Tuesday, February 1, 2011

Say Goodbye to All Those Passwords

The Commerce Dept. is backing a new security system for online identity checks that could be a boon for e-commerce

By James Sterngold

The convenience promised by the Internet often seems to evaporate when you log in every morning. First comes the user name and password needed to boot up your smartphone or computer. Next, a different password to access your e-mail. Want a book at Amazon.com (AMZN)? Another password (what was your first pet's name again?) and often your credit-card information and address. Buying boots at Zappos.com, reserving a plane ticket, or checking your bank balance after all that spending? Get ready with password after password.

The U.S. Commerce Dept. is spearheading a new online security system that experts say will eliminate the password maze and perhaps boost e-commerce. The plan calls for a single sign-in each time a computer or phone is turned on, using a device such as a digital token, a smartcard, or a fingerprint reader. Once logged in, users would have access to any website that has signed up for the program. "You are your password in this system," says John Clippinger, co-director of the Law Lab at Harvard's Berkman Center for Internet & Society and an advocate of the plan. "It will be far more efficient and you'll control it much more." Activities now done offline because of security or privacy concerns—evaluating medical records or refinancing a mortgage—might migrate to the Web following adoption of the new rules, called the National Strategy for Trusted Identities in Cyberspace, or NSTIC.

Passwords don't provide good security because most people choose character combinations that are easily hacked. A universal standard that requires some kind of device or a chip with encrypted data would keep consumer information safer while assuring companies they aren't being scammed, says Don Thibeau, chairman of the Open Identity Exchange, an industry group representing large tech companies such as Verizon (VZ), AT&T (T), Google (GOOG), PayPal (EBAY), and Symantec (SYMC). "NSTIC could go a long way toward advancing one of the fundamental challenges of the Internet today, which is, 'Who do you trust?' " Thibeau says. "This gives us the rules, the policies that we need to really move forward."

A security standard could also cut the size of Internet company help desks, says Bruce McConnell, a counselor for national protection at the Homeland Security Dept. "The highest cost element of help desks is dealing with lost passwords," he says. Another plus: A trusted online ID may encourage doctors to prescribe more drugs electronically, helping to save 3 million sheets of paper a year, McConnell says.

The federal government is developing the standards for the security and verification plan, but it will be voluntary, and companies that use the system will manage it. There will be no central database of user information, Commerce Dept. officials say, removing concerns over privacy. Instead, each company will maintain its own database of customers, and anyone logged in by one company would be considered safe by others using the system.

While companies have not yet said they will join the program, if the system allows them to adapt it easily for their purposes, usage could soar, says Brian Kissel, chairman of Janrain, a social networking consulting firm. "The pull will come from user demand," Kissel says. The government has promised to jump-start the plan by encouraging agencies to use it for everything from taxes and veterans benefits to reserving campsites at national parks. "Innovation is one of the key aspects here," says Ari Schwartz, an Internet policy adviser at Commerce. "There's so much that could be done if we could trust transactions more."

The bottom line: The government is backing a new online security system that could boost e-commerce by requiring a single sign-on for multiple websites.
