One of the many hassles of the “multi-device per person” era we now find ourselves in, is the need to constantly log-in to each of our devices and password-protected web sites/online services multiple times a day. Jumping between devices generally makes the problem even worse because—for good reason—the process of logging into a particular site or service from one device does not automatically transfer to another (think lost phone).
Some people get so fed up with the process, they turn off basic password protections, but in our increasingly insecure digital world, that’s not a particularly wise move. Instead, what we need is an über log-in (no, not the car service) that serves as an overarching identification of ourselves and our digital credentials across devices, sites and services: a portable digital identity. The idea is that you log into a device and/or service that, in turn, can automate the process of logging into other sites/services from any of your devices.[pullquote]What we need is an über log-in (no, not the car service) that serves as an overarching identification of ourselves and our digital credentials across devices, sites and services: a portable digital identity.”[/pullquote]
Of course, to achieve that nirvana, there’s quite a few steps that have to be taken. Plus, the implications of a true portable digital identity go way beyond simple device and password log-in management.
First, a genuinely trustworthy way to establish your own identity is essential. Between multi-factor authentication schemes, biometric sensors, smartcards and other hardware-based security solutions, there are a number of technologies to help enable this now. Unfortunately, though they are improving, none of the ones I’ve tried work reliably 100% of the time.
Assuming that issue can be addressed, however, there are other concerns. Once your digital identity is established, you need to create a personal circle of trust—for all your devices and all your subscriptions/services/password-protected sites. This central repository of log-ins/credentials/password-protected sites needs to be encrypted and must offer a way for individuals to access and manage it. Ideally, the system could create complex passwords on your behalf and regularly change them across all your various services, ensuring the highest possible security.
Of course, there’s a risk there because if something were to happen to that password creation/management system, it may be impossible to get to all your accounts. In fact, concern over this issue could keep many people from even wanting to try a true digital identity service.
The security and trust factors would also be enormous issues. Needless to say, access to this type of centralized repository of personal information would be incredibly attractive to hackers and other digitally nefarious types. It’s also likely to raise questions about trust in technology and technology companies to a very different level. Let’s face it—there are some companies many people trust and others that many people don’t.
In fact, I wouldn’t be surprised to eventually see demands for some type of certification program for portable digital identities—and I also wouldn’t be surprised to see it eventually came from the government. Now, before you dive into political discussions, in essence, what I’m describing is the digital equivalent (but much more flexible version) of a US social security number or other government ID system. Plus, despite any concerns you may have regarding government oversight of such a system—and yes, there are many—do we have any sense that most tech corporations are truly more trustworthy than government? (Obviously, that’s dependent on where one lives in the world.)
Up until now, most discussions of digital identities have been more ethereal discussions about passwords and basic tracking of activities, but as Internet-based services become an increasingly essential part of nearly everyone’s lives, doesn’t it make sense to raise the discussion up several notches? At some point in the not-to-distant future we likely will all have some type of formal digital identity, so why not start the discussion now? But I digress…
Regardless of whether digital identity services have any tie to government or not—and for the record, I expect initial efforts will happen through tech companies, for better or worse—the possibilities for them go far beyond the simple convenience of maintaining passwords.
First, there’s enormous possibilities for online and mobile commerce. Future mobile devices are likely to carry our portable digital identity buried inside them. By leveraging some type of biometric sensor, whether that be simple fingerprint or more complex possibilities that could show up in connected wearables, the whole purchase process could be simultaneously sped up, simplified and made more secure through the adoption of digital identities. The trick here, of course, is to get all the various interested parties—banks, retailers, credit card companies, etc.,–to agree on a single (or at least manageable number of) standard(s). That won’t be easy and provides yet another reason why there may need to be a government-based or sponsored clearinghouse for this information and these standards.
Portable digital identities could also be critical for digital health and the modernization of medical records and patient care. Tying digital identities to online storage and other personal cloud-like services, such as iCloud, SkyDrive, GDrive, Dropbox, Box, etc., also ensures that all our data is available to us through whatever devices we tie to our digital identity. In fact, it wouldn’t surprise me if we saw these types of personal cloud services turn the equation around and serve as the home base for our portable digital identities. What better way to get people tied into a service than to truly bring all their critical information together in one place?
There’s a long way to go—and numerous bumps along the way—to reach the kind of full-fledged portable digital identity I’ve described, but I believe we’re starting to see some baby steps in this direction. At both Apple’s WWDC and Google’s I/O events, we saw each of these major platform providers start talking about the ability to move seamlessly between multiple devices you own and share information seamlessly across them. Though they start from more of a device and data perspective, underlying both of these is the basic sense of a digital identity that serves as the glue which ties the experience across devices together. I expect both these companies, as well as Microsoft, to build on those ideas and start to put together services that tie devices and information together into a form of a portable digital identity—and I think we’ll see them relatively soon.
The increased digitization of our lives and the things that we do in them raises a number of interesting questions, challenges and implications. Core to these is our own sense of digital identity. Understanding what form that identity will take and what path we take to determine it is certainly far from clear, at this point, but the journey is going to be fascinating to watch.
Like “The Graduate”, “one word – continuity”
It is trust, more than money, that makes the world go round. ~ Joseph Stiglitz
iBracelet = portable identity. As you outline in the article, a portable, seamless, secure identity is the foundation of so many jobs-to-be-done. If all the iBracelet did was prove/carry my identity and allow me to more easily and securely use my devices and services, I’d pay $99 right now. I suspect the iBracelet will do a good deal more than that though. And yes, it won’t be called iBracelet, but I do think it’ll be more of a bracelet and less of a watch.
One other thought, I’m not sure what we need is a new ID system, what we need is a ‘proof of ID’ system.
iPhone + Touch Id + iCloud Keychain already covers about 90 % of my online security. Of course Touch Id is mostly theoretical right now[1] but the writing is on the wall after the last WWDC. I just need the other 10 % to allow normal username/password pages instead of blocking autofill based on a misguided notion that it is more secure.
[1] Beta version of 1Password is already using Touch Id.
Yes, just saw the news of 1Password today and it appears to be very similar to some of the capabilities I was describing…
Imagine a wrist band like the one used at Disney World (see Tim Bajarin’s “Understanding Apple’s Wearable Strategy”) combined with fingerprint ID. This combination would be your digital identity, used to access each of your devices. This idea does not need a central repository of log-ins/credentials/password-protected sites. And if you lose your phone, no one can get access to it.
This concept does mean that you must not lose your wrist band (although if you did, it would be useless to anyone without your fingerprint). My answer to that requirement would be to never take the wrist band off unless you’re home. I suspect no digital identity system will not involve a cost of some kind.