Tech giants team for online ID cards
Passwords are so passé
A group of software and online payment companies are teaming up to find a better way than passwords to protect, and prove, your identity online.
Problems with passwords are well known - people require ever more passwords which means they either get forgotten, or people use the same word for several different services which is a security risk. The new group will seek to find open standards to make it easier to prove your identity online without using dozens of passwords and usernames.
Equifax, Google, Microsoft, Novell, Oracle and PayPal will work together to create "Information Cards" - online cards like those in your wallet. Different cards can contain different levels of information and can be used to log in to different websites instead of using a username and password. Some may contain just a user name and password, others address information.
Other information - such as whether or not the person browsing is over 21 years old - could also be verified by the website by sending a query to the independent third party. In theory this should be safer - your information will not have to be stored by several different websites.
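The flow the two paragraphs above describe (a website asks an independent party to vouch for a specific attribute, and never sees or stores the underlying data) is worth seeing in code. The following is an added example, not code from the Information Card Foundation or any of the named companies; it assumes an identity provider with an Ed25519 key, a tiny JSON claims format, and constructed user profiles ("alice", "shop.example" and so on are made-up names). The point it makes is that an "over 21" card carries a yes/no claim bound to one site and a short validity window, not the birth date.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Profile is everything the provider knows about a user (constructed sample fields).
type Profile struct {
	Name      string
	BirthDate time.Time
	Address   string
}

// Claims is all a website ever receives: the attributes it asked for,
// bound to that website (aud) and to a validity window (exp).
type Claims struct {
	Subject  string            `json:"sub"`
	Audience string            `json:"aud"`
	Expires  int64             `json:"exp"`
	Values   map[string]string `json:"values"`
}

// Token is the "card": the claims plus the provider's signature over them.
type Token struct {
	Payload   []byte
	Signature []byte
}

// Provider stands in for the independent third party of the article.
type Provider struct {
	priv  ed25519.PrivateKey
	Pub   ed25519.PublicKey
	users map[string]Profile
}

func NewProvider(users map[string]Profile) (*Provider, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Provider{priv: priv, Pub: pub, users: users}, nil
}

// Issue releases only the claims a site asked for. Derived claims such as
// "over21" are computed here, so the birth date itself never leaves the provider.
func (p *Provider) Issue(subject, audience string, requested []string, now time.Time) (Token, error) {
	prof, ok := p.users[subject]
	if !ok {
		return Token{}, errors.New("unknown subject")
	}
	vals := map[string]string{}
	for _, r := range requested {
		switch r {
		case "name":
			vals["name"] = prof.Name
		case "address":
			vals["address"] = prof.Address
		case "over21":
			vals["over21"] = fmt.Sprint(!now.Before(prof.BirthDate.AddDate(21, 0, 0)))
		default:
			return Token{}, fmt.Errorf("unsupported claim %q", r)
		}
	}
	c := Claims{Subject: subject, Audience: audience, Expires: now.Add(5 * time.Minute).Unix(), Values: vals}
	payload, err := json.Marshal(c)
	if err != nil {
		return Token{}, err
	}
	return Token{Payload: payload, Signature: ed25519.Sign(p.priv, payload)}, nil
}

// Verify is the website's side: accept the claims only if the provider's signature
// holds, the token was issued for this site, and it has not expired.
func Verify(pub ed25519.PublicKey, t Token, audience string, now time.Time) (Claims, error) {
	if !ed25519.Verify(pub, t.Payload, t.Signature) {
		return Claims{}, errors.New("signature does not verify")
	}
	var c Claims
	if err := json.Unmarshal(t.Payload, &c); err != nil {
		return Claims{}, err
	}
	if c.Audience != audience {
		return Claims{}, errors.New("token was issued for a different site")
	}
	if now.Unix() >= c.Expires {
		return Claims{}, errors.New("token has expired")
	}
	return c, nil
}

func main() {
	now := time.Now()
	p, _ := NewProvider(map[string]Profile{"alice": {"Alice Example", now.AddDate(-30, 0, 0), "1 Sample Street"}})
	tok, _ := p.Issue("alice", "shop.example", []string{"over21"}, now)
	c, err := Verify(p.Pub, tok, "shop.example", now)
	fmt.Printf("site learned %v (err=%v); payload: %s\n", c.Values, err, tok.Payload)
}
```

The audience and expiry checks are what stop a token issued for one shop from being replayed at another, which is the part of the design that matters more than the signature primitive itself.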
The group hopes to extend its reach beyond consumers to identifying users of enterprise networks too.
The Information Card Foundation has applied to be a working group of Identity Commons, which is also trying to create an open, independent identity layer for the internet.
The difficulty for such groups is convincing the market that it is truly independent, and not just promoting the agenda of its most powerful members. ®
Portable e-id card
How about a steg encrypted usb stick, each separate set of data stored isolated from any other, with a certificate store to give access to data sets to specific 'users'.
You could store bank details, website passwords, medical records, all hidden from each other.
Logging into a website: when you register, you save their certificate as having access to its datastore. When logging in, you enter your password into the USB stick, the website provides its certificate check and the stick returns the data if it matches.
Paying in a shop: the seller sends you their certificate, you verify it and add them as a single transaction 'user'. The payment request goes to the bank, the bank requests confirmation from the stick, the stick confirms and deletes the access.
The data sets could be actual data, or key generator algorithms. No need for centralised store of anything except certificate chains. Not saying it couldn't be hacked if you had physical access to it, but if you lost it, you could revoke your certificate and so prevent access to any of the data sets when the stick next tries to access something.
Long enough keys and encryption between the stick and the certificate store would make attacking it pretty tricky. Storing the access certificates in memory that dies if the case is tampered with would leave a patternless jumble of data.
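The scheme the commenter sketches above (isolated data sets on a device, each released only to a site that presents a registered certificate, with one-shot grants for shop payments and revocation for a lost stick) can be modelled in a few dozen lines. The following is an added example and not the commenter's code; it assumes an Ed25519 public key standing in for the site's certificate, a challenge-response so that the site must prove possession of the matching private key rather than merely present the certificate, and a SHA-256 PIN check (a real device would use a slow KDF). Names such as "forum.example" and the stored data are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// grant records which key (the site's "certificate") may read one data set,
// and whether the grant is consumed by a single use (the shop transaction case).
type grant struct {
	pub     ed25519.PublicKey
	oneShot bool
}

// Stick is the hypothetical device: each data set is held separately and is
// released only to a registered key that signs a fresh nonce issued by the stick.
type Stick struct {
	pinHash  []byte
	datasets map[string][]byte
	grants   map[string]grant
	nonces   map[string][]byte // outstanding challenge per data set
}

// hashPIN is a stand-in for a proper password KDF (assumption, kept short here).
func hashPIN(pin string) []byte {
	h := sha256.Sum256([]byte(pin))
	return h[:]
}

func NewStick(pin string) *Stick {
	return &Stick{pinHash: hashPIN(pin), datasets: map[string][]byte{}, grants: map[string]grant{}, nonces: map[string][]byte{}}
}

func (s *Stick) Store(name string, data []byte) { s.datasets[name] = data }

// Register saves a site's key as the holder allowed to read one data set.
func (s *Stick) Register(name string, pub ed25519.PublicKey, oneShot bool) error {
	if _, ok := s.datasets[name]; !ok {
		return errors.New("no such data set")
	}
	s.grants[name] = grant{pub: pub, oneShot: oneShot}
	return nil
}

// Revoke drops a grant; the owner of a lost stick would do this for every set.
func (s *Stick) Revoke(name string) { delete(s.grants, name) }

// Challenge hands the requesting site a nonce that it must sign with its key.
func (s *Stick) Challenge(name string) ([]byte, error) {
	if _, ok := s.grants[name]; !ok {
		return nil, errors.New("no access granted for this data set")
	}
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	s.nonces[name] = n
	return n, nil
}

// Unlock returns the data set only if the owner's PIN is right and the site's
// signature over the outstanding nonce verifies under the registered key.
func (s *Stick) Unlock(pin, name string, sig []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare(hashPIN(pin), s.pinHash) != 1 {
		return nil, errors.New("wrong PIN")
	}
	g, ok := s.grants[name]
	if !ok {
		return nil, errors.New("no access granted for this data set")
	}
	n, ok := s.nonces[name]
	if !ok {
		return nil, errors.New("no outstanding challenge")
	}
	delete(s.nonces, name) // a nonce is good for exactly one attempt
	if !ed25519.Verify(g.pub, n, sig) {
		return nil, errors.New("site failed to prove possession of its certificate")
	}
	if g.oneShot {
		delete(s.grants, name) // shop case: access deleted after the one transaction
	}
	return s.datasets[name], nil
}
```

The nonce is what separates "the site presented a certificate" from "the site proved it holds the key behind that certificate"; without it a captured certificate would be enough to read the data set.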
What's new about this? What's good about this?
Years ago (in NL) there was a system called "iPay with SET", which meant that payments were not made to any old site, but rather through an established trust relationship - your bank. The bank authorised the payment request and approved the transaction, standing guarantor to the website. You never needed to enter banking / payment info into an etailer's site. I can't remember whether the bank sent confirmation of the registered address or not.
By comparison, Verified by Visa or this new approach seem like a watered-down system.
How many people do you know who do NOT use ONE password for EVERYTHING, and write it down so they don't forget it? Non-techys, that is...
I've worked for companies that had laptops with hard-disk encryption, 30-day lifetime passwords using (so-called) strong encryption (upper & lowercase, numbers, punctuation; 3-out-of-4, minimum length etc) and the 'random' number-generating keyfob/card thingies with a 4-6 character personally-generated PIN; when taking delivery, all Users had to sign to say they would not write their password or keyfob PIN down etc just like normal.
So care to guess what we found in the laptop case practically every time we had to visit one of these Users, or needed to take a laptop away for any reason? You probably guessed right; one fool even had the bit of paper with his keyfob PIN and the post-it with his password (and the last half-dozen!) and PIN tucked inside the laptop sitting on the keyboard, and one half-witted son of a half-blind monkey and a drunken prostitute (I swear he could not have been a real human being, he was so completely stupid!) had taped it to the front of the laptop... together with the HDD boot decryption key.
Management seem to be the worst (too busy fsck'ing over the poor bastards at the bottom of the corporate food chain or plotting their next expense account "lunch" to bother with such petty trivialities as keeping the company data secure), with techy types being the least likely to do it (although there were some... but it tended to be the youngest ones rather than the grizzled old hacks who'd been there for years)...
Thar be data thieves ahead, me boy - and not all of us wear the same flag...