[BackChannel] Prediction for 2013: Keep an Eye on Identity
BY Gadi Ben-Yehuda | Friday, December 14 2012
BackChannel is an ongoing series of guest posts from practitioners and close observers at the intersection of technology and politics that, taken in aggregate, form a running conversation about the future of campaigns and government.
Gadi Ben-Yehuda is Director of Innovation and Social Media for the IBM Center for The Business of Government.
In 2013, I’ll be keeping my eye on Identity; it’s going to be a big story.
Identity management is so intrinsically uninteresting that in the time it takes to say “identity management,” people may fall asleep—even though they are directly affected by it. And it’s a pretty safe bet to say that, because anyone who uses multiple computers (or a computer, a tablet, and their smartphone), online banking, a cloud-based email account, a credit card site, online retailers like Amazon, and/or a social networking site relies on some kind of identity management system. And right now, those systems are a mess.
The identity management system that most people encounter on most of the sites they visit is a straightforward login/password page. Some organizations require strong passwords—some so strong they were spoofed in this McSweeney’s article from 2007. The problem is that people are not always so good at remembering strong passwords, so they end up either writing them down or constantly forgetting them. And I wouldn’t be the first person (or the second or the third) to argue that passwords are not enough.
Further, identity isn’t just something that should be getting us into our email accounts. There is so much more that a robust identity management system could streamline. How many times—at a doctor’s or dentist’s office, when registering for a new school, or buying a plane ticket—are we asked for information that is a part of our identity? Where we live, how old we are, primary email address, company name and our role?
Though many browsers now come with AutoFill functions, how many of us feel comfortable sharing our social security numbers, credit card details, or other sensitive information with a browser? And for those of us using multiple computers—one at work, one at home, a tablet, and a smartphone—do we fill out the same information on each system? The promise of persistent computing was that we could work seamlessly across many types of computers, but poor identity management thwarts that goal.
This is where we are: bad identity management can lead to catastrophic damage (think, losing hundreds of thousands of dollars, digital pictures and correspondence, and/or credit rating), while good identity management can reap huge rewards in recovered productivity (because time recovered from filling out forms can be rerouted into getting actual work done!).
The good news is that there are two fronts open in the battle for better identity management. The first is an offensive against the wasted time of filling out information over and over again. Companies like LastPass, Personal, and RoboForm offer applications that users can install on multiple machines and that will store login and password information as well as all types of other identifying information: home address, credit card numbers, etc.
Offerings from these companies are helping here and now, and it’s safe to say that more people will be using these services, or ones like them, in 2013 and beyond.
But the more important action has been on a slow burn for at least a decade, has heated up in the last four years, and is going to begin to boil in 2013: the activities of the National Strategy for Trusted Identities in Cyberspace, or "NSTIC," and its constituent organizations to create a standard for identity management across platforms.
When I spoke with Dan Chenok, who has been involved with NSTIC since its inception and serves as the Interim Chair of its Policy Coordinating Committee, he used this metaphor to explain why a standards-based identity management system was the best approach. (Full disclosure: Dan is also the Executive Director of the IBM Center for The Business of Government, where I work.)
Imagine that you go to a market and you’re at the cash register. You can pay with cash, or with any number of credit cards; MasterCard, Visa, Discover, AmEx, or a debit card. You might have half a dozen different kinds of payment options in your wallet, or you could have only one, but it’s up to you. All of these payment methods are based on the same set of standards, and each can add to the basic requirement of paying for your purchase with different incentives at different costs. But the bottom line is, each one can be used to buy a pack of gum or a steak dinner.
The same thing should be true with identity. Whether you’re logging into your online banking or your social network or the DMV for your state, there should be a set of requirements that checks your identity while at the same time preserving your privacy. This is one of the seven requirements that NSTIC set for a standard identity management scheme. In total, those seven requirements are that the standards must be:
- Privacy-enhancing: users relinquish as little privacy as possible when they opt into the system
- Voluntary: users must not be required to opt into the system to manage their identity
- Secure: identity administrators must fortify the system against breaches
- Resilient: in the event of a breach, administrators must be able to recover quickly
- Easy to use: users should not have to have a password like this: J8JΒΝzγΨfΛδ@6%vΤfShr57w/
- Interoperable: the system should work on a tablet, a phone, or a computer running any major operating system and should work for any online tool that requires a login
- Cost-effective: the system must not impose undue financial strain on businesses or consumers that use it
Mr. Chenok is quick to point out, however, that though the benefits of a standards-based identity management system are easy to grasp, there are still three major impediments to its adoption. The first is, ironically, convenience. Most people know how to navigate their current identity schemes, even if they are ungainly; switching would be a chore, at least initially. Second is culture. Every company and organization has its own way of dealing with identity, and most institutions would have to change their methods, at least a little. And riding on that is the third, and perhaps strongest, barrier: cost. Mr. Chenok estimates that the cost of switching to a new identity management scheme will be significant, though the accrued benefits would likely far outweigh those initial costs.
Ultimately, though, both he and I are bullish that NSTIC will succeed in drafting standards that meet the committee’s requirements and overcome these three barriers. The first to fall will likely be convenience as the current system begins to fail more often—meaning more breaches and greater hassle for users. The second, then, will be culture, as people become more accustomed to new ways to manage their identity. And the last to be surmounted will be cost, as it will become more expensive for companies not to comply than it will for them to adopt a new system.
There may not be an end-state in identity management, even as there is no “end-state” in developing an operating system for computers. We may simply experience upgrades throughout our entire lives. But I believe that we are on the cusp of a significant transformation in how we manage our identity both online and off, and I think that by this time next year, we will see the contours of the next version of identity management, and perhaps will have even begun to implement and benefit from some of the changes.