A post relating to this item from Finextra:
27 April 2012 | 2703 views | 0
According to a recent MasterCard (NYSE: MA) survey, U.S. consumers identified "entering payment, billing and shipping information" as one of the main pain points of the online shopping experience, top...
I too would prefer to have a single common method of identifying myself online: a single common avatar that I use across all sites, with a single common (complex and strong) method of authenticating myself.
But as the editor of a UK technology magazine has just discovered (@bazzacollins), illicit access through that common identifier can have widespread consequences.
He was trialling Hotmail for two weeks rather than GMail. Unfortunately, his account got broken in to and spam mail started flooding out. OK, embarrassing but nothing more than that, surely?
Well, Microsoft use a single sign on system (a form of
federated identity) across more and more of their products (your Windows Live ID). So gaining access to Hotmail potentially opened up everything else. With Windows now requiring you to sign in using your Live ID, everything on your PC could potentially
be at risk.
We see this federated identify principle spreading across the web - how many sites can you now sign in to using your Facebook ID, your Google ID, your Twitter handle and more?
If a bank or payment service wanted to allow you to use a federated ID, which would they pick, which would they trust, and as importantly, which would you trust? Are federated identity services secure enough yet for controlling access to your banking relationships?
What else can be done for you to prove that it is really you?
Unfortunately there is a balance to be made between security and usability. As we go more and more mobile, how many of us want to be carrying around multiple methods of identification (from printed code grids, to one-time passcode tokens)? We could start
using other methods of supplementing authentication - for example using our physical location to enhance a cardholder present transaction, but what other options are there?
I'm not sure we're set for a true common identity yet, ideal as it may be. Then there's the issue of who looks after all that data, and who can get access to it - and that could be an entire post in itself.