There’s a problem brewing in social media and the online world that we haven’t addressed: authentication. This is a two-pronged problem that has serious consequences as more and more of our economy, identity, and personal/professional lives move online. The rise of the Internet paved the way for information to move online but social media has amplified both the positive outcomes and negative risks of having that data in a networked environment. Understandably, our main concern right now is privacy and the FTC’s giant report on the issue is a great step. But the next step is solving authentication in two different ways.
Passwords. Right now, passwords are a joke. Not the idea of them—of course it’s a good idea to keep accounts protected. But the protection itself is a joke. I bet you have a list of passwords somewhere. It’s almost a requirement these days given the number of sites that have completely different rules for setting passwords. Some sites require 6-character passwords. Others must be exactly 8. Others must be at least 8. Include a number. Include a special character. Don’t include this character. No spaces. Have spaces. The rules are arbitrary because some sites think they have the best solution for the most secure password ever and others don’t care in the least.
There’s a great xkcd cartoon about password strength. It’s right about how you can make stronger passwords that are easier to remember but it misses the point that your password doesn’t follow you, it follows your account. One site may not allow the same password (for spacing reasons) as another. Or the site may force you to change your password periodically.
The net result is that with all these sites trying to make our accounts more secure they have collectively made our accounts less secure. Now we all have a list somewhere (not very secure) or we reset our passwords a lot (also not secure). We need security to follow us, the user, not the account.
Identity. Protecting an account with a password lets the user access that account but it does nothing to verify that the person is who they claim to be. For many years on the Internet, this didn’t matter. You created a nickname and handle and just used that. Or an online service assigned you a long number and that was your name. But gradually the technology evolved until our current state of social media allows you to be an actual person.
But there’s no way to prove that. Twitter and Google and others have verification programs but they’re limited to celebrities or highly-trafficked accounts. And we’ve all seen plenty of spam accounts that look like real people but they’re stock photos and fictitious names.
In 1993, The New Yorker published a famous cartoon that gave rise to the phrase “On the Internet, nobody knows you’re a dog.” Nearly 20 years later and that’s still true. Think of the leaps and bounds we have made in terms of technology and information sharing and our virtual communities and it’s shocking that we are no more advanced in our online canine detection ability.
These two problems are collectively about authentication. And, no, sadly I do not have an answer. I’m sure there are dozens of companies who believe they have an answer to this but I’m not sure this is one the market can solve, nor perhaps should it be.
The government right now issues driver’s licenses and passports. It gives us social security numbers or national insurance numbers. And while those systems may not be perfect, they are highly sophisticated. Despite what you see in the movies, one cannot go to a rusty metal building to find someone who has a strange printer that can make authentic passports. Driver’s licenses and passports are constantly being upgraded to prevent fraud and be more secure.
There’s plenty of debate over what the government should or should not do, but I think providing a common platform for its citizens is a good thing. And in terms of providing a verified identity, the government is already doing this (to collect taxes…always a good idea to follow the money). The best a private company could do is mirror the functionality that the government already has done.
The government’s role in identifying people is probably insufficient for today’s online use—it does need some security beyond “don’t tell anyone your number unless they absolutely need it.” But if our governments could work with technology experts to combine security with identity then the authentication problem could have a very real, very workable solution.