We all wanted the sun to come out and the potential for Seasonal Affective Disorder (SAD) to go away. We got what we asked for. Instead of what we thought was unbearable chill and drizzle, we now have something that truly is unbearable — a heat index of 100 degrees. All things considered, we are very lucky. The authentication working group met at the Center for Strategic and International Studies on Monday. I wish I could report that all is well and that we made great progress in moving the ball forward in the quest for digital IDs, authentication, PKI (public key infrastructure) and all the attendant benefits.
The meeting was well attended — roughly 40 people. The group was widely diverse, including the Government Services Administration, the U.S. Treasury Department, Office of Management and Budget, IBM, Oracle, Microsoft, Verisign, organizations representing the mortgage industry and banks, and various consultants and technology firms. There was a lot of expertise in the room. That was the problem — there are too many smart people and they all have opinions and constituencies. Getting all the views on the table is a bit like boiling the ocean. People want everything to interoperate with everything and represent all the people — and all the devices — of the world. The action plan was to invite more people to attend subsequent meetings, split the group into two parts and then create some principles to lead to a consensus on how to create a framework for an approach that could lead to the inclusion of all the views and then strive for some principles to …. Yikes! In fairness, authentication involves a really profound and complex set of issues. (If you want to read the background paper from the CSIS, click here. Warning: this is not a five-minute read). Also, in fairness, I have to say that Jim Lewis, Director, Technology and Public Policy Program at CSIS, is doing a great job. He has the impossible task of including all the relevant parties and developing consensus on what to do. Like herding cats.
I offered a simple idea at the end — why don’t we simplify things? Why not create a prototype in one city, say Philadelphia, that could include one thousand consumers, one state and one federal government agency, two banks, an insurance company, a hospital and a university. By making the domain smaller it may be possible to get something working and be able to study it, make a case study of it, and most importantly, iterate in baby steps on it to try to achieve the goals of all the participants. Think big, but no grand plan. A small plan and then iterate like crazy. When you think about the incredible power of the Internet, the World Wide Web, WiFi, and blogging, you realize that none of these came about from a grand plan. Authentication and digital IDs can actually work. There are many examples.
A recent cruise served as a lesson for me on how digital IDs can be successfully deployed and used. Prior to boarding the ship, each person had to show a cruise ticket plus either a passport or driver’s license. One of these documents served as the basic authentication for each person and was followed by the issuance of a “boarding pass” – a plastic credit card with passenger name and folio number on the face and a magnetic stripe on the back containing identifying information. Upon boarding the ship each passenger had to insert their card in a reader and then look at a camera which captured a facial picture. When the ship reached the first port, passengers were given the opportunity to go ashore. To get off of the ship, each passenger inserted their card in a reader and went ashore. Upon re-boarding, the passenger inserted their card in the reader again and their picture would be instantly retrieved and displayed on a monitor for the security person. At any point in time, the ship’s officers knew exactly how many people were on the ship and how many were not. If all had not re-boarded in time for a continuation of the cruise, the ship’s officers would know exactly who it was that was missing — and what they looked like. On one shore visit, I lost my card. When I explained the loss upon re-boarding, the security officer asked me for my stateroom number and name. After I told him, he keyed the information into their system and my face instantly appeared on the screen. After this re-authentication, my lost card was “deactivated” and a new card was issued.
The example is real but admittedly in a closed environment with no interoperability requirements. However, could the principles of what the ship did be extended to the Philadelphia prototype for a handful of applications? And then it could be extended by adding more applications, more consumers, more institutions of various kinds, etc. etc. Think big, start simple, grow fast.
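The ship's flow, written out as an added toy model (this is not code from the post, from CSIS, or from any cruise line): enrollment issues a card and stores the photo, disembark and re-board flip a per-passenger aboard flag, the manifest can say at any moment who is ashore, and a lost card is handled by re-authenticating on stateroom number plus name, deactivating every card on that folio and issuing a fresh one. The security point it makes explicit is that a deactivated card is refused at the reader afterwards, and that the reader hands the officer the stored photo for a visual match rather than trusting the card alone. Passenger names, stateroom numbers, card serials and the `photo:` strings are constructed sample data; the pier-side document check and the camera are assumed to happen outside the model.

```python
"""Toy model of a card-plus-photo re-boarding system (added illustration)."""
from dataclasses import dataclass
from itertools import count


class CardError(Exception):
    """Raised when a card is unknown, deactivated, or used out of sequence."""


@dataclass
class Passenger:
    folio: int
    name: str
    stateroom: str
    photo: str          # stands in for the facial image captured at first boarding
    aboard: bool = False


class ShipManifest:
    """Tracks who is aboard, who is ashore, and which boarding cards are live."""

    def __init__(self):
        self.passengers = {}            # folio -> Passenger
        self.cards = {}                 # card serial -> folio
        self.revoked = set()            # card serials that were reported lost
        self._folios = count(1)
        self._card_ids = count(5000)    # constructed: magstripe card serials

    def _issue_card(self, folio):
        card_id = next(self._card_ids)
        self.cards[card_id] = folio
        return card_id

    def enroll(self, name, stateroom, photo):
        """Passport/licence check at the pier is assumed done; issue card, store photo."""
        p = Passenger(next(self._folios), name, stateroom, photo, aboard=True)
        self.passengers[p.folio] = p
        return self._issue_card(p.folio)

    def _lookup(self, card_id):
        # A deactivated card is refused even though its folio is still valid.
        if card_id in self.revoked:
            raise CardError(f"card {card_id} has been deactivated")
        if card_id not in self.cards:
            raise CardError(f"card {card_id} is not on the manifest")
        return self.passengers[self.cards[card_id]]

    def disembark(self, card_id):
        p = self._lookup(card_id)
        if not p.aboard:
            raise CardError(f"{p.name} is already ashore")
        p.aboard = False

    def reboard(self, card_id):
        """Return the stored photo so the officer can compare it with the person."""
        p = self._lookup(card_id)
        if p.aboard:
            raise CardError(f"{p.name} is already aboard")
        p.aboard = True
        return p.photo

    def counts(self):
        """(aboard, ashore) at this instant."""
        aboard = sum(p.aboard for p in self.passengers.values())
        return aboard, len(self.passengers) - aboard

    def missing(self):
        """Who has not re-boarded, and what they look like."""
        return [(p.name, p.photo) for p in self.passengers.values() if not p.aboard]

    def replace_lost_card(self, stateroom, name):
        """Re-authenticate on stateroom + name, deactivate that folio's cards, issue a new one."""
        matches = [p for p in self.passengers.values()
                   if p.stateroom == stateroom and p.name == name]
        if len(matches) != 1:
            raise CardError("stateroom and name did not identify exactly one passenger")
        p = matches[0]
        for card_id, folio in self.cards.items():
            if folio == p.folio:
                self.revoked.add(card_id)
        return p.photo, self._issue_card(p.folio)


def demo():
    """Walk through a port call including one lost card; returns final (aboard, ashore)."""
    ship = ShipManifest()
    alice = ship.enroll("Alice Example", "7123", "photo:alice")   # constructed
    bob = ship.enroll("Bob Example", "7124", "photo:bob")         # constructed
    ship.disembark(alice)
    ship.disembark(bob)
    ship.reboard(bob)
    _photo, new_alice = ship.replace_lost_card("7123", "Alice Example")
    try:
        ship.reboard(alice)          # the lost card no longer opens the gangway
    except CardError:
        pass
    ship.reboard(new_alice)
    return ship.counts()


if __name__ == "__main__":
    print(demo())
```

The revocation set is kept separately from the card table on purpose: the old serial stays known, so a later swipe of the lost card is logged as "deactivated" rather than "unknown", which is the distinction an officer at the gangway would want to see.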
- A paper called Internet Security – the glass is half full not half empty, which I wrote in 1999, that describes the role of authentication