Wednesday, 26.11.2025
Transforming Government since 2001
Pins and passwords. Some, regrettably, are probably more ingrained on the mind than rellies' birthdays. Others hang around like a bad tune, but just can't be found when you really need them. It's a safe bet that there will be no shortage of volunteers come the revolution against the tottering edifice of eight character codes (at least two numeric, please) that clutters the caches of our minds.

And a revolution is what it's going to take.

If you are facing difficulties keeping track of your digital identity, it is not entirely "your problem". The edifice is starting to show a few cracks.

Banks are starting to talk about the increasing costs of handling calls from people who have forgotten their log-ins or who lock themselves out of Internet banking or broking applications as they key in a few half-remembered combinations in ultimately doomed attempts at trial and error.

But what's the alternative?

Microchips implanted at birth to identify us is one suggestion that has – quite seriously – been privately favoured by a few terrorism-stunned US technology luminaries visiting New Zealand in recent years.

One long-touted concept is that people could be issued with smart cards or other devices capable of being plugged into a PC, containing digital certificates that could be used to authorise online transactions.

People would still need a pin or password to trigger the smart card to send its authentication code to the recipient, but they could select a single pin or password for all their dealings with banks, ISPs, government agencies and less security-conscious entities without much danger.

This is because no one could use a guessed or stolen password to impersonate someone else online unless they were also in possession of the smart card.

ASB Bank's commitment to RSA Security's two-factor authentication technology involves a different technique to do a similar job, sending an access code to a person's mobile once they have entered a pin to log on to Internet banking.

This does away with the need to have a smart card or other physical device for authentication, but ensures an impostor must have somehow nabbed your mobile phone as well as stolen or guessed your password in order to impersonate you online.

Potentially, a single smart card, or RSA intermediary for that matter, with a single pin or password, could be used to handle all of any individual's online authentication needs.

Kiwi entrepreneur David Lucas has recently focused entirely on trying to get a scheme off the ground whereby people would be issued with their own smart cards, which they would own and which they could use to control their digital identities in just such a manner.

Might this be a palatable way to introduce a form of voluntary national identity-cum-bank and loyalty card that could be used to express people's identity in both the physical and virtual worlds?

The single-mindedness with which Mr Lucas has pursued his vision, against the odds, is unusual in the world of commerce and it is tempting to dismiss his endeavours simply on this basis, but the idea will appeal to some.

It seems a shame that when the State Services Commission's E-Government Unit this year decided to carry out public consultations on how the Government should go about authenticating people's identity online, it kept a tight rein on its imagination.

It chose to ask small questions, such as whether people had a preference about which agency might manage the process of dispensing passwords to citizens.

That's a big deal if you are in the business of the bureaucracy, but a pretty trivial one otherwise.

Do people want something akin to a voluntary (or even compulsory) electronic national identity card that could also double as a driving licence and library card and be used to mediate all e-government transactions?

What if the Government could persuade banks and other private sector organisations to accept such a card as proof of identity, so a single electronic ID card could be used whenever people went online and so do away with the need for a plethora of pins and passwords?

Do people trust government agencies to keep information people provide secret from other departments with which they are not allowed to share it? Could more be done to assure people their privacy is not threatened by technological advances in online authentication?

If government departments are going to have more tools to share information about citizens between one another, does some form of institutionalised discretion need to be built into public sector processes which might see people given leave to do things which aren't within the rules, but which don't do too much harm and which they might now get away with?

If people are going to deal with the Government online using conventional password-based security, should they be expected to keep that password in their heads and bear the consequences if it is accidentally disclosed? If not, who should bear those consequences?

How many passwords and pins should people be expected to memorise?

The Government doesn't want to have a debate about anything that raises the spectre of a national identity card – voluntary or otherwise.

So by and large these are questions that the Government has so far been simply too afraid to ask the public. But they aren't going to go away.

Source: stuff