Ars Technica has a great article this morning entitled "30 years of failure: the username/password combination".
One thing the article doesn't discuss is why we keep using passwords for authentication even though they are known to be a serious weakness. The first reason is that, as long as we don't count the cost of a security breach, passwords are free. The second is that while better authentication technologies exist, nobody seems interested in letting a single credential be used across multiple systems on the Internet. I should be able to carry one authentication device and use it everywhere; instead, whenever we go that route, every service issues its own token and we end up with a key-ring full of devices.
Perhaps it’s time for the open source community to step up to the plate?
Evolving Squid
Open Source offered PGP, but it never caught on as part of the whole “PKI never caught on” thing.
There are problems with a universal authentication system as well…
1. It creates a great risk for identity theft. If the authentication system is compromised, the ramifications are widespread. Throw in a bit of media misinformation and presto! You have a popular groundswell against it. That's essentially why we don't have things like cash cards here in Canada even though they've been widely used in Europe for over a decade.
2. It creates issues, I think, with privacy legislation in places like Canada. Who is going to validate your identity for issuing your ID token? Who is going to keep track of who’s who? What will that information be used for? What if it’s wrong? Who can subpoena the information and for what purpose? You should watch the movie “Gattaca” to see what I mean here. http://www.imdb.com/title/tt0119177/
3. There'd be a huge PR issue among religious yobbos (a universal ID = the mark of the beast... there are people fighting that battle over things like driver's licences right now), people who equate universal ID with the Nazi holocaust, weird paranoids who want to be totally anonymous but still live and interact on the planet, and so forth (however silly that position may be).
4. A universal ID means loss of competitive advantage in some areas… i.e. “we can’t lock you in to buying our stuff.” Open standards have not been a real cornucopia to the IT world.
I’m not sure we’re at a point, culturally, where a universal ID for the internet (or anywhere else) is likely to be acceptable.