that does not solve the problem of a single identity that proves who I am, with possibly many personas for that identity.
As a side note, there will always be a legitimate need for fake identities: spies, undercover police officers, and testers of systems, to name a few.

The goal for the average consumer would be one identity with multiple authentication strengths for access to different resources. The identity would need to be decouplable from the individual if it were compromised (as in identity theft), and it would need to work across networks from many different kinds of devices. I would want my bank to accept my identity from my PC at home, my workstation at work, or my cellphone on the road. I do not believe any current technology is ready to fill this role yet. The simplicity of the username and password makes it easy to implement and very flexible across devices and applications. Many security experts will tell you that a username and password is not secure enough for many systems. Human nature is to make things easy, and that also makes it easy to guess a username or a password: it is not hard to figure out that "fluffy" is the password when pictures of Fluffy are pasted all over the cube. And with the computing power available today, brute-forcing passwords to crack them is not very difficult. Why has the computer industry not solved this problem yet? Is it just too hard? I do not think so. The issues are the consumer, the lack of standards, and additional cost. The consumer is not currently demanding change. The de facto standard is username and password, so that is what gets built into systems and applications. A number of other authentication methods have been tried in pockets of the industry with varying degrees of success. Cellphones, for example, are gaining momentum in some countries as a replacement for the charge card or ATM card. There are proponents of government-issued smart cards for this role. Others favor a purchased and vetted ID card, like Clear was for travel. There was a big push by some for PKI to be the identity and authentication system of the future, and companies like VeriSign built a whole infrastructure around it. There are some marketers pushing USB devices that could fill this role.

There are three key messages here. First, we need to move to a single identity; after all, they all trace back to you. This identity needs to support multiple personas for different environments: I might want to be one persona in Second Life, another on Facebook, a different one on Yahoo, and something different again at work. Second, we need a method of identifying individuals that provides at least a medium level of assurance, and a standard way of identifying users across multiple devices and applications. This method needs to support two-factor and possibly three-factor authentication, with multiple levels of security depending on the system being accessed. I might be upset if someone got into my Facebook account, but I have much more at risk if someone gets into my bank account or my accounts at work, so ease of use might vary with the risk. Finally, it must be easy to use, support the majority of the population, and be cheap to implement.
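The three messages above describe a policy more than a product. As an added illustration, not code from the original post, here is a small Python model of that policy: one identity owning several site-specific personas, an assurance level computed from the distinct factor categories presented, a required level per resource tier, and a reissue step that revokes a compromised identity while its personas survive. The tier names, the factor categories, and the rule that assurance equals the number of distinct categories are assumptions made for this example.

```python
# Added illustration for the "one identity, many personas, several assurance
# levels" proposal. Not code from the original post; the tier names, the
# factor categories and the "count distinct factor categories" rule are
# assumptions made here to make the idea concrete.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable


class Factor(Enum):
    """The three classic factor categories. Two credentials from the same
    category (two passwords, say) still count as one factor."""
    KNOWLEDGE = "something you know"    # password, PIN
    POSSESSION = "something you have"   # smart card, phone, USB token
    INHERENCE = "something you are"     # fingerprint, face


# Assumed resource tiers and the assurance level each one demands.
REQUIRED_LEVEL: Dict[str, int] = {
    "social": 1,   # a social-network persona: one factor is acceptable
    "work": 2,     # corporate account: two distinct factors
    "bank": 3,     # financial account: three distinct factors
}


@dataclass(frozen=True)
class Persona:
    """A site-specific handle bound to one underlying identity."""
    site: str
    handle: str
    tier: str        # key into REQUIRED_LEVEL


@dataclass
class Identity:
    """One real-world identity that owns several personas."""
    identity_id: str
    personas: Dict[str, Persona] = field(default_factory=dict)  # site -> persona
    revoked: bool = False

    def add_persona(self, persona: Persona) -> None:
        self.personas[persona.site] = persona

    def reissue(self, new_identity_id: str) -> "Identity":
        """Decouple a compromised identity from its owner: the old identity is
        revoked everywhere, the personas move unchanged to a new identity."""
        self.revoked = True
        return Identity(new_identity_id, dict(self.personas))


def assurance_level(presented: Iterable[Factor]) -> int:
    """Achieved assurance = number of *distinct* factor categories presented."""
    return len(set(presented))


def authorize(identity: Identity, site: str, presented: Iterable[Factor]) -> str:
    """Return 'allow', 'step-up' (more factors needed) or 'deny'."""
    if identity.revoked:
        return "deny"                       # compromised identity: nothing works
    persona = identity.personas.get(site)
    if persona is None:
        return "deny"                       # no persona registered for this site
    needed = REQUIRED_LEVEL[persona.tier]
    achieved = assurance_level(presented)
    return "allow" if achieved >= needed else "step-up"


if __name__ == "__main__":
    # Constructed sample identity with two personas of different risk tiers.
    me = Identity("id-0001")
    me.add_persona(Persona("facebook", "fluffy_fan", "social"))
    me.add_persona(Persona("mybank", "jdoe", "bank"))
    strong = [Factor.KNOWLEDGE, Factor.POSSESSION, Factor.INHERENCE]
    print(authorize(me, "facebook", [Factor.KNOWLEDGE]))                    # allow
    print(authorize(me, "mybank", [Factor.KNOWLEDGE, Factor.KNOWLEDGE]))    # step-up
    print(authorize(me, "mybank", strong))                                  # allow
    replacement = me.reissue("id-0002")
    print(authorize(me, "mybank", strong))                                  # deny
    print(authorize(replacement, "mybank", strong))                         # allow
```

Two passwords still yield level 1: the check counts categories, not credentials, which is the whole point of a two- or three-factor requirement. The reissue path is what "decoupled from an individual" would look like in practice: the old identity is denied everywhere at once, while the site-level personas carry over unchanged to the replacement.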

I believe it is critical for the computer industry and government to work together on this issue. We are putting more and more critical data on the Internet and creating methods of information sharing that are unprecedented in recorded history. Laws are struggling to keep up with this globally changing environment of information and access. Bad things will happen to good people if we do not solve this problem.
