Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Identity++.

Whether you call it Identity 2.0 (watch the brilliant presentation here) or something else, a lot of smart people are discussing the future of digital identities.

They’ll probably solve it at some point.  But not until they can get past the basic issue that on the Internet, looking at something is the same as possessing it.

As the wonderfully named Dick Hardt puts it, you walk into a store, show your choice of ID, and get your bottle of Stoli.  But what if the cashier can automatically keep a copy of your ID, alter it, and use it in unlimited ways?  What if you ran that risk every time you authenticated yourself, everyplace?

In meatspace, we perform all sorts of ancillary authentication besides just looking at the ID. 

When I last lived overseas, about ten years ago, I used to send my mom flowers for Mother’s Day.  At that time, wiring an order using FTD was just too expensive; I used to phone our hometown florist nearest her house and just order flowers over the phone, giving my credit card number for payment.

And it worked just fine.  Why not?  The florist heard a pleasant voice with the “right” kind of accent; you could hear pops and hisses on the long-distance connection that corroborated my story of being overseas; and what identity thief would use a stolen credit card to send flowers to someone?  All of those subconscious cues led the florist to accept my “identification” without any other kind of authentication.

Authentication depended upon a lot of these nonverbal, usually unacknowledged methods of confirmation and corroboration.  You took the trouble to show up in person, you had the right dress or the right uniform, you said the right words, you looked confident and at home, and maybe you even dropped names or provided other information in casual conversation that played the role of a shared secret.  (It’s very amusing to watch Penn Jillette’s game show, Identity, to see contestants try to use all these identification and authentication skills in an overt way.) Once we started losing these additional cues, the ID cards we had started to become less reliable.

And on the Internet, of course, it’s completely blown away.  You hardly have to show up anywhere to be identified, authenticated, and authorized, especially for individual transactions using an account that has already been through the initial registration phase.  Nowadays, any bored 14-year-old in Outer Slobovia can present the very limited credentials required for online transactions in Spokane.

Our historical process of authentication has involved many, many more factors than we ever realized.  One factor, or two, seems ridiculous by comparison.

So the next generation of Identity has to solve both those problems:  how to add a ton of factors back in, at least during the issuance of official ID, and how to keep that ID from being copied every time it’s viewed.

I just want to say to these folks, Good luck!  We’re all counting on you.

Posted by shrdlu on Sunday, May 06, 2007