Our Identity Crisis
By Gregp on Dec 21, 2005
"To verify your identity, may I please have the last four digits of your 'Social'." I always know the question is coming, but it still causes me to cringe. Verify my identity by telling you four numbers that are in thousands of databases by now? You've got to be kidding, right? Oh, I know, how about something better: my mother's maiden name, the city I was born in, or the answer to my Secret Question?
None of these, it turns out (the Secret Question actually being the best), does much of anything to authenticate my identity. Yet, we --- meaning all of us making a living in the network economy --- propagate this state of mutual delusion. And thus we are leaving ourselves wide open to some very bad things happening.
The worst thing, by far, is a loss of trust. If people fear that their privacy is compromised, or worse, that their economic future is going to be destroyed, then at least three unshiny things will happen: growth will slow or reverse, companies will get sued for negligence, and governments will invent some very unpleasant regulations.
We, collectively, are messing this up. And we will get more front page stories like this one from last week's USA Today about how crazed methamphetamine addicts are "stealing identities" to feed their habits.
The tragic part is that we have plenty of technology to combat identity theft. What we don't have is the sense of urgency to come together to do meaningful deployments.
Before getting to what we can and should do, it's useful to get some basic concepts across. First, the problem of "Identity Theft" isn't a problem of stealing something; it's about impersonation. That is, it's an authentication problem. This is an important distinction because it should be possible for someone to know everything about me, but not impersonate me. Disgorging my personal data is a violation of my privacy, but it shouldn't enable someone else to pretend they are me.
To authenticate who I am is to verify one or more of the following factors: something only I should know (a secret like a passphrase, password or PIN), something only I should possess (a hard-to-forge ID such as a smartcard, or the SIM card buried in my GSM phone), and/or something only true of me physically (the pattern of my retina, my thumbprint, the rhythm of my signature). The more factors one uses, the higher (typically) the confidence that you are dealing with the person whose identity is being claimed.
The last four digits of my Social Security Number, or the city in which I was born, or my mother's maiden name, or for that matter the digits on my Visa card, fall into none of the above. None of them can be assumed secret. And it is really stupid for us to pretend that they are.
As a first step, we've got to get passwords under control. There are lots of vulnerabilities, from cracking to phishing. Email addresses are reasonable usernames because the DNS system helps support uniqueness (due to the domain name of the email site; presumably the email provider will prevent name collision). Passwords are a mess because each site with which you have a business relationship maintains and records your password. If you are like most people, you reuse passwords at multiple sites with the obvious vulnerability.
There are some real things we can do here. The Liberty Alliance has over 150 companies, non-profits and governments who have been cooperating for years on open standards for federated identities. What that lets us do is have a core set of trusted providers with whom we authenticate, and they perform the electronic introductions with all of the other companies whose sites we use. The essential aspect is that secret information, such as a passphrase, need only be shared with the few trusted providers that we choose (and is so much easier to maintain, of course). It is possible to do this now.
But this is only a first step. I think it is essential that we get to routine multifactor authentication, especially for high-value transactions. Smartcards are great, and so are mobile phones for the same reason --- they are reasonably difficult to clone. The key thing is that the smartcard, or the one buried in the phone, can hold an electronic secret that it never has to directly reveal; it only has to prove that it indeed has it.
Here's a simple proposal. Let's have a registration authority like the "Do Not Call" list called "Check That It's Me". I'll register my mobile phone number and a list of trip points such as opening a new account, extending credit, and changing my mailing address. If any of these trip, then the company providing the service (say, issuing a new credit card or mortgage) HAS to get approval from Check-That-Its-Me. That in turn, simply involves a call or text message to my mobile from Check-That-Its-Me, to which I respond. The net-net is that anyone trying to impersonate me to accomplish one of these transactions had better be in physical possession of my phone, too. That's a huge barrier.
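As an added illustration of the two ideas above (a secret the phone proves it holds without ever revealing it, and the Check-That-Its-Me approval on a trip point), the following Python is example code written for this post, not anything the author or the Liberty Alliance built; the class names, the trip-point list and the HMAC challenge-response mechanism are all assumptions.

```python
import hashlib
import hmac
import secrets

# Trip points from the proposal: transactions a provider may not complete
# until the registered phone has approved them.
TRIP_POINTS = {"open_account", "extend_credit", "change_address"}


class PhoneToken:
    """Stands in for the secret inside a phone's SIM (hypothetical): it
    answers challenges with an HMAC but never hands out the key itself."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class CheckThatItsMe:
    """Hypothetical registry: the single trusted party holding a copy of
    each enrolled phone's key, in the spirit of the post's trusted providers."""

    def __init__(self):
        self._keys = {}  # phone number -> key provisioned at enrollment

    def register(self, phone_number: str, key: bytes) -> None:
        self._keys[phone_number] = key

    def approve(self, phone_number: str, event: str, token: PhoneToken) -> bool:
        """True only if whoever holds the registered phone answers a fresh
        challenge correctly; no knowledge-based data is consulted at all."""
        if event not in TRIP_POINTS:
            return True  # not a trip point, so no out-of-band check
        key = self._keys.get(phone_number)
        if key is None:
            return False  # unregistered number: fail closed
        # Fresh random challenge: an old, captured response cannot be replayed.
        challenge = secrets.token_bytes(32)
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, token.respond(challenge))


def demo() -> tuple:
    """Legitimate phone approves; an impostor without the phone does not."""
    registry = CheckThatItsMe()
    alice_key = secrets.token_bytes(32)
    registry.register("555-0100", alice_key)  # constructed phone number
    impostor = PhoneToken(secrets.token_bytes(32))  # wrong key: no phone
    return (registry.approve("555-0100", "extend_credit", PhoneToken(alice_key)),
            registry.approve("555-0100", "extend_credit", impostor))
```

Knowing the victim's SSN digits, birthplace or mother's maiden name gives the impostor nothing here; only the key inside the registered phone can answer the challenge.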
Whatever the subsequent steps are, we have to get cracking. Let's all resolve for 2006 to ACT on identity management and federation. Tick Tock.