Identity Management

The thought of disintegrating Internet services has led me to imagine an Internet drastically different from the one we have today—one in which the infrastructure of web applications could be decoupled from the applications themselves. The most obvious and most necessary service in need of disintegration is “identity management”. Both Google and Facebook have been providing some degree of identity management, and there has been a movement within IT to provide single sign-on for business applications. The topic is also tied to password security, which is fresh in the public mind due to the Heartbleed bug.

Right now, the way we manage our identities online is incoherent. We each maintain a series of parallel identities, one for each website or service, with no direct connection between them. I sign into my Dropbox account and I sign into my Gmail account, and there is not an actual link between the accounts. Though I might use the same username on both sites, the two accounts aren’t aware of each other. Though I might set them both to have the same password, if I change the password in one site, the password doesn’t change on the other.

This arrangement might seem perfectly fine, but several problems result from it. First, it means that you have to create and manage each account individually, either creating and remembering a different password for each site or reusing the same password across sites. The latter, reusing passwords, is the common choice, and it creates a more significant security risk than people realize. We would be better served by an identity management service that offers “single sign-on”: you authenticate once, perhaps by logging on to a single web page or a piece of software, and you are then, automatically and behind the scenes, logged on to all of the websites and services that you use.

This sort of arrangement has the potential to help with the password management problem, making our lives easier and improving security. However, the current single sign-on services are not standardized or comprehensive. There are multiple services offering different levels of integration and different methods of integration, usually dealing only with authentication. So while they might help with password management, they don’t help much beyond that.

If, instead of using single sign-on services to manage passwords, we were to replace passwords with public-key cryptography, we could use the same public-key infrastructure to authenticate for services like email and VPN connections. It would make it possible for someone to uniquely identify themselves, which could make spam email filtering much more effective and make it much more difficult to commit identity theft. The same private key could sign online purchases, and an application on your phone could provide payment information in lieu of a credit card for in-person purchases. The same app on your phone might provide dual-factor authentication for online interactions.

In an ideal identity management scheme, such an online identification scheme could even be backed by law, allowing people to easily provide an electronic signature for legally binding agreements. One day, a single security token verifying your electronic identity may take the place of a driver’s license, passport, checkbook, and credit card.

Such an “identity management” service would require extremely good security practices and would be placed into the middle of all authenticated electronic transactions, so the natural expansion of this kind of service would be to provide central security control and account management. By maintaining a list of websites that have accounts using your identity, the identity management provider would be in a position to monitor those accounts and deauthorize/delete those accounts if desired, or even manage whether one of your services can access data on one of the other services you use. It would become the bridge and gatekeeper between many of the online services that you use.

Now don’t mistake me—I’m not suggesting every electronic identity should need to be verified as the actual identity of a real-life person. I believe that the Internet thrives on anonymity, and people must be allowed to establish anonymous online pseudonyms. However, identity management providers could allow people to establish an anonymous identity that can be verified against itself without ever having a link to a real-life identity. That is to say, if I want to post on a public forum as “coolguy17” without enabling anyone to link it to my real name, any identity management scheme needs to allow for that. However, the ideal identity management scheme would allow me to optionally authenticate myself as that same “coolguy17” across all the Internet services that I use.
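The mechanism behind the two paragraphs above (authenticating to any service with a key pair instead of a password, signing a purchase with the same key, and a pseudonym such as “coolguy17” that is verifiable against itself without any link to a legal name) can be made concrete in a few dozen lines. The following is an added illustration, not code from the original post and not any real identity provider's protocol; the handle and site names are made up, and the message layout with a purpose prefix is my own choice. It uses Go's standard-library Ed25519 to do challenge-response login and order signing against relying parties that store only a public key per handle.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Identity is the user's side of the scheme: a pseudonym bound to an Ed25519
// key pair. The public key *is* the identity; nothing here links it to a legal name.
type Identity struct {
	Handle string
	Public ed25519.PublicKey
	priv   ed25519.PrivateKey
}

func NewIdentity(handle string) (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{Handle: handle, Public: pub, priv: priv}, nil
}

// message builds the bytes that get signed. The purpose and site prefixes are
// domain separation (an assumption of this example): a signature produced to log
// in to one site cannot be replayed as a login elsewhere or as a purchase authorization.
func message(purpose, site, handle, payload string) []byte {
	return []byte(purpose + "\x00" + site + "\x00" + handle + "\x00" + payload)
}

// Sign answers a login challenge or authorizes a transaction with the same key.
func (id *Identity) Sign(purpose, site, payload string) []byte {
	return ed25519.Sign(id.priv, message(purpose, site, id.Handle, payload))
}

// Site is one relying party. It stores handle -> public key and never sees
// a password or a private key.
type Site struct {
	Name       string
	registered map[string]ed25519.PublicKey
	challenges map[string]bool // outstanding login nonces, consumed on first use
}

func NewSite(name string) *Site {
	return &Site{Name: name, registered: map[string]ed25519.PublicKey{}, challenges: map[string]bool{}}
}

func (s *Site) Register(handle string, pub ed25519.PublicKey) { s.registered[handle] = pub }

// Challenge issues a fresh random nonce for one login attempt.
func (s *Site) Challenge() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(buf)
	s.challenges[nonce] = true
	return nonce, nil
}

// Login verifies a signed challenge. The nonce is single use, so a captured
// signature cannot be replayed later.
func (s *Site) Login(handle, nonce string, sig []byte) error {
	if !s.challenges[nonce] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, nonce)
	return s.verify("login", handle, nonce, sig)
}

// Authorize verifies a signed order description, e.g. a purchase.
func (s *Site) Authorize(handle, order string, sig []byte) error {
	return s.verify("purchase", handle, order, sig)
}

func (s *Site) verify(purpose, handle, payload string, sig []byte) error {
	pub, ok := s.registered[handle]
	if !ok {
		return errors.New("unknown handle")
	}
	if !ed25519.Verify(pub, message(purpose, s.Name, handle, payload), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	id, _ := NewIdentity("coolguy17") // constructed pseudonym
	forum, shop := NewSite("forum.example"), NewSite("shop.example")
	forum.Register(id.Handle, id.Public)
	shop.Register(id.Handle, id.Public)

	nonce, _ := forum.Challenge()
	sig := id.Sign("login", forum.Name, nonce)
	fmt.Println("forum login:", forum.Login(id.Handle, nonce, sig))
	fmt.Println("replayed login:", forum.Login(id.Handle, nonce, sig))
	fmt.Println("login sig as purchase:", shop.Authorize(id.Handle, nonce, sig))

	order := "order-1234: 1 x widget, 19.99"
	fmt.Println("purchase:", shop.Authorize(id.Handle, order, id.Sign("purchase", shop.Name, order)))
}
```

Two details carry the security argument. The site holds nothing a breach could turn into a reusable credential, which is what password reuse across sites makes possible today, and the nonce plus purpose prefix means that observing one signed login yields neither a later login nor a purchase authorization. The same `Identity` registered at both sites is the “coolguy17 across all my services” case; a second `Identity` created with the same handle would simply fail verification, because the handle is only a label and the key is the identity.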

I can anticipate some objections, but if this kind of “identity management” were to become a standard service on the Internet, at a minimum it would solve many serious security problems that IT departments face every day. Password management would become a thing of the past. Web developers wouldn’t need to individually maintain their own authentication schemes. Message signing and encryption could be enabled without additional complexity. If email signatures were to become commonplace, spam filtering would become much easier.

More than that, it would lay the groundwork for the Internet to be reimagined as a single system instead of an overwhelming collection of disparate systems. Instead of looking at “sites” as independent entities, each one could begin to be treated more as a collection of resources to be utilized within the larger system.