Will a standardized system for verifying Web identity ever catch on?


People involved in an online government identity system say passwords could be on their way out.
People involved in an online government identity system say passwords could be on their way out.
STORY HIGHLIGHTS
  • Obama administration is proposing a standardized login system for the Web
  • People would choose Facebook, Google or another site as their provider
  • The identity-verification system would then work on any website
  • Because the government doesn't plan to write a law, this is a policy experiment
My neighbor recently discovered a four-digit passcode that unlocks the front doors to our apartment building.
He shared the code with me, as well as with his girlfriend, buddies and a few other neighbors. I shared it with some people, and so did others. Within a few weeks, the building's security system was buzzing constantly for people who didn't actually have one of the dozen or so physical keys given to tenants.
My apartment building's security is not all that different from the password-protected login system that forms a chain-link fence around Facebook, Google, iTunes or any other Internet service. Passwords are often shared among family, friends and spouses, and people
typically use the same passwords for everything. Many experts say passwords are cybersecurity's weak link.
To minimize identity theft, the Obama administration is urging Internet companies to agree upon and adopt a standard, reliable identity-verification system that people can use for any website. Each person would choose one company, perhaps their e-mail service provider, to handle credentials for sensitive personal or financial information on other sites.
In this hypothetical digital world, someone could buy books on Amazon.com using a Google account, while another person could sign up for a social network using a PayPal account. Because the U.S. government is involved, Americans might be able to download their tax forms by signing into, say, their Microsoft accounts.
President Obama introduced the initiative in spring 2011, and development of the technology seems to be moving at the speed of Washington, not Silicon Valley. Almost a year later, there's no consensus among Web companies and government about what exactly this should look like and when we should expect to see it.
Some websites have already embraced an idea similar to what is being proposed, without the government giving them a push. For example, users of TripIt, a travel organizer from Concur Technologies, can log in using their Facebook, Google or Yahoo accounts.
But this typically involves small utilities piggybacking on the networks of larger companies. The biggest Internet players, such as Amazon, Apple, Facebook and Google, do not play well with each other.
Instead, Facebook and Google boast about how quickly they are convincing users to volunteer their personal information in setting up profiles. Apple regularly mentions how many credit cards its iTunes service has on file -- at last count, more than 225 million.
People involved in the government initiative said the major players have informally expressed interest. But a Google spokesman declined to make executives available for comment for this story. A Facebook spokesman declined to comment and a PayPal spokeswoman didn't respond to a request for comment.
These companies may view their respective platforms as a competitive advantage, said Don Thibeau, the executive chairman for the OpenID Foundation. His organization has been trying to provide a sort of universal login system that includes Google and Yahoo, but some users find the system's row of tiny buttons confusing. OpenID will launch a simplified, single-button alternative called Connect in the next few months, Thibeau said.
Thibeau said he believes technology companies may eventually realize the limits of their identity silos. Similar to how people can now send text messages to friends on different cellular networks, or how a Mac user can open a Microsoft Word file, Internet login systems should one day standardize, he said.
"This notion of standards, as boring as it is, is really the plumbing of the Internet economy," Thibeau said. "It turns out that you can only go so far with business and Internet services until you come up with standards. Standards build markets. Standards help the pie grow bigger."
Internet giants have not been eager to unite on their own. For various reasons, having the government involved either provides the best possibility for bringing rivals together or will poison the well, according to people involved. Companies and citizens alike can sometimes have an allergic reaction to government intervention, especially when privacy is involved.
When President Obama announced last year that he was handing over the keys for an online identity initiative to the U.S. Commerce Department, talk of an "online driver's license" ensued. Observers say that's not an apt analogy because the identity system, as proposed, wouldn't be required for using the Web, nor would it be issued by the government. But the idea of a government-controlled database spooked many people.
What Obama's proposal describes is a series of security problems on the Internet, such as insecure passwords and people handing over sensitive data to dozens of companies, as well as some vague suggestions for how to solve them.
"It's not a piece of legislation," said Aaron Brauer-Rieke, a fellow at the Center for Democracy and Technology, an Internet privacy group in Washington. "Instead, it's the federal government saying here is our vision of how to improve identity on the Internet."
A year ago, Jeremy Grant inherited the project. He is a senior executive for the Commerce Department's National Institute of Standards and Technology, and he is playing government liaison to tech companies and privacy advocates as part of the National Strategy for Trusted Identities in Cyberspace, or NSTIC.
The government's prospective standard for online identity is not expected to result in a law, as long as companies can come to an agreement among themselves. The system could be regulated by the Federal Trade Commission, said people involved in the planning.
"The way that Washington tends to affect change is to either pass a law or to pass a regulation to make something happen," Grant said. "NSTIC is a bit of a policy experiment."
After failed government experiments, the United States has observed that an online ID has to be driven by companies, not countries, and has to keep Internet anonymity intact, Grant said.
"We could, on paper, come up with what would be the perfect mousetrap, and no one would want to buy it," Grant said. "The federal government doesn't care if you're a dog [online] or not. Anonymity and pseudonymity have always been hallmarks of the Internet."
Bidding will begin this month on NSTIC pilot programs that should launch in the summer to demonstrate what an online identity framework could look like, Grant said. The government will carefully determine what safeguards will be implemented in the identification process and the punishments for violators, he said. Some sites could begin launching NSTIC login options in about two years, he said.
Others were not so optimistic.
Persuading every major Internet company and then every Web user to sign up will be a massive undertaking, said Brauer-Rieke, from the Center for Democracy and Technology. "The work of herding cats is just beginning," he said.
Because this is such an unusual policy experiment, the government cannot point to a similar program in the past that has been successful, said Thibeau, who is also the chairman of the Open Identity Exchange, which counts AT&T, Google, PayPal and Verizon among its members. Also, other countries may object to an initiative led by the United States, he said.
What this system will look like remains undefined. People may have to type in a temporary password received via text message, answer quiz questions or identify friends in photographs, according to people involved in the initiative. NSTIC could even require a hardware dongle that users plug into their computers, though that's unlikely as people increasingly move to mobile devices that don't have standard inputs, they said.
Just about everyone involved is in agreement that today's model of people picking their own passwords will not survive much longer.
"The greatest threat to security and the greatest threat to privacy are passwords," Thibeau said. "Passwords are really yesterday's news."

Comments