Radovan Semančík's Weblog

Tuesday, 22 April 2008

Dear Americans.

It looks like you somehow neglected even the most basic security best practice in your business lives. You are using SSNs and mothers' maiden names as (presumably secret) authentication credentials. You are using them for credit applications, opening bank accounts and all sorts of other activities that can affect your financial situation and/or reputation.

When you are creating a free e-mail or social network account, would you put your SSN or mother's maiden name as the password? You would not! Why? Because it is so trivial to find this information out for anyone with a bit of motivation to do so. Yet your companies use these publicly available data to authenticate customers. And you still wonder why identity theft is flourishing?

Your very own Whitfield Diffie made it clear: "A secret that cannot be readily changed should be regarded as a vulnerability". Can you readily change your SSN or mother's maiden name?

You still fight against any kind of authentication mechanism that might make your life easier. Is a password the best security mechanism you can imagine? I do not know of any bank in Slovakia that does not have two-factor authentication for Internet banking access. I do not know of any organization here that would give you any sensitive personal data while you present only a name and SSN. You cannot get a loan of any substantial value in Slovakia without showing up personally and presenting a valid ID card. I think that having an ID card protecting my money and reputation is a feature, not a loss of any of my liberties. Yes, theft is still possible, as the authentication credentials or ID card can be stolen and modified or forged entirely. But that is not an easy process and the theft is therefore quite limited.

You still talk about the lack of privacy and the rise of identity theft, but you are failing to introduce any effective legislation. We have the EU directive on personal data protection, which regulates the collection and especially the use of personal information. The directive is far from perfect, but even in its current form it is better than what you have - almost nothing. On the other hand, you do what you can to make identity theft easier: you allow anyone to get a credit report on anyone else (by paying some small amount of money), you make the databases containing personal data public. You even have (legal) businesses built on the concept of harvesting that data for anyone to easily use (if he can pay for it).

Technology will not solve these problems. No amount of OpenID, CardSpace, SAML or any other marketing brochures and presentations can solve problems in society and in legislation. Please correct the problem at its root and do not try to cover it up with technology.

Posted by semancik at 12:14 PM in Identity
Wednesday, 9 April 2008

Do you care what's happening recently (or not that recently)?

Microsoft has acquired Stefan Brands ... uh, sorry ... Credentica. And since then you can notice an increased frequency of the words U-Prove and anonymous credentials in Kim Cameron's blog.

SXIP was acquired by Ping Identity. I hope that step will not lead Ping astray. Oh BTW, talking about Ping: If you missed the Great Identity Battle of Thousands Against Few, go check it out. It is worth it.

Kim Cameron and Dave Kearns are arguing about the meaning of the word metadirectory. The argument is long and not really interesting. Let's skip that.

Some bloggers are discussing the Identity Hub and Identity Bus concepts. Or would it be better to say buzzwords? They have all the symptoms: nobody really knows what they mean, they sound great and they do not really work. Hmmm, we are creating buzzwords. Maybe that means Identity is transitioning from the Geek Phase to the Hype Phase?

OpenID is gaining acceptance. That's the most unfortunate but not unexpected trend.

A plastic foil that can be used to impersonate a German minister was published. I think that is a great demonstration of the limitations of biometrics, which seem to be quite obvious to a few but almost invisible to the majority (including decision-makers).

An excellent (and short) summary of Identity projects was published by Jeff Bohren. I haven't heard anything more appropriate in years. One of my colleagues working on IdM projects remarked that he could add a few more sub-stages.

The European Identity Conference is just about to happen in Munich. Although there are a few big names and it happens almost around the corner from my home, I feel no motivation to go there.

... well, yet another month in our little Identity Town.

Posted by semancik at 2:33 PM in Identity