The US government has put its weight behind a new framework for certifying online identity management providers, so that they can be
trusted to assign individuals digital identities that can be used to access a range of websites and transfer personal information. According to Finextra:
Google, PayPal, Equifax, VeriSign, Verizon, CA, and Booz Allen Hamilton have announced the formation of the Open Identity Exchange (OIX), a non-profit organisation dedicated to building trust in the exchange of online identity credentials across public and
Google, Paypal, and Equifax are the first three identity providers certified by OIX to issue digital identity credentials that will be accepted for privacy-protected registration and login at US government websites. Verizon is currently in the certification
process and is expected to be completed shortly.
This sounds like a great step forward, when you could use a single login like your Gmail username and password to login to government websites that previously required separate registration, and then share with the website chosen information from your digital
identity, for example your address, social security number, passport number, etc, with a single simple click. If you trust the company that holds your information to keep it secure and not misuse it, then this approach leads to far greater security than you
as an individual going to a website and typing the data yet another time into a form, since the transfer of information is completely encrypted and transferred directly from the trusted organization holding it.
Unfortunately, the first use by the National Institutes of Health seems a little lightweight, compared to the eventual goal. The Finextra article goes on to say:
The National Institutes of Health (NIH) is the first government Website accepting these credentials, including OpenID and Information Card logins. Citizens can use open identity technologies to support a number of online services across Websites, including
customised library searches, access to training resources, conference registration, and medical research wikis.
Really, they are just using one of the authentication providers to allow you to login, without the usual registration process: fill in your details, wait for the email, click the link to confirm it is you, login to the website. Many people will have seen
a similar approach with Facebook Connect, which allows you to log in to a lot of sites you may never have used before. Admittedly, I probably wouldn't eventually trust Facebook with my social security number and credit card details, but that is where things
are heading if you look at the amount of other information they have about people.
The power starts to show itself when we may eventually get access to more security concious commercial systems, such as a new online bank account and government systems such as IRS tax payment, without having to register, wait for the letter to arrive in
snail-mail, follow the instructions for completing registration. A pre-confirmed digital identity means that the bank or tax authority could already trust that I live where I say I live, and would not need to deliver me validation details by the regular mail
to confirm it. I could use the system pretty much immediately after logging in. For banking, I'm sure that EquiFax sees this as an opportunity to share a lot more risk information about you as well, creating the opportunity to allow virtually instant opening
of new accounts with finacial institutions that individuals have never had contact with before.
What is worth extra investigation is how much thought from current financial services regulation, such as the supervisory controls from the SEC and NASD around validating a change of address, have been incorporated into the OIX framework. It is the controls
such as these that will limit the ability for someone inside a trusted identity provider from changing your details temporarily without your knowledge, performing some dubious action elsewhere, then changing your details back to their original values, so you
never know the difference. If that type of control is built into the framework, and the certification of vendors is transparent, why should I not trust these companies. Google knows more about me than I know about me anyway!