In today’s article, Intersections’ Consumer Security Adviser Neal O'Farrell updates us on his thoughts about a government proposal that would create a single, “universal identity” for people online. Is it a good idea? Read Neal’s post to find out.
After a little over a month of discussion and feedback, the White House just formally published its strategy as a possible first step towards one of the biggest and boldest initiatives in national identity protection.
It's called the National Strategy for Trusted Identities in Cyberspace (NSTIC) and claims as its goal to "better protect consumers from fraud and identity theft, enhance individuals' privacy, and foster economic growth" and to "make online transactions more trustworthy, thereby giving businesses and consumers more confidence in conducting business online."
The idea behind the strategy is very simple. Instead of requiring consumers to have separate logins and passwords for every account they own and use, and thereby exposing themselves to risk every time they use each separate identity, users would have one single online identity — a sort of Internet passport, which would work with all participating businesses.
The program would not be mandatory and consumers would have to opt in. And although being promoted by the government, it would actually be run by a partnership of private businesses.
Consumers who join the program would be offered a single credential or means of identification, such as a smart card or token, and would then be able to securely log into any website they choose, using that single credential, and without the need for a separate password each time.
To avoid the risk of creating one massive database of credentials that could create havoc if hacked, consumers will be able to choose a variety of identification devices from a variety of vendors, thus providing a much lower risk of a devastating attack on this newly created secure environment.
The hope is that because consumers will have to provide less information, and less often, not only will they be less exposed to identity theft and fraud, they will also be less exposed to privacy breaches. Currently, most consumers have to provide a wealth of personal information when signing up for online services or merchants, and it's becoming increasingly tough for these merchants to protect all this information from hackers, data thieves, and simple leaks.
The less information these merchants and financial institutions have to request and store, the fewer chances of an embarrassing data breach.
Apart from the benefits to consumers, one of the biggest beneficiaries will be small business. Small businesses have to work very hard to build trust with customers, especially when it comes to online business and transactions. But they often don't have the time, skills, or resources to focus on security the way they should.
This new ecosystem should be able to shift the responsibility for security to those tasked with managing the interchange of consumer credentials. This in turn will allow smaller businesses to focus their limited resources on building and managing their businesses and serving their customers, and still be confident that any interaction with a customer online is a safe and secure one.
Personally, I'm beginning to warm to the idea, at least in principle. The devil is in the detail, and many of these very fine details still have to be worked out. But anything that makes it easier for consumers to identify themselves securely, reduces the number of logins and credentials they have to use, and reduces the amount of information they need to provide to businesses, can only be a good thing.
Read our recent interview on the topic of universal identity on Dark Reading.