The federal government’s idea for simplifying our online lives, especially with respect to e-commerce, is getting some traction in the popular online press (see link below). The attraction of a national single sign-on scheme, operated by a trusted third party, is an intuitively compelling notion. I mean, isn’t it obvious? Just move the welter of passwords that plague us today to a service that trusts me and vouches for me to the online sites I visit. What could be more logical?
Unfortunately, that’s about as far as it goes. Beneath the first layer of simplicity lies a morass of complication, and not just technical details. Contractual and liability concerns abound. Building online trust is hard. While the simplest use case of anonymous access to a site, or even subscriber access to a news site, seems simple enough (and it isn’t), e-commerce transactions require a far higher level of surety and security.
Identity ecosystem proponents argue that consumer demand will drive merchants to accept this new form of identity verification. Consumer convenience, as it so often does, is predicted to overwhelm the reticence of merchants and other entities concerned with online security. That’s a big assumption, because these schemes have to convince a very experienced and highly skeptical audience - the fraud and risk managers of online retailers, who are, in fact, a major target beneficiary of the NSTIC (the National Strategy for Trusted Identities in Cyberspace) or any other federated identity plan. Based on Mercator’s research in collaboration with the Merchant Risk Council, that will be a tall order (see our report Trekking to Find the Holy Grail: E-Commerce Identity and Authentication).
Even the track record of simplifying assumptions in authentication is not encouraging. OpenID, a single sign-on scheme, has not translated into wide adoption. Indeed, for the site operator, OpenID implementation has proven difficult. Recently, 37signals (a respected Web 2.0 SaaS developer) announced it is phasing out OpenID support in favor of a proprietary scheme serving its own online properties. When the web cognoscenti turn up their noses at a technology, that is not a good sign.
Given its ubiquity, some are saying Facebook will become the single sign-on provider. Based on its track record with privacy controls, that should give everyone pause. Scares me to death.
This blog post is not a defense of the weak user ID and password schemes employed today. There are better ways. At Mercator, we are examining online and mobile authentication schemes. An upcoming report will look at the potential for smartphone-based authentication methods. For higher-value use cases, that seems to be a particularly compelling route.
To read the Mercator and Merchant Risk Council report on the NSTIC and Identity Ecosystem notion, here’s the link: http://www.mercatoradvisorygroup.com/images/MRC%20WHITEPAPER.pdf