Unique Internet Identity Crisis!

If you are active on the internet (and who isn’t these days?), you would relate to my problem.
I have a Facebook id, a Twitter id, a Flickr profile, a YouTube channel, a Gmail address, a Hotmail address (yes, I still use one), a Goodreads account, a Dropbox account, a Blogspot id, two WordPress blogs, one Oracle forum id, one Java developer platform id, three online banking ids, two share trading consoles... You get the picture, right?

Juggling so many IDs and their passwords is a real pain in the neck. It’s like carrying a whole bunch of keys for all the locks you have, and often missing one or two. And to top that, every time they launch a new website or a service, I end up creating another ID, adding to my woes.

Every time I rush to create an ID that I would like to use, it is either taken or they need a special character or they don’t need it. So I have permutations and combinations of abhinandan, 1983 and underscores and dots as my ID.

The same goes for passwords: some need a special character, some allow only letters, some need at least 12 characters, some allow no more than 8.

Most of the time, I end up entering either the wrong ID or the password. The real nightmare is when they force me to change the password after a certain period of time.

This is what I call the ‘Unique Internet Identity Crisis’.

What we need is one ID and password for all the portals that we need to access. But, is it feasible? What are the challenges? Let’s look at the questions.

Q. If we have one username and password for all the portals, would it not jeopardize my online identity if I lose it?
A. How about losing the banking password of your bank account? The threat is real, but it is equivalent. Since we are talking about an absolutely unique ID/password combination here, we are talking about a high level of encryption and security measures.

Q. Like what?
A. Apart from the regular username/password that you key in, an RSA token can be used, which has a running algorithm that changes the number on the device every minute. That way, even if somebody hacks the stream that has your identity, they would not have the RSA dynamic key to it. For those who have not used the device, the concept is similar to the ICICI bank matrix card; the numbers are totally random and change dynamically.

Q. Why would two competing sites allow me the same login? Also, would they not get access to my data thus?
A. The Unique Internet ID shall not sit on any repository of the service provider at all. It shall be in a central repository under a regulatory body. When you open up a site and enter credentials, you shall be redirected to the repository, which will authenticate and send the token back to the service provider. Your service provider related details shall thus be safe with the service provider and your credentials shall be safe with the central authority.
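
The redirect-and-token exchange described above, as an added example that is not part of the original post. The class and function names, the provider names and the per-provider shared keys are assumptions made for illustration; the post does not specify a token format.

```python
import base64
import hashlib
import hmac
import json

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class CentralRepository:
    """Hypothetical central authority: the only party that stores credentials."""
    def __init__(self):
        self.users = {}     # user id -> (salt, password hash)
        self.sp_keys = {}   # provider name -> key shared with that provider only

    def enroll(self, user_id: str, password: str, salt: bytes) -> None:
        self.users[user_id] = (salt, _hash(password, salt))

    def login(self, user_id, password, audience, now, ttl=120):
        """Check the credentials; return a short-lived token for one provider."""
        salt, stored = self.users.get(user_id, (b"\0" * 16, b""))
        ok = hmac.compare_digest(_hash(password, salt), stored)
        if not ok or audience not in self.sp_keys:
            return None
        claims = {"sub": user_id, "aud": audience, "exp": now + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode())
        sig = hmac.new(self.sp_keys[audience], body, hashlib.sha256).hexdigest()
        return body.decode() + "." + sig

def provider_accepts(token: str, name: str, key: bytes, now: float):
    """Service-provider side: return the user id, or None if the token is rejected."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None               # altered, forged, or issued under another key
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    if claims.get("aud") != name or claims.get("exp", 0) < now:
        return None                   # meant for another site, or expired
    return claims.get("sub")
```

The token carries only the user id, the intended provider and an expiry, so a provider never sees the password, and a token issued for one site is rejected by a competing site.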

Q. Is it similar to the Facebook login many sites are using these days?
A. Yes and no. The behaviour would be similar. Don’t you find that convenient? What would set it apart is that the central repository would not share data with the service provider. This is to ensure that no injection or extraction is attempted by a service provider. When you use the Facebook plugin, your information flows to the website and vice versa.

Q. Hmm. But who could be the central repository?
A. The World Wide Web Consortium (W3C) is a suitable candidate. It only makes sense that, if they control how the web should behave, they take up the responsibility of handling such a crisis. It would not be possible to implement it without the support of the corporates for the research and POCs. Also, the RSA tokens and services mean additional costs. I don’t think any end user would mind paying a one-time fee of $25 for complete peace of mind.

Q. What if there is a hack attack on the central repository itself?
A. What if they put a gun to your head and ask you to withdraw cash? Well, I do not have all the answers now. And indeed it is a possibility. But do you really think that it is that easy to hack a secure port, especially when someone designs it for resistance to attacks? These are the questions to which the IT industry needs to come up with answers. I am sure we will have them. For example, one option is keeping the central servers in isolated, unrelated clusters, each holding only a part of the data, so that an attack does not permeate the entire data at once.

Q. You may still not get your abhinandan1983 id.
A. I actually would not care if it is ZXERY78542N as long as that is the only one I need to use across the websites. It is like the license number of a car. It may read odd to you, but to me, it’s my car.

Q. Any other benefits?
A. One single call to the central repository and you can prevent access to all your accounts centrally. For regulators, it would be easy to check usage patterns. Also, interesting analytics would come up. For business users and websites, it means fewer fake IDs and more serious potential customers. Win-Win?

The crisis is bigger than it seems now. But soon, we would start searching for a solution. The need is for a preemptive action, a proactive step. That is what separates the industry leaders from the followers.

  1. Shalabh
    May 11th, 2011 at 07:58 | #1

    Your thoughts are very good. Need to debate on pros and cons of it and maybe in future this will be a possibility. SSO functionality is currently being used by homogeneous (within same company) applications and if it's possible to do it hetero it will be a revolution.

    Proposition looks to be a possible business model…

  2. Vikas Katiyar
    May 11th, 2011 at 08:14 | #2

    Interesting Article.

  3. Farhan
    May 12th, 2011 at 04:26 | #3

    Interesting article, indeed.

    How about this…

    Using a same key for your car, your garage, your shop, your front door, your bedroom, your SAFE etc etc….though it is convenient but what about feasibility? Same goes with different type of websites and portals.

  4. Divya
    May 12th, 2011 at 06:07 | #4

    Yes, it's a very good idea, but can it also be implemented for your ICICI Bank, ICICI Direct and Citibank and n number of secured accounts as well, and also for some of the PDFs which are password protected?

  5. May 13th, 2011 at 01:17 | #5

    Excellent topic which addresses a problem which every one of us faces for sure.
    Not sure whether W3C will be up for being the central authority. What can be more feasible practically is that Domain Name registrars be the POC for users (public) for registering and maintaining the user IDs. The workflow can be based on the current workflow for registering a domain name.
    Coming back to the problem, a unique identity is much needed in today’s world, where we are operating on multiple websites for our day to day needs. The problem you highlighted with the passwords is frankly most irritating to me. At least for starters, some international body can enforce password policy which enforces a fixed number of characters for each and every site. I can’t think of any valid reason which the sites might come up with, against such a policy. At least, that way, we will be able to remember and use the same password across the sites.

  6. Abhinandan
    May 13th, 2011 at 04:22 | #6

    @Shalabh The idea of taking it forward as a possible business model is great. Shall appreciate if you point us to what your thoughts on it are and what all would be needed to mature it as a model.

  7. Abhinandan
    May 13th, 2011 at 04:25 | #7

    @Ankur The suggestion that you made about registering userid in a way similar to domain name is simply great. The only point I would like to add is that my userid should NOT expire as a domain does.
    Also, the point that at least the standardization of the password field should be put in place has some serious weight.

  8. Abhinandan
    May 13th, 2011 at 04:28 | #8

    Farhan :
    Using a same key for your car, your garage, your shop, your front door, your bedroom, your SAFE etc etc….though it is convenient but what about feasibility? Same goes with different type of websites and portals.

    @Farhan What if you have different keys to your car, home and safe on the same keychain and you lose that keychain?
    I understand that the threat of losing the same common password is high, but then again, if someone can break an algorithm that uses a static password that you type in and a dynamic password generated from the RSA key, they can very well break down all your individual accounts as well.
    Thoughts? Counterpoint?

  9. Abhinandan
    May 13th, 2011 at 04:30 | #9

    @Divya We sure can extend the concept to include your netbanking password. The password protected files are a different ballgame altogether. It would fall under DRM.

  10. himanshu seth
    May 13th, 2011 at 05:41 | #10

    this indeed is the major concern for every net ‘active’ person today. the number of new startups are equally good and are increasing by the second. i also think that the idea of having a common repository is the ONLY solution to this problem, but i srsly doubt the fact whether the existing brands like facebook, google , twitter etc ( yes i have categorised them as brands cuz they are much more than a mere website ! ) will agree to use something like that cuz they have invested a major part of their capital ( both monetary and human ) in getting this thing right and hence it is too much to ask of them ! in other words what will they do with their present resources dedicated to this domain ?

  11. Ankur Singla
    May 13th, 2011 at 14:00 | #11

    The idea of central repository and using the RSA tokens has much to talk about. As always, you are driving an intense discussion. Looking at it – What if W3C doesn’t come up to take the task of being a central repository? Though I am all in favour of putting this in place.

    If a user is ready to carry the token while stepping out, why not use the software available in the market (like Password Safe, KeePass, etc.) which allows you to safely and easily create a secured and encrypted user name/password list. And yes, you can always use your cell phone to store the package; it is as small as a normal polyphonic ringtone.

    Check this one: Namechk. Searching username availability across websites before actually creating it. It can query dozens of sites at one go and show you the results. I understand the headache of P&C’s but it is better doing it right there than for each website. There is a need to customize this to include all the websites, maybe the bank portals as well; all you need to do is to leave a suggestion on their official page and they will consider it based on the number of votes. I suggest trying this one, but remember “We shall have no better conditions in the future if we are satisfied with all those which we have at present”.

  12. Amit sehgal
    May 14th, 2011 at 05:41 | #12

    ONE PERSON ONE PASSWORD – This looks like a unique Business model! Sounds too good to be true!
    But why would all service providers on the Internet subscribe to one central depository system for authentication purposes?

  13. abhiram
    May 14th, 2011 at 06:03 | #13

    hi abhi,
    really its a gud idea..i am nt gud at internet and security stuff but i have something to ask..
    1. if we have centrally controlled thing for any website we log-in….then it may have factors like heavy traffic which may slow down the process..for example just like accessing results on univ website when they are published we hardly find its opening..
    2. and secondly if we talk about the disadvantages of this if u have separate access id to ur gmail, fb, yahoo then if any of ur acc gets hacked then other acc are still safe..but what if the central hub gets hacked?? all ur accounts are hacked in a single shot..
    i dont know how gud are my doubts but i just put them forward..
    besides this ur idea is really gud….good initiative… !! :)

  14. vandana
    May 26th, 2011 at 06:50 | #14

    Appreciate the topic and the idea, but I think there are more cons than what we have thought about. Like the ones the previous “comment”er has said!

  15. June 6th, 2011 at 05:52 | #15

    Very good thoughts Abhi, this is a real demand nowadays. People are accepting it and have already started working on this matter. For example, now you can access your Yahoo account with your Facebook and Gmail credentials. Similarly, using one set of credentials you can access all your Google products.

    This subject area opens a new market and business called third party authentication. I also agree there are some pros and cons but the future looks bright for this business.
