Thursday, March 04, 2010

Your digital wallet and the Open Identity Exchange (OIX)

The US government has put its weight behind a new framework for certifying online identity management providers, so that they can be trusted to assign individuals digital identities that can be used to access a range of websites and transfer personal information. According to Finextra:
Google, PayPal, Equifax, VeriSign, Verizon, CA, and Booz Allen Hamilton have announced the formation of the Open Identity Exchange (OIX), a non-profit organisation dedicated to building trust in the exchange of online identity credentials across public and private sectors.
[...]
Google, Paypal, and Equifax are the first three identity providers certified by OIX to issue digital identity credentials that will be accepted for privacy-protected registration and login at US government websites. Verizon is currently in the certification process and is expected to be completed shortly.
This sounds like a great step forward, when you could use a single login like your Gmail username and password to login to government websites that previously required separate registration, and then share with the website chosen information from your digital identity, for example your address, social security number, passport number, etc, with a single simple click. If you trust the company that holds your information to keep it secure and not misuse it, then this approach leads to far greater security than you as an individual going to a website and typing the data yet another time into a form, since the transfer of information is completely encrypted and transferred directly from the trusted organization holding it.

Unfortunately, the first use by the National Institutes of Health seems a little lightweight, compared to the eventual goal. The Finextra article goes on to say:
The National Institutes of Health (NIH) is the first government Website accepting these credentials, including OpenID and Information Card logins. Citizens can use open identity technologies to support a number of online services across Websites, including customised library searches, access to training resources, conference registration, and medical research wikis.
Really, they are just using one of the authentication providers to allow you to login, without the usual registration process: fill in your details, wait for the email, click the link to confirm it is you, login to the website. Many people will have seen a similar approach with Facebook Connect, which allows you to log in to a lot of sites you may never have used before. Admittedly, I probably wouldn't eventually trust Facebook with my social security number and credit card details, but that is where things are heading if you look at the amount of other information they have about people.

The power starts to show itself when we may eventually get access to more security concious government systems such as IRS tax payment, without having to register, wait for the letter to arrive in snail-mail, follow the instructions for completing registration. A pre-confirmed digital identity means that the IRS could already trust that I live where I say I live, and would not need to deliver me validation details by the US Postal Service to confirm it. I could use the system pretty much immediately after logging in.

What is worth extra investigation is how much thought from current financial services regulation, such as the supervisory controls from the SEC and NASD around validating a change of address, have been incorporated into the OIX framework. It is the controls such as these that will limit the ability for someone inside a trusted identity provider from changing your details temporarily without your knowledge, performing some dubious action elsewhere, then changing your details back to their original values, so you never know the difference. If that type of control is built into the framework, and the certification of vendors is transparent, why should I not trust these companies. Google knows more about me than I know about me anyway!

A post from the Improving It blog

Let us help you improve your business today. Visit www.consected.com

No comments: