OK, I know it, you know it, this post is going to be a rant. But within the rant there is a serious question and request.
Why the hell do we STILL have so many usernames and passwords?
Why does EVERY website need to maintain their own security? Especially when applying and managing that security is not their primary skill or concern, and worst, some just plain don’t care about it.
I have dozens and dozens of usernames and passwords. Some I reuse for sites I don’t deem to be that unsafe and some I keep unique for that particular service. I have worked some routines for managing this, such as using “Keychain Access” on my Mac and storing usernames and passwords in the browser. For more secure usernames and passwords, I write them down in a cryptic manner that only I would understand or just try to remember them all. The problems with trying to remember the important ones is that my memory is truly awful, and when it comes to sites I only access infrequently, I have no chance.
So, my question is… why do I STILL need multiple usernames and passwords? I am me whatever website I go to. I am me when I go to Amazon, I am the same me at my bank and eBay. I am me, the same me and the only me.
An alternative for the 21st Century?
Surely, rather than me creating many user accounts, usernames, passwords, profiles all that stuff that stays the same should just be created once? Why can’t I have a simple profile service that I go to and put in all the information that I want to share and then specify what services I want to expose the different pieces of information to?
If I want to let eBay, Amazon and PayPal access my credit card details, then I can set it there. If I have to update my Credit Card, then I only have to do it once and not just wait for a payment to fail 50 times before I manage to update it on every site that uses my card. I would also be able to see exactly which services have been requesting access to that information, and the services that I have not (yet) authorised or shouldn’t be accessing it.
A business perspective
Taking this to a level above consumer access, I work as a consultant for many different clients, often some at the same time, so I also have logons for each of them, again, to protect my clients, I have to keep them different, and most of them make me change the password every 30 days! Why can’t a company just get rid of their usual Active Directory (sorry Microsoft) or other authorisation server and just say, yes, let Mark Stokes have access to this service or that. Easy. Takes this requirement away from businesses who may or may not be very good at it, and save them all a bunch of cash on maintaining the services and on paracetamol for the headaches!
The same with profiles
The same goes with Profiles, as I have just mentioned. I have to maintain a profile on Facebook, MySpace, Flickr, Google, MSN, Twitter and a hundred other sites I am a member of. In virtually all of these cases my interests are the same, my contact details are the same, my friends are the same. I only want to put that stuff in once and then state where I want that information to be displayed. I moved house back in November and made a list of all the places that I needed to update my address, and I can tell you, 4 months on I am STILL updating my address in some places. And in many places my address is where I lived 4 houses ago!!! It’s crazy. It can’t be good for the Royal Mail either, all that post that goes to the wrong place and has to be binned (environmental) or re-delivered to a forwarding address.
A Question of Trust
So, we come on to the nitty gritty of it.
If such a service WAS to exist, who would own/manage it?
Could we have a single government control the worlds user directories? Could it be split between every government to manage their own citizens?
Should a global organisation operate this service? In the same way ICANN controls internet names and numbers?
Who could be trusted to run such a service?
The power this organisation would have would be incredible. And what if it wasn’t securely implemented and there was a breach? Once a users single point of access has been breached, a hacker would have access to ALL that persons services.
Where to next?
There are a couple of initiatives that are trying to gather pace, such as OpenID.
I just hope, and prey that some internet bods much more intelligent than me are on the case and not too far off bringing a service to the world. It would free up SO much of my time, and companies time and money. The needs it… I need it.
Let me know your thoughts and comments on this.