For a non-expert, I do a fair bit of ruminating about the relationships between identities, credentials, and avatars/facets. Today a bug related to Google's (covert) Identity Integration initiatives, a recent flurry of stories on the end times of password-based security, and the earth's orbit have got me chewing again.
I'll deal with the earth's orbit by making my solitary 2011 tech prediction. 2011 will be the year of two-factor authentication and the gradual realization that management of digital identities is too important to be left to Google, Amazon and especially Citicorp, Facebook, and AT&T/Verizon.
So if we can't rely on Google (or Facebook) or Citicorp to manage our digital identity, including claim resolution and identity control, who can we rely on? What are the other alternatives, assuming that almost none of us will run an identity service out of our homes?
Obviously, government is an option. The (US) Federal government, for example, makes a robust claim on my identity. That claim, however, is so robust I would prefer to separate my obligatory IRS identities from all other identity-related services. In any event, direct US government identity management is a political non-starter. The right wing will start ranting about beastly numbers and rationalists will fret about the day Bush/Cheney II takes power.
That leaves business entities with strong governmental relationships, extensive regulation, and a pre-existing legal framework that could be extended to support identity management.
An entity like, for example, the United States Postal Service (USPS).
You laugh. Ok, but consider the advantages:
- The USPS has been in the business of managing confidential transactions for centuries.
- There are post offices in every community that could support the person-present aspects of identity claims.
- It's a regulated quasi-governmental agency that already exists.
- The USPS manages passports.
- Much of the legal framework used to manage mail and address information could be extended to manage digital identities.
- The USPS is dying and is desperate for a new mission.
I admit, it sounds crazy.
Except ... I'm far from the first person to think of this. It was proposed by (cough, choke, gag) Michael Chertoff ...
... former Department of Homeland Security Secretary Michael Chertoff ... mused that the USPS was ideally situated to take part in the evolution of the government’s role in validating identity. He points out that the Post office is already the primary issuer of passports – an extremely important piece of personal identity. In the speech he expands on that model as follows: “one of the things I hope to see is, as the Post Office re-engineers itself over the next, you know, few years, they increasingly look at whether they can be in the business of servicing identity management. They can – because every town has a post office.” ...
DHS: Remarks by Homeland Security Secretary Michael Chertoff at University of Southern California National Center for Risk and Economic Analysis of Terrorism Events
I can't believe I find myself agreeing with Chertoff, but there you go. What a way to start 2011.
See also (Gordon's notes unless otherwise noted):
- The Buzz profile problem: I am Legion (2/2010)
- Trust and credential management: MyOpenID (9/2010)
- Google's two factor authentication and why you need four OpenID accounts 
- Gordon's Tech: Rogue Twitter/Google feedburner connection - first of the Great Google Identity Integration bugs (1/2011)
- Juggling identities: Udell, Cameron and Identity Woman (3/28/2008)
- Wanted: an identity management service. Business model included. (3/5/3008 - I suggest Denmark)
- Fraud technologies use persona cloning to attack social networks (11/2007)
- Gordon's Tech: After the Gmail hack - passwords and security (9/2010)
- Gordon's Tech: Yet another identity of mine: MyOpenID (12/2007, before I gave up on OpenID)
- Gordon's Tech: identity
- Gordon's Notes: Identity
- Gordon's Notes: Security
Incidentally, now that my kateva.org Google Apps users have Blogger privileges, and since Blogger is supposedly an OpenID provider, I'm thinking of implementing this using Blogger/Google Apps/Kateva.org.
Update 1/8/11: A few days after I wrote this, news emerged of a federal identity and certificate management initiative. Maybe I'm psychic.