Who are you?
Who, who, who, who?
Who are you?
Who, who, who, who?
Who are you?
Who, who, who, who?
Who are you?
Who, who, who, who?
(refrain from “Who Are You?” by The Who)
Almost 16 years ago “The New Yorker” published the now iconic “On The Internet, No One Knows You’re a Dog” cartoon, which fueled security presentations for years and years. The only cartoon I can remember that had as much technology impact was the Doonesbury Apple Newton twerk that I referenced previously.
After that cartoon came out in 1993, every April or so there would be new announcements of Internet-wide identity/authentication technologies or standards. In the early days, these were called “digital wallets” and I think April was the magic month to have a lead time before the Christmas buying season. Or maybe it was just always an April Fool’s joke – none of them ever went anywhere, mainly because there was no real user pull. The pushers of digital wallets always claimed password fatigue was a big pull, but since most people just use the same password everywhere, to users the potential gain never exceeds the potential pain. The pull is always the sellers of stuff trying to reduce their costs – users see the risk of having all their identity eggs in one basket, and a basket that someone else will hold for them.
In 1999 Microsoft announced its stab at this, Passport, which hit all the usual lack of pull plus other problems based on Microsoft’s design and implementation. In 2000 or so, the Liberty Alliance jumped in with a competing version, hit the same headwinds and made limited progress. In 2002 I chaired an opening panel at the RSA conference on convergence of those two – pretty much went nowhere. By 2005 focus morphed to Identity 2.0 and OpenID, thoughtful approaches to the same problem that hit the same lack of user pull. In 2007, Gartner analysts Gregg Kreizman and Ray Wagner wrote in “Identity 2.0: Tomorrow’s Promise and Today’s Reality”:
Enterprises that require consumers to register and sign on with user IDs and passwords, would not be adversely affected by successful phishing attacks against their users and require little or no identity assurance can use OpenID to reduce registration time and provide users with reduced sign-ons.
Pretty much about the same as back in 1999, really.
In 2006, ANSI established the Identity Theft Prevention and Identity Management Standards Panel to promote standards around online authentication and ways to prevent identity theft. In 2008, they put out an inventory of all the various standards and issues around issuing, exchanging and maintaining identity information. Pretty much the same old issues remain.
I think this is destined to continue for a long, long time – maybe forever. Mainly because in the physical world we have always had anonymous commerce – we call it cash. And in the physical world, we have always had fraud with every form of commerce, especially those (like checks and credit cards) that substitute for cash. Yet, in the real world we never tried to tattoo a single identity onto everyone’s forehead. While there are some loose traditions for identity verification in the physical world (driver’s license, credit card) even those are ignored most of the time in the interest of maintaining ease of transactions. The level of fraud is kept within the acceptable range without impacting commerce – loss of business that is greater than fraud prevented is bad business. And business is business – online or in the real world.
John Pescatore