Internet users are burdened by the need to select and remember user identities and passwords that are unique to each website worth visiting. Websites that receive your sensitive personal information are worth protecting with unique accounts or user IDs and strong passwords that will thwart thieves and hackers. Memorizing a long list of those user IDs and passwords can be difficult and error-prone, but thieves expend hard work and technical ingenuity to gain access to whatever we don’t properly protect.
To address that challenge, password management services, fingerprint scanners, and iris recognition are being used as substitutes for brute-force memorization of lengthy jumbles of letters, digits and special characters. In the charge card realm, a European advance called chip and PIN was chosen by Target to secure its customers’ accounts and begin the long process of rebuilding its reputation for privacy trustworthiness.
For a chip and PIN card, a three-part security transaction takes place. The card account is in plain view and is transmitted; the PIN is typed furtively on the card swipe keyboard and is transmitted; and a microchip embedded in the card “generates a different, single-use code to process every transaction you make.” The microchip transmission adds great security as an authenticator because it cannot be faked with technology available to the thieves. Unfortunately, it will take some time for all retailers accepting charge/credit and debit cards to install devices that process chip and PIN cards properly, and banks have been overly slow to consider adopting this superior technology.
The federal government is well aware of the identity and password problems we face. Indeed, when we transact business with federal departments and agencies, each expects that we offer a user ID that it sanctions and provide a password aligned with that user ID.
In a federal project called the National Strategy for Trusted Identities in Cyberspace (NSTIC), the government is collaborating with the private sector to devise a universal ID that can be used across private sector and federal websites. NIST and the Department of Commerce are eager to remind us that the ID would be used voluntarily. They are working on software, network, and device authentication standards necessary to provide a dramatic uptick in the Internet security experienced by universal ID users. An early trial is underway for those receiving federal benefits.
The project goes far beyond a PR campaign on selecting hard-to-guess user IDs and passwords. With a universal ID, passwords bear an oversized responsibility for maintaining security. The NSTIC project blithely dismisses that concern, saying, “a variety of credentials that could be used in lieu of passwords to enable more secure, convenient and privacy-enhancing transactions every place they go online.”
Perhaps NSTIC relies heavily on authentication at the device level to add security strength, as did the chip in chip and PIN cards.
The federal government has a strong interest in providing consumer conveniences such as a single ID, but government has a far more serious interest in thwarting commercial attacks such as Heartbleed and military attacks such as Ouroboros. The NSTIC descriptions do not mention how those in-dwelling infections may be thwarted by a universal Internet ID. Nor does NSTIC dispel the thought that a universal ID would make life too easy for the NSA.
Alan Daley is a retired businessman who writes for The American Consumer Institute Center for Citizen Research.