The federal government is contemplating a move towards an online identity plan based on the National Strategy for Trusted Identities in Cyberspace (NSTIC). You can read the entire Ars Technica article to see just how the plan might work.
The basis for such a plan points to endless logins and passwords for a seemingly endless number of online destinations. Although it can be a daunting task if managed properly, there seems to be little difference in the NSTIC. In fact, it looks eerily similar to Social Security numbers (SSNs). One large difference between the proposed Online Credentials and SSNs is that users can choose to have one or more credentials.
Without delving into specific goals of the NSTIC or what is hoped to be achieved, I do have some opinions on the matter.
It’s easy to see the good in a plan like this. No more endless logins and passwords. Users can have a few Online Credentials which allow them to access their bank info, email, Facebook, etc. without creating new login information. Additionally, the Online Credential used for banking could also be used for Facebook or other online sites and would presumably be just as safe. Another great benefit is that users will need to remember just one credential to log in to any participating online destination. If the online merchant, bank or other destination accepts Online Credentials, then they accept any credential a user has created.
The most influential benefit could be the promise of reduced identity theft. While I agree it makes for a great sound bite, we’d like to see some real-world evidence to substantiate that claim before passing judgment.
Let’s face it, do we really need the government overseeing this type of thing? While the private sector is likely to be taking the lead on this project, it’s hard to believe there won’t be problems with privacy and secondary motives. Part of the problem with passwords now is that users use the same one or even the same few for everything. When clients come to us in search of security or password solutions, they know they are making mistakes by recycling their passwords but find it difficult to remember multiple logins. Credentials, for now, appear to be much of the same. I have to wonder what happens when credentials get stolen or otherwise compromised by someone other than the credential holder.
Lastly, the strategy would seem to be pointing towards voluntary participation. While that is good to hear, I find it hard to believe that banks, merchants and other online destinations that choose to participate in the Online Credential program will offer multiple ways of accessing their sites. Meaning, users will ultimately be forced into participation in order to enjoy the same benefits they already have, such as online banking and shopping. It then makes perfect sense that if the Online Credential program takes off, there is sure to be a mandatory enrollment for users at some distant point in the future, à la SSN.
While this is one opinion, I think it’s important to raise questions to facilitate answers. We’d like to know what you think about Online Credentials and whether they can be of benefit or not. Leave us your opinions in the comments section.