The future of logging in

By George Marangos-Gilks on May 28th, 2012

The underlying structure and logic of internet logins is disorganised, inefficient and confused. Users juggle a plethora of accounts which causes data overload and pushes most of us toward using the same user name and password combination. Duplicating core details creates a security problem and the ‘same same’ method doesn’t fit all sites: some require email addresses whereas others want user names, which may already be taken.

People are further infuriated when uppercase, numeric and minimum length requirements don’t fit their standard password. In the end, and despite our best attempts, we amass a catalogue of different logins that are anything but straightforward.

As an increasingly important area of our lives “logging in” is in need of reform. We need simple, quick and safe ways to connect and share information. Utopia would be a secure online passport that allowed users to log in to any third-party website at the click of a mouse. While many have chased this dream, only Facebook Connect is partially succeeding.

OpenID took the first stab, but has since been described as the most successful user authentication system failure on the internet. Successful, because they actually created a technology with the potential to unify every other login on the internet under a single umbrella. A failure, because their URL-based login system was too technologically complex for most consumers to grasp.

The hope was that existing account holders with internet giants such as Google or Yahoo! would upgrade their pre-existing accounts to a singular OpenID. Ironically for OpenID’s founders, the attraction of an industry standard is only ever attractive when it is already an industry standard. Instead of creating a new system for signing into web sites, Open ID represented yet another player in an already crowded market.

All that changed with Facebook, whose Connect button is rapidly becoming part of the fabric of the web by virtue of Facebook’s enormous user base. Which new tech start-up can resist the convenience of drawing in data from over 900 million customers from a produce they already use daily?

Of course, Google and Amazon will always maintain their own authentication systems, and corporations will always be reluctant to peg their own credibility to a network dogged by privacy scandals. Steve Kirsch, a serial Valley entrepreneur, realises an opportunity still exists. He hopes his new venture, OneID, which recently raised $7 million in a round led by Khosla Ventures, can fill the void.

Kirsch says he is putting security at the heart of a radically new identity verification system that does away almost entirely with passwords. He calls passwords vulnerable “shared secrets”, arguing that the whole logic system of pass phrases needs a rethink. He says the whole password model is rotten: they’re simple to crack, company databases can be hacked and phishing and malware breaches continue apace despite industry efforts to educate users about the importance of strong passwords.

His solution is public-key cryptography, an advanced technology that enables secure transactions on PayPal and Amazon. OneID’s innovation lies in its use of multiple devices for “person validation”.

Here’s how it works: Jeff uses OneID to connect to a third-party website from his laptop. A verification notification is then sent to a second device: for example, Jeff’s mobile phone. Jeff enters a PIN on his phone, confirming to the third-party website that Jeff is who he says he is.

Because Jeff’s OneID account can only be accessed from physical devices that Jeff has approved, his online identity cannot be guessed, phished, key-logged or spoofed. Furthermore, websites that have integrated OneID never know your passwords: they only ever store verification codes, which are useless to hackers.

An obvious concern for OneID is that multiple device verification is a slow process. Consumers want it fast and easy. But, says Kirsch, the benefits outweigh the mild inconvenience. OneID is a catch-all product with authentication, payment and security advantages. Two-click sign-in can streamline website connections for every Internet user. Companies could see user numbers and shopping cart conversions rise (remember, only 50% of shopping baskets get through check-out). Costs for IT support systems (lost passwords and in-house development) could fall, as might those associated with fraud.

But has Kirsch created a universal power socket, a product that works in theory but will never be widely adopted? Competition in the identity and login sector is heating up and the future might be too hot for OpenID to ever get traction. Facebook Connect has huge traction in the social authentication field while PayPal Access offers an option for third-party websites wanting to integrate convenient, quick and secure payment. As the internet big dogs continue to expand their services, consumers will likely converge around a small number of core online identities for different purposes.

The emergence of an information oligopoly that controls our interactions with third party websites could be cause for concern. After all, big firms are themselves vulnerable to attack: last year, a malicious group of hackers obtained the credit card details of 70 million PlayStation Network users.

Beyond the obvious likelihood of large-scale database breaches, concentrating power in private hands is no safer than gifting personal details to governments. Facebook Connect, for example, hands over a whole range of information to third-party websites that users often do not realise they are sharing.

Of course, it is ultimately against the interests of private sector data providers to betray the trust on which their customer bases are built. The good news here is that governments are taking proactive steps to regulate in the public interest. In the US, President Obama’s administration has created The National Strategy for Trusted Identities in Cyberspace (NSTIC).

The Strategy calls for “the development of interoperable technology standards and policies – an ‘Identity Ecosystem’ – where individuals, organizations, and underlying infrastructure – such as routers and servers – can be authoritatively authenticated.”

NSTIC requires companies to sign up to Fair Information Practice Principles (FIPPs) to ensure that data is used in a responsible manner. The framework holds that users should be informed about how their data is used. It also provides for checks and balances to hold service providers “accountable for following a standard set of best practices”.

NSTIC will be lead by the private sector to create “standards and policies” that aspire to “dramatically reduce identity theft online”. The need to firmly establish online identity is only intended for sensitive transactions. It remains to be seen if such advances are compatible with the anonymous browsing that has been responsible for so much of the vibrancy of internet culture. The more “secure” the web becomes, the less easy it will be to glide through unnoticed, undocumented and untracked.

While NSTIC touches fleetingly on the importance of anonymity it will find it very difficult to curtail or cut back the web’s most pervasive snoopers. Google knows pretty much everything about us and Facebook makes a note of every site you visit, even when you’re not signed in to Facebook. Many large web companies’ business models depends on tracking; governments will struggle to push back against such powerful economic and technological forces.

Our online identities will undoubtedly become more “secure”, after a fashion, in the future, but this may leave us vulnerable to new kinds of exploitation at the hands of large corporations. As consumers get better educated, the age of the petty internet fraudster – Nigerian 419 scammers and link farms – may be coming to a close. But the risk to personal privacy and security is now being posed by much more powerful, institutional forces.

A balance needs to be struck between targeted advertising, which might be permissible under certain circumstances and without which many of our favourite websites could not support themselves, and wholesale abuse of our private data, which must remain illegal and must be policed by legislatures who actually understand how the internet works.

Any future persistent identity login framework will need to navigate these boundaries very delicately. At present, it can feel as though the decisions about who logs us in to the websites we visit are being made for us. Perhaps it’s time for consumers to take a closer look at who is representing their identities as they surf the web for the latest funny videos and cheap flatscreen televisions.