Are online ID cards the answer to forgotten passwords?
A consortium of tech heavyweights led by Google, Microsoft and eBay's PayPal think so. They have formed the ominous sounding Information Card Foundation to push for the introduction of an online ID card that will act as a substitute for the jumble of passwords we try to keep in our head. One industry-accepted card would also be all that was required at online shopping sites, the thinking goes, removing the hassle of filling in the same details every time you visit a new online merchant. Supporters even say it will crack down on identify theft and online fraud.
As Robert Blakeley, a research director at the Burton Group, one of the advocates of the plan, told The New York Times, with an online ID card “you don’t have to depend on a password, so there’s no phishing opportunity.”
Solving the vexing issue of managing multiple passwords and eliminating the requirement that web users reintroduce the same personal details on any site that requires registration has been in discussion for years. I recall in the early part of the decade predictions that computers would soon come equipped with fingerprint readers to identify users and do away with passwords and forms. As CNET's News.com points out, Microsoft recently introduced its own card policy to little effect.
The hope is that an industry standard will get an online ID card system off the ground. "We need to come together in a neutral body to continue to promote the adoption of this technology," Paul Trevithick, CEO of Parity and chairman of the ICF, told CNET. Don't bet on that sales pitch working in Britain.
Or alternatively, just switch to using the Opera browser, which has a built in "Magic Wand" that stores all your passwords and name/address info for you.
I don't like using the same ID for every site, that's just bad security and bad privacy. It's much better to use a different ID on every site and get the Magic Wand to store it for me.
Posted by: Gentleman Surfer | Jun 24, 2008 3:49:25 PM
Great initiative--hopefully the principals will overcome the 'not invented here mindset' and be responsive to outreaches made by CT-based KeyID, which has already developed a broad sweep approach and formidable solution (patent-pending) to the issues that this group is looking to address (open protocol, "5 factor security", seamlessly integrates with current internet access devices, and aggregation of passwords. Simplistic approach, but one developed by a relative outsider... see http://www.keyid.com
Posted by: Jay Berkman | Jun 24, 2008 4:00:25 PM
Great, another card, another mass of information stored.
Isn't it that sites such as Amazon generate a user profile and offer user specific advertisment?
An online ID card would centralise this and simplify this.
So if I buy a BlackBerry (which I did) in Germany, I don't want to see all sort of BlackBerry advertisments appearing on sites auch as Amazon.
In fact I rarely buy online, and if I do, I pay the postman.
All this will do is allow companies (or a government) to monitor people.
And who is to keep you from writing all the passwords down on a good old piece of paper?
That's reasonably theftproof.
An overall ID card is only going to alienate people, thus despite the advantages it might bring I doubt that people would be too happy.
An ID card based on the above mentioned fingerprint reader which is site-specific would make more sense to me.
And probably also to a lot of other people.
And even then, a lot of people are unhappy with the idea of storing fingerprints on a passport.
And with all these calls to "protect your identity online", a centralised database would make little sense.
a) You always get some... (think what you want), who'll move some information, leave it somewhere, posts it or whatever, resulting in a security breach. Especially as a centralised ID card would be a massive database which requires a lot of staff.
b) It will be a prime target for hacker.
If government computers are hacked into, how are they going to protect this database??
are they going to disconnect it from the interenet? That would defy its purpose.
Personally I woulnd't want one, I wouldn't use one.
But it the same as with Vista..I don't like it, but I will have to use it on a new computer...
Another step closer to total surveillance...forced upon people.
(If it comes into effect)
Posted by: Dcm | Jun 25, 2008 10:26:24 AM
So many people do not have fingerprints, metal workers, people who work with acids and builders. Also copying fingerprints is not impossible. Try again .
Posted by: Terry Murphy | Jun 26, 2008 10:55:06 AM
All major browsers can store passwords for you, not just Opera. But if malware makes it on your system, where's the first place they'll look for "good stuff?" Yeah, right there. I don't trust any browser or plug-in or well-known application with that info. And what do you do if you're on a different computer? There are web sites that offer to manage this info for you, too, but I trust someone else to store it even less. I have my own storage mechanism and I can carry it on a usb memory stick. A pain, but it's secure and portable.
No, some universal authenticator is a good direction to try. Of course, the single point of failure it could suffer if you were to lose your card is scary. And it won't eliminate phishing. It will change what they phish for (how do you get a new card if you lose yours? You'll have to know something... they'll phish for that).
But we have to move forward, usernames and passwords are insufficient security and do not scale well to hundreds of web sites.
Posted by: King | Jun 26, 2008 4:22:06 PM
I do not want to use an online ID card because I do not trust that the information on that online ID is safe regardless of any assurance to the contrary. Any information can be accessed.
Furthermore the issue of privacy and big brother is another concern to discourage me from using such ID system.
Posted by: Chris | Jun 26, 2008 10:07:00 PM
I dont think the fingerprint idea is good. There are always going to be times when, say, someone will need to use their partner's account to buy something urgent, but if their partner is not present to use their thumb it wont be possible.
I tend to have just a few passwords for different levels of security. An everyday one for comments sections of websites/forums etc, another for higher level things like maybe web email etc etc. It's proved pretty effective
Posted by: Andy | Jun 27, 2008 12:29:08 PM
This is probably one of the worst ideas I have heard in a while. What happens when people figure out how to dupe the verification systems with simulated versions of an ID card.
Phishing could also easily be adapted to capture ID cards rather than personal info.
Posted by: Alistair | Jun 27, 2008 2:07:50 PM
This ID card idea is great. All the information the merchant would need would be the delivery address with the card provider handling your personally identifiable info in one place. It would ensure that your identity can't be stolen.
At the momment anyone who uses there credit card details to order online has there details on hundreds if not thousands of unsecured servers, email accounts etc across the world.
Finger print data can easily be copied but I know that smart card technology is very secure and it is impossible to fake them.
At the momment you are often asked for your Date of birth ( never give the correct one unless it is for a credit card or similar), security questions etc.
It is the same as leaving your name, address, phone number, date of birth credit card number , credit card security number ( on the back !) every time you buy petrol for your car, pay for a meal, buy a book, do the weekly shopping.
writing passwords on a piece of paper doesn't stop them being stolen when you type them into the computer.
Posted by: Galway | Jun 29, 2008 8:55:19 AM
What would happen if the card were stolen?
Posted by: | Jul 4, 2008 10:31:30 AM