The U.S. Commerce Department is pushing a “National Strategy for Trusted Identities in Cyberspace” plan, wherein passwords would give way to a single login on phones and computers. These logins would rely on biometric card technology, or something similar. This sounds a lot like Apple’s NFC plans. Here’s why Apple’s idea is better.
The online password, we know, is a broken system. Gawker’s database hack alone demonstrates how weak a security system it is, along with countless pieces of research (although, of course, not everyone is as juicy a target as Gawker). And when you add in the hassle factor of remembering a string of passwords to tap in to every site as we increasingly live our lives online, the password system sure becomes a giant pain in the you know where. (Hence the rise of Facebook’s universal login–although that still relies on a password.) Some system that replaces all of this mess would be most welcome.
Enter the U.S. Commerce Department’s National Strategy for Trusted Identities in Cyberspace (NSTIC), which has been around in draft form for a while but is now getting serious government backing. As BusinessWeek notes in its piece about the idea, it’s a “new online security system that experts say will eliminate the password maze and perhaps boost e-commerce.” The article even quotes John Clippinger, co-director of Harvard’s Law Lab at the Berkman Center for Internet and Society and an “advocate” of the plan as saying it’ll “be far more efficient and you’ll control it a lot more.”
The trick behind the NSTIC is that there will be some form of universal login system that replaces the password every time you flick on a PC or power-up your smartphone. It would be unique to you, and it would establish your identity in a secure, encrypted way that could be shared with online services–meaning you’d never need to remember another online password. The idea is that some kind of physical token, like an RFID card, would be waved over a sensor, possibly combined with direct biometric markers like a fingerprint.
It would make logins much easier, says the Dept. of Commerce, it could push online more services that are don’t yet trust the Net (like medical records), and it could revolutionize online trading because it’d enable vendors to believe in the identity of their customers, while lessening the chances of fraud. One could even imagine an eventual reduction in the size of company help desks, as one of their biggest burdens is “dealing with lost passwords,” according to Homeland Security spokesman Bruce McConnell.
The government has promised to get things off to a running start by pushing agencies to adopt NSTIC for taxes, veterans benefits, and so on.
But all of this activity might be too late–and not good enough. Apple, along with a number of other companies, has long been exploring this kind of system, and Apple, seemingly above all others, has aggressively patented ideas in the field of NFC RFID tech. (That’s Near Field Communication and Radio Frequency Identification, for those keeping score at home.) The ideas include logins at computers, ATMs, and so on–and they could revolutionize payment systems in stores in ways we can only barely imagine. If Apple does put NFC into its next-gen iPhone and iPod Touch (leveraging its global database of millions of iTunes subscriber credit cards), it could possibly encourage a paradigm shift in payment tech, in the same way it’s transformed digital music and smartphones. An army of clone companies would follow.
This army, led by Apple, would innovate the no-password login, e-commerce, and online security systems in ways a government-regulated NSTIC likely never could.
Plus–there’s the personal privacy angle to think about. It’s a small political step (likely achieved as a sequence of baby steps, so you don’t notice the overall trend) from creating the NSTIC to mandating it for certain uses. How about a legally tightly defined way of identifying an online individual as a tool for suppressing piracy, say, or pornography or anonymous political dissent? You’d trust Apple with your online identity, because as a public company it has to answer to market pressures, and its database is private. Similarly, you fill Facebook with personal data along with about one tenth of the planet’s people–but would you happily tap such info into the FBI’s computers?
To read more news on this, and similar stuff, keep up with my updates by following me, Kit Eaton, on Twitter.