Most people identify themselves online by juggling a long list of user names and passwords. Most industry experts agree that this approach is hopelessly broken.
A few technologies have been invented to address the problem of online account overload, for example, the open standard OpenID, which lets people use a single credential to log in to multiple sites. Companies are also vying to fill the gap–Facebook, for instance, offers technology that lets people log into other Web sites using their Facebook credentials.
Now the U.S. government is hoping to step in and improve the state of online identity management. In a draft recently posted online, the Department of Homeland Security outlined a possible National Strategy for Trusted Identities in Cyberspace–a document that suggests how the government could facilitate a system for managing identities. The system could be used not only by government sites such as the Internal Revenue Service, but by other websites, including commercial ones.
The draft document does not suggest creating a national ID card or government-mandated Internet identity system. Instead it proposes a way to combine existing online identity technologies to create a simpler, more privacy-conscious identity system, without the government taking control of the whole thing.
The document asserts that an integrated online identity system should be secure, compatible with other online identity systems, privacy-enhancing, and voluntary, as well as cost-effective and easy to use. The draft suggests starting with accounts that users might already have, like those from Google or Facebook. Providers would be certified as reliable and secure. Then users could choose a company or organization to sign up with, and their credentials would be in a standard format that would be widely accepted.
The draft document gives several examples of how a new system might look. For example, it suggests that a user might have an identification technology connected to her cell phone. That system could be used to log onto a government site and access tax services, for example. This would prevent the user from having to create a new password for that site, and it would save the government from having to maintain any of the authentication infrastructure.
Or, the draft suggests, a user might use credentials stored on his computer to log into an online pharmacy. In this case, the information would confirm that he was over 18 and that his prescription was legitimate, but it wouldn’t hand over any additional information.
Kaliya Hamlin, an independent industry expert who is the producer of the Internet Identity Workshop, an industry forum for developing and discussing identity management technologies, says the draft document does a good job of identifying several key problems with online identity today. For example, it discusses at some length the usability problems of current systems, such as the need for “secret questions” such as mother’s maiden name that ultimately compromise security. Hamlin adds that many of the scenarios described in the document can be addressed with existing standards, as the plan suggests. For example, a standard called information cards could handle the case of the online pharmacy. Information cards are a standard for digital identity data managed on software installed on a PC. They are designed to confirm particular attributes of a user without revealing further specifics.
Hamlin plans to organize an identity strategy workshop in September in Washington, DC, where industry experts will be able to discuss the government’s proposals.
Paul Nicholas, director of global security strategy and diplomacy for Microsoft’s trustworthy computing group, said in a statement that the draft “represents significant progress to help improve the ability to identify and authenticate the organizations, individuals, and underlying infrastructure involved in an online transaction.”
However, some experts worry that it will be hard to communicate and achieve the vision outlined in the draft. “I just see complications in terms of mainstream adoption and pushing this out to everyday use,” says Fred Stutzman, cofounder of a social Web identity management system called ClaimID. Though he believes there are good technologies out there for solving identity management problems, he also foresees trouble making them easy enough to use.
Hamlin says that in its current form, the draft is accessible to industry insiders, but its message is not reaching the general public. The draft as it stands is vague, she says, and needs to communicate a clearer sense of how government involvement could help.
Hamlin is encouraged by suggestions in the draft that the government could enact laws that would set standards for identity management systems and liability rules for companies offering authentication services. As it stands, identification methods are often stretched beyond the purpose for which they were intended, leaving companies reluctant to develop systems and interconnect with other identity systems. The Department of Homeland Security is taking comments on the draft through July 19. The U.S. government plans to finalize the draft in the fall.