Say all the websites across the internet got together and decided it was crazy to have to require people to sign up over and over again every time they go to a new site. Businesses lost potential revenue when the visitor discovered they had to sign up before they could do anything. Having all those different passwords sometimes encourages users to pick less secure passwords so they have an easier time remembering them. Whatever the reason, the sites decided to put forth the idea of a Universal ID.
The UID would be a singular account you own, hosted at a central location, overseen by a noncommercial third party. With the UID, you would no longer need to sign up at websites. Rather, you just go to one, choose to “subscribe” to it by clicking a button, and boom. You’re now a member of that site. And if you so choose, you can reveal to them whatever information (address, billing info, preferences, etc…) the site needs, as well as skip past certain annoying steps (captchas, verification emails, etc…).
One ID for everything everywhere. No muss, no fuss.
The downside to this is that any site you subscribe to is logged in your account history. It’s highly private and your subscriptions can be held anonymously, but there’s still a record out there – somewhere – with your history on it.
So. Would you give up a little privacy for a lot of convenience?
I agree with Adree. In fact, I agree so strongly, I’ll volunteer to be the trusted third party who oversees the information. Send your logins, passwords, and credit card details to [email protected].
Universal ID isn’t a bad idea, but the implementation is going to need some strong protection built in and backed by the force of law. Unless there’s legal protections, and fairly well enforced ones at that, I’m going to have some strong misgivings about how easily such information could be misused.
As far as I can tell, the choice is between having a bunch of places that know my sensitive credit information, or one place that knows my sensitive credit information. Given those options I’ll go for the one location.
In fact I have it right now. It’s my bank. I’d love for my bank to manage my digital identity if:
Websites would be able to validate me by my bank identity.
I could control the default information available to new websites (so that I could set the default of just allowing authorization, but no personal information or payments could be made to that site).
I could manage what each site could do (enabling some to be able to make charges, etc).
I could view all the activity from websites using my information.
I could delete/block sites entirely so they wouldn’t have any access to my identity.
The bank would warn about transactions from untrusted sources, sending an email and delaying transactions to these sites until you validate that you really want the money/information sent.
I honestly can’t believe anyone wouldn’t want something like this (and that the poll is against it). Why does anyone think having their information in dozens of different places is better?
I think it’s a great solution for generic non-important websites. Remembering a different password for every fucking site under the sun is a giant pain in the ass. Most people use the same login/password for every site anyway, which is worse than trusting a third party, since if any one website doesn’t hash your password client-side, they have all your info in their database and they can troll the net fucking with your e-persona.
An all in one ID would make it more valuable for hackers, thus more likely to be targeted. At least currently if one site gets hacked or one ID gets compromised the damage is minimal. But an all in one ID? Screw that. If my wallet gets stolen that means 10 different banks and companies I need to call. But if my unique Web ID gets compromised, that means, what, 50+ different Web sites I’d need to contact, with most of them not even having any customer service to speak of? No way in hell.
If this sort of thing comes to pass, I certainly wouldn’t use it on any site of consequence. Forums and news sites - maybe. But certainly not with my investment, banking or even PayPal account.
Besides, don’t security experts recommend you use different passwords with different sites anyway? Are you all that addled you can’t remember a handful of passwords for your own security?
I think you could still do those without the bank itself having to be the identity provider. Having my entire Internet identity tied to whether I do business with a particular bank or not would make me a bit uncomfortable.
The problem is that in order to be able to set policies on your banking account for how other sites can interact with it, it would have to be a truly universal system so that sites are identifying you to the bank the same way you do, and we’ve already got at least two systems mentioned so far in the wild. It becomes a lot more annoying if you have to register and manage a half-dozen different ‘universal’ ID systems with your bank.
(And as far as security goes, two-factor authentication on the universal ID should be an option, with individual sites like your bank able to force their own second-factor step. Then, at worst, compromising the ID and password lets somebody impersonate you on Qt3 but doesn’t let them get at your bank accounts.)
You are assuming that we would retain today’s security, just gather the passwords. With a digital identity there isn’t any reason to have passwords with the websites. You log in to one place. Then whenever you access a new site you say “I’m bob”, it asks the holder of your identity if you are really bob, they validate you and you are in.
You talk about risk of being hacked. From the bank side (assuming a bank is the holder of your digital identity), if a hacker can hack your bank account information, isn’t it game over anyway? But this isn’t the side you don’t trust (if so, start stashing money in your mattress now).
Hacking the website side, the credentials there would only be valid for that website, so stealing them wouldn’t do any good. That and there is very little to actually steal on the website side. They don’t have any reason to store your information.
If we move to real digital IDs we can enforce encryption, proof of identity, and all the digital security measures we need. We cannot do that today because at some point we need to drop to the purely analog system of you typing in your username/password.
Anyway, I wouldn’t assume that a universal ID is just a place to store passwords.
We don’t need a truly universal system, we need a common protocol all universal systems would comply to. Just like with email, it’s not that you and I have to use the same email system to send each other email, we just need systems that can talk to each other. That’s not so difficult to do. We may even have established protocols out there to do it (I don’t see why we couldn’t use LDAP with a common schema for all systems).
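As an added illustration of the flow this post describes (not code from anyone in the thread), here is a toy identity holder that answers a site’s “is this really bob?” question with a short-lived token bound to that one site, enforces the per-site policy from the wishlist above (authorization only by default, charges only where enabled, blocked sites refused) and keeps an activity log the user can review. The site names, scope names and the shared-key HMAC design are assumptions.

```python
import hashlib, hmac, json, secrets, time

class IdentityProvider:
    """Hypothetical identity holder (the 'bank' in the thread)."""
    def __init__(self):
        self.policies = {}   # user -> {site: set(scopes)}
        self.site_keys = {}  # site -> secret shared with that site at registration
        self.blocked = {}    # user -> set(sites)
        self.activity = []   # (user, site, scope, outcome) for the user to review

    def register_site(self, site):
        self.site_keys[site] = secrets.token_bytes(32)  # assumed: per-site shared key
        return self.site_keys[site]

    def set_policy(self, user, site, scopes):
        self.policies.setdefault(user, {})[site] = set(scopes)

    def block_site(self, user, site):
        self.blocked.setdefault(user, set()).add(site)

    def assert_identity(self, user, site, scope):
        """Answer the site's question with a token valid only for that site and scope."""
        allowed = self.policies.get(user, {}).get(site, {"auth"})  # default: auth only
        ok = (site in self.site_keys
              and site not in self.blocked.get(user, set())
              and scope in allowed)
        self.activity.append((user, site, scope, "granted" if ok else "denied"))
        if not ok:
            return None
        body = json.dumps({"sub": user, "aud": site, "scope": scope,
                           "exp": time.time() + 300, "nonce": secrets.token_hex(8)})
        tag = hmac.new(self.site_keys[site], body.encode(), hashlib.sha256).hexdigest()
        return body + "." + tag

def site_verify(site, site_key, token, scope):
    """Site-side check: MAC, audience, scope and expiry must all match, else reject."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(site_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(body)
    if claims["aud"] != site or claims["scope"] != scope or claims["exp"] < time.time():
        return None
    return claims["sub"]
```

A token lifted from the forum is useless at the shop, which is the website-side point made above: there is nothing reusable to steal.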
Except I’m willing to bet that most people use the same password for everything anyway. And there are many other things to worry about before hacking, such as trusting the site you give your password to.
Besides, don’t security experts recommend you use different passwords with different sites anyway? Are you all that addled you can’t remember a handful of passwords for your own security?
A handful? I started using Keepass, and I’m already at over 50. Remembering 50 simple passwords… with a mnemonic… maybe. But certainly not strong passwords.
Because they aren’t solving problems that don’t exist yet. Security measures tend to be reactive, they invent stronger security if the weaker security presented a problem.