Call it a driver’s license for the Internet superhighway: Recent announcements from the US Department of Commerce indicate the agency is putting its final touches on a single sign-on method that -- poof! -- will free us from the clutter of trying to keep track of dozens of Website passwords (or worse, using the same simple password everywhere).
Called the National Strategy for Trusted Identities in Cyberspace (or NSTIC in Beltway alphabet soup), this Commerce Dept. initiative envisions users logging in with a digital token, a smartcard, or perhaps a fingerprint reader instead of a password. A final draft is due out imminently.
The NSTIC would do away with the dozens of passwords we use at the many sites we visit in a day.
On the plus side, such a system would call a halt to the time wasted on lost password retrieval -- the single biggest helpdesk cost, as a Homeland Security counselor told Bloomberg News. The other “plus” is that it almost certainly would reduce the billions of dollars lost to password hackers.
Sounds wonderful. And there is every reason to applaud this single sign-on technique -- except for two things: It won’t work; and if it did, you would have to trust big government to stay benign as it tracks your every online step. As for the latter, ask the citizens of Egypt, Tunisia, China, Iran, and other countries that closely monitor their citizens’ Internet usage (or block it in whole or part).
“The Commerce Department proposal would facilitate government tracking of the populace -- that’s why this system is dangerous,” says Paul Kocher, president and chief scientist at security research firm Cryptography Research. “If it were successful, it would be frightening.”
But, Kocher says, look at the bright side: “The reality is that this will probably go nowhere.”
“It will be tough for Commerce’s initiative to get off the ground,” agrees Eric Olden, CEO of Symplified Inc., a vendor of corporate password solutions.
Think for an instant about the monumental technological challenges involved in creating a single sign-on that can work across a multitude of devices -- everything from cheap feature phones through tablets and desktop computers, accessing the Internet via 3G networks, WiFi, broadband, even dialup. This isn’t a problem that could ever be solved with a quick governmental wave, especially since the Internet is a global, multinational phenomenon. What the US Commerce Department decrees may, and probably will, carry scant weight in New Delhi, Beijing, Moscow, or any other nation that almost surely wants to deal its own cards.
Further, “No initiative will change human nature,” says Olden.
It’s a chicken-and-egg problem, according to Kocher. “No Website will support this until it has lots of users, and users won’t use it until lots of Websites have it.”
But don’t think this writes RIP to single sign-on. Quite the contrary. We are edging toward a universal sign-on regardless. And Commerce has nothing whatsoever to do with it.
Olden suggests building a single sign-on from a handful of IDs that are in wide use. Think Facebook, Gmail, perhaps Yahoo. Facebook alone is emerging as a kind of de facto single sign-on with 500 million users, suggests Olden.
So scratch Commerce’s NSTIC, and find ways to lace together the passwords we already use. “What works,” says Olden, “is not reinventing the wheel when you don’t have to. We already have a lot of what’s needed to solve the problem. We just need to find ways to tie them together.”
Olden’s idea is to knit a handful of widely used IDs into a coherent fabric that, at a glance, uniquely identifies individuals. Call it a social Web identity 2.0. The pieces are in place, they just need assembly; and, suggests Olden, people like him already are hot on this trail.
He adds: “How many people will go get a Commerce Department ID? What’s the compelling reason? Use more of what you already use.”
The solution just may be that simple.
— Robert McGarvey is a widely published author and expert on social media.
Totally agree. We all need to get smarter about how this is really going to work. If you want to meet folks who want more user-control for you over your information, you should attend this event next Monday in San Francisco. http://idcolab.eventbrite.com/
Check it out. A lot of smart people are actually convincing the government to DECENTRALIZE identity.
I know it seems oxymoronic that the government would help us have more freedom, but the National Strategy for Trusted Identities in Cyberspace is about a DECENTRALIZED system.
Sure, plenty of powerful lobbyists coerce the government into doing fascist things. But this is not one of them. Check it out.
"Honestly, when has the government been involved with a large scale project that was actually successful?" The Interstate Highway System comes to mind to pick one....
This effort is similar in structure. We need an infrastructure to solve this problem. This is NOT about a centralized system. Think how much FREEDOM the Interstate gives you! Before we had roads, we could only find girlfriends that were a day's horse ride away. Welcome to the 21st century. It's way cool.
NSTIC is not about SSO, or centralized identity management, unless YOU choose that for yourself. It is about standards so I don't need passwords, and about allowing companies I choose to back my claims so the merchant/website knows I am real, not a 'bot, etc. This is actually about giving each of us MORE freedom to choose and represent ourselves in a more abstract way. How does WinesOnline know JoeSixPack123 is good for the money? Because Joe's bank just sent an authorized encrypted token to the merchant. Joe said ship it FedEx to this number (FedEx knows Joe's address). And Equifax told WinesOnline that JoeSixPack123 is over 21 -- you don't need to know Joe's real age, just that s/he's legal and verified in the claims Joe just made.
It is clear that many readers of this thread have little knowledge of NSTIC or what is really being proposed. The reality (as painfully experienced by registering to leave this comment) is that too much personal information is now required by each data silo, it is guarded by a password which is awkward, inefficient, and lousy protection, and the complexity and diversity required to wield trusted verified claims is hindering commerce today.
What NSTIC addresses is not 'government issued internet driver's licenses' but government-endorsement of a verifiable ecosystem of certified identity providers to back each person's ability to wield trusted claims appropriate for the internet digital transaction at hand.
This is a hard problem, but it has been solved multiple times in a variety of ways, unfortunately from the point of view of guarding each data silo, not from the point of view of the consumer/user. We each need choice of how we want to present ourselves, and who we want to vouch for us. We need agreement on authentication protocols to allow verifiable claims. From the merchant's view, they don't need your credentials, they just want to make sure they are able to do commerce profitably. A good way to think about this is we do need government endorsement of traffic lights, which side of the road to drive on, etc. No metaphor is perfect, but getting the rules of the road established to enable commerce is exactly what the Dept of Commerce should be doing, and is with NSTIC. A single driver's license or centralized repository is NOT what this is about. That method has been tried and has failed multiple times. A better analogy is a digital wallet created by each user that contains claims backed by one or more identity providers that both a website and a user trust for accuracy and context.
Here are some links to learn more about how NSTIC is actually a step in the right direction, founded on principles promoted by user-driven identity scientists for years.
Why we shouldn't freak out about NSTIC http://bit.ly/fClTpf
Biz Week: Goodbye Passwords http://bit.ly/fOYfn8
FYI, I am a businessman and citizen who values my privacy, and expects to increase online commerce by standards that keep my information under my control while ensuring vendors can grow their business and cut the amount of information they need to store about me, lowering their liability, security risks and overhead. NSTIC is a good initiative and long overdue.
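The claims exchange sketched in the two comments above (a bank vouching to WinesOnline that JoeSixPack123 is over 21 without revealing an age, and the "digital wallet" of claims backed by identity providers the merchant trusts), worked through as an added example. This is not code from the original post, from NSTIC, or from any identity vendor named on the page. It assumes the identity provider and each merchant share a registered HMAC key (a real deployment would use public-key signatures so the merchant holds no issuing secret); the provider names, user records and dates are constructed sample data.

```python
"""Added example: a minimal verifiable-claims exchange (not from the original page).
The identity provider (IdP, here a bank) keeps the user's private attributes and
vouches only for a derived predicate ("over 21"), so the relying party (merchant)
learns the answer without seeing the date of birth.  Assumption: IdP and merchant
share a registered HMAC key; real systems would use public-key signatures."""
import base64
import hashlib
import hmac
import json
import secrets
from datetime import date


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(payload: dict) -> bytes:
    # Canonical JSON so issuer and verifier sign/verify byte-identical bodies.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class IdentityProvider:
    def __init__(self, name: str, records: dict, audience_keys: dict):
        self.name = name
        self._records = records              # user_id -> private attributes; never leave the IdP
        self._audience_keys = audience_keys  # merchant name -> shared key (assumed pre-registered)

    def issue_claim(self, user_id: str, predicate: str, audience: str, today: date) -> str:
        """Evaluate the predicate on the private record and sign only the boolean result."""
        record = self._records[user_id]
        if predicate != "over_21":
            raise ValueError(f"unsupported predicate {predicate!r}")
        dob = date.fromisoformat(record["dob"])
        age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
        payload = {
            "iss": self.name, "sub": user_id, "aud": audience,  # who vouches, for whom, to whom
            "claim": predicate, "value": age >= 21,              # the only attribute disclosed
            "exp": today.toordinal() + 1,                         # short-lived: good through tomorrow
            "nonce": secrets.token_hex(8),                        # lets the merchant detect replay
        }
        body = _encode(payload)
        tag = hmac.new(self._audience_keys[audience], body, hashlib.sha256).digest()
        return _b64u(body) + "." + _b64u(tag)


class RelyingParty:
    def __init__(self, name: str, issuer_keys: dict):
        self.name = name
        self._issuer_keys = issuer_keys      # trusted issuer -> shared key
        self._seen_nonces = set()

    def verify_claim(self, token: str, today: date):
        """Return the payload if authentic, addressed to us, unexpired and unused; else None."""
        try:
            body_b64, tag_b64 = token.split(".")
            body, tag = _unb64u(body_b64), _unb64u(tag_b64)
            payload = json.loads(body)
        except ValueError:                   # bad structure, bad base64 or bad JSON
            return None
        if not isinstance(payload, dict):
            return None
        key = self._issuer_keys.get(payload.get("iss"))
        if key is None:                      # issuer we do not trust
            return None
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
            return None                      # forged or modified
        exp = payload.get("exp")
        if payload.get("aud") != self.name or not isinstance(exp, int) or exp < today.toordinal():
            return None                      # meant for another merchant, or expired
        nonce = payload.get("nonce")
        if not isinstance(nonce, str) or nonce in self._seen_nonces:
            return None                      # replayed token
        self._seen_nonces.add(nonce)
        return payload


def tamper(token: str) -> str:
    """Attacker flips the claim to True without knowing the key; the tag no longer matches."""
    body_b64, tag_b64 = token.split(".")
    payload = json.loads(_unb64u(body_b64))
    payload["value"] = True
    return _b64u(_encode(payload)) + "." + tag_b64


def demo() -> dict:
    """Run the exchange on constructed sample data; return each verification outcome."""
    today = date(2011, 2, 1)                 # fixed so results are reproducible
    shared_key = secrets.token_bytes(32)     # assumed registered out of band between bank and shop
    bank = IdentityProvider("ExampleBank",
        records={"JoeSixPack123": {"dob": "1985-06-02", "balance_cents": 420000},
                 "kid42": {"dob": "2000-01-15", "balance_cents": 1000}},
        audience_keys={"WinesOnline": shared_key, "OtherShop": secrets.token_bytes(32)})
    shop = RelyingParty("WinesOnline", issuer_keys={"ExampleBank": shared_key})
    joe_token = bank.issue_claim("JoeSixPack123", "over_21", "WinesOnline", today)
    kid_token = bank.issue_claim("kid42", "over_21", "WinesOnline", today)
    other_token = bank.issue_claim("JoeSixPack123", "over_21", "OtherShop", today)
    return {
        "joe": shop.verify_claim(joe_token, today),                   # accepted, value True, no dob
        "kid": shop.verify_claim(kid_token, today),                   # accepted, value False: shop declines
        "kid_tampered": shop.verify_claim(tamper(kid_token), today),  # None: signature fails
        "wrong_audience": shop.verify_claim(other_token, today),      # None: not addressed to us
        "replayed": shop.verify_claim(joe_token, today),              # None: nonce already used
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} -> {result}")
```

The point the commenters make shows up in what the merchant receives: the accepted payload carries the issuer, the subject, the predicate and a boolean, never the date of birth or balance that stayed at the bank. The same checks a merchant would need in practice are all exercised: a forged or edited claim fails the tag comparison, a claim issued for another merchant is rejected by audience, and presenting the same token twice is caught by the nonce.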
Thanks for the blog and addressing this latest attempt by the federal government to infringe upon our freedoms. Though the government's desire for SSO is alarming, what bothered me the most from your story was the statement we should understand that this will probably go nowhere.
The reason is that this is just more time and money spent on an idea or initiative that has no legs. I really wish that ideas like this would be required to go through a 'common sense/constitutional committee before they can spend money and time that can't be recovered. This would force congress and the administration to only pursue legislation and initiatives that could help cybersecurity and the American people.
Creating an identity management solution for the public, run by the government has potential disaster written all over it. Honestly, when has the government been involved with a large scale project that was actually successful?
I remember reading a few weeks back that the government were not the ones that were going to be hosting the solution, and were only going to be drafting a bill as to what they deemed the public needed. The next step was to set the approved bill out to bid. That could all have been speculation, though.
I for one don't see the absolute need to rush into this project with so many other blatant security issues at hand. I'm aware that there are numerous password stealing trojans out there that are wiping out bank accounts and stealing credentials to all types of sites, but I think the government should clean up their house first before trying to clean ours. Let's lock down the data leakage, vulnerable web sites, and goodness knows what lurking on the government networks before you start forcing the people to use a fingerprint reader on their Windows 98 workstation.
Why are they doing this? To save helpdesk calls and eliminate head count? I can't see that being a real reason. Plus, who is going to go out and purchase one of the form factor devices out of their own pocket? They're going to have to give them away or give a tax break for the normal person to even try to implement these, and when they do you can bet on a few calls about them not working right and there goes the helpdesk savings!!
I mean just the adoption of websites alone to make changes to implement this is going to be a huge undertaking. Seriously, Facebook just came out with a HTTPS login last week and you think you're going to get them to use biometrics or tokens to authenticate? Good luck.
We don't need the government's "help" to remember our passwords, thank you.
This sounds like a free service from the Total information Awareness branch of the National inSecurity Agency.
What really bothers me, though, is someone was paid a wage by our government to propose yet more malicious nonsense as this, and the person who created that job still has their job. When we hear such horrible nonsense as this (re)-emerge from the government, heads should roll - the spokespeople first, then their superiors. It's offensive to have to rebut such proposals as if their offer was not venal and viciously intended.
I suppose they'll guarantee security? Hey, how about staking the government to 100% of any consequential damages for any information leakage? If they'd offer to pay megabucks when the INEVITABLE leakage occurs ... that might be as inviting as playing the lottery. Just don't let them keep the passwords to anything of ACTUAL importance - of course!
They just keep offering and offering things to abjure our privacy and security, hoping one day people will fall for something. Let us find a way to eliminate their job position before they finally manage to win.
Same problem with "Cloud". GET WITH IT: the theme now is
I share your view, bvice. I don't think the government can get a system that aligns all components to make a single sign-on work, then there is the issue of their ability to maintain, upgrade, and make usable changes for consumers. It just is not likely to work.
I don't like the idea of the government managing my access to the internet, nor do I like the idea of Facebook being my navigator. I don't think a one-size fits all is going to work.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.