Call it a driver’s license for the Internet superhighway: Recent announcements from the US Department of Commerce indicate the agency is putting its final touches on a single sign-on method that -- poof! -- will free us from the clutter of trying to keep track of dozens of Website passwords (or worse, using the same simple password everywhere).
Called the National Strategy for Trusted Identities in Cyberspace (or NSTIC in Beltway alphabet soup), this Commerce Dept. initiative could require users to log in using a digital token or a smartcard or perhaps a fingerprint reader. A final draft is due out imminently.
The NSTIC would do away with the dozens of passwords we use at the many sites we visit in a day.
On the plus side, such a system would call a halt to the time wasted on lost password retrieval -- the single biggest helpdesk cost, as a Homeland Security counselor told Bloomberg News. The other “plus” is that it almost certainly would reduce the billions of dollars lost to password hackers.
Sounds wonderful. And there is every reason to applaud this single sign-on technique -- except for two things: It won’t work; and if it did, you would have to trust big government to stay benign as it tracks your every online step. As for the latter, ask the citizens of Egypt, Tunisia, China, Iran, and other countries that closely monitor their citizens’ Internet usage (or block it in whole or part).
“The Commerce Department proposal would facilitate government tracking of the populace -- that’s why this system is dangerous,” says Paul Kocher, president and chief scientist at security research firm Cryptography Research. “If it were successful, it would be frightening.”
But, Kocher says, look at the bright side: “The reality is that this will probably go nowhere.”
“It will be tough for Commerce’s initiative to get off the ground,” agrees Eric Olden, CEO of Symplified Inc., a vendor of corporate password solutions.
Think for an instant about the monumental technological challenges involved in creating a single sign-on that can work across a multitude of devices -- everything from cheap feature phones through tablets and desktop computers, accessing the Internet via 3G networks, WiFi, broadband, even dialup. This isn’t a problem that could ever be solved with a quick governmental wave, especially since the Internet is a global, multinational phenomenon. What the US Commerce Department decrees may, and probably will, carry scant weight in New Delhi, Beijing, Moscow, or any nations that almost surely want to deal their own cards.
Further, “No initiative will change human nature,” says Olden.
It’s a chicken-and-egg problem, according to Kocher. “No Website will support this until it has lots of users, and users won’t use it until lots of Websites have it.”
But don’t think this writes RIP to single sign-on. Quite the contrary. We are edging toward a universal sign-on regardless. And Commerce has nothing whatsoever to do with it.
Olden suggests building a single sign-on from a handful of IDs that are in wide use. Think Facebook, Gmail, perhaps Yahoo. Facebook alone is emerging as a kind of de facto single sign-on with 500 million users, suggests Olden.
So scratch Commerce’s NSTIC, and find ways to lace together the passwords we already use. “What works is not reinventing the wheel when you don’t have to. We already have a lot of what’s needed to solve the problem. We just need to find ways to tie them together.”
Olden’s idea is to knit a handful of widely used IDs into a coherent fabric that, at a glance, uniquely identifies individuals. Call it a social Web identity 2.0. The pieces are in place and just need assembly; and, suggests Olden, people like him already are hot on this trail.
He adds: “How many people will go get a Commerce Department ID? What’s the compelling reason? Use more of what you already use.”
The solution just may be that simple.
— Robert McGarvey is a widely published author and expert on social media.