Will we ever get a single online identity that we can use without registering countless login credentials against hundreds of sites? This is a problem that we have been wrestling with for years. And now, the US Government is stepping in.
The concept of a single online identity has always been a tough nut to crack. Many schemes have been tried such as
OpenID,
Kantara Interactive (formerly Project Liberty), and related authorisation schemes such as
OpenAuth. All have met with varying degrees of success, but we seem just as far away from solving the identity problem once and for all.
We wrestle with the disparity in identity systems every day. We find ourselves logging into many different online services during the course of a week, from email through to back-end corporate applications, and ecommerce services. These online services are proliferating, so that today, we find ourselves filing our taxes and even reserving library books online. For the most part, these sites don't recognise a common identity system. Users are forced to use different username/password combinations for each of them, which creates its own security issues.
These are issues that the US Government is currently wrestling with. It has launched a draft proposal for a single, trusted online identity, and is grappling with many questions as it thrashes out a model. In the document,
National Strategy for Trusted Identities in Cyberspace, it is considering, for example, the merits of having a 'system of systems' in which many private sector players develop identity management systems that support a common architecture. This stands in stark contrast to the idea of a single, government-issued ID to be used in all online transactions (which raises technical, as well as political, complications).
Even if they do recognise a common login system, in which the same stored login credentials are used by multiple sites, does this truly constitute a single identity online? What is an identity anyway?
A person is a complex mixture of characteristics and behaviours. We mean different things to different people. We could reasonably argue, for example, that a person might be perceived almost entirely differently depending on whether she is talking to her bank, her mother, or to a special interest group (especially if her membership of that group is sensitive, and perhaps secret, such as an addiction support group).
Ideally, an identity should be more than simply a user name and a password. It should be more complex, and should enable people to access services without giving away information that they do not need to divulge. For example, I might wish to grant access to a document to certain employees within a company. I may not need to know who exactly accessed the document, as long as my identity management system can verify that they are an employee of that company, in a particular department, and therefore qualify for access. This is one of many attributes that make up someone's identity, and could be exchanged without giving away more uniquely identifying credentials, such as the person's name. This is an example of where exchanging credentials or attributes with an application is more useful than simply authenticating someone's password.
The US Government already faces considerable political opposition from digital advocacy groups as it attempts to pull together a cohesive approach to online identity. Hopefully, as it works to consult with the public and refine the document, it might add to the growing set of contributions on this important subject.