Showing posts with label id management. Show all posts
Showing posts with label id management. Show all posts

31 July 2009

Why Single Sign On Systems Are Bad

Wow, here's a really great article about identity management from, um, er, Microsoft. Actually, it's a rather remarkable Microsoft article, since it contains the following sentences:

On February 14, 2006, Microsoft Chairman Bill Gates declared that passwords would be gone where the dinosaurs rest in three to four years.

But as I write this in March 2009, it is pretty clear that Bill was wrong.

But it's not for that frisson that you should read it; it's for the following insight, which really needs hammering home:

The big challenge with respect to identity is not in designing an identity system that can provide SSO [Single Sign On], even though that is where most of the technical effort is going. It's not even in making the solution smoothly functioning and usable, where, unfortunately, less effort is going. The challenge is that users today have many identities. As I mentioned above, I have well over 100. On a daily basis, I use at least 20 or 25 of those. Perhaps users have too many identities, but I would not consider that a foregone conclusion.

The purist would now say that "SSO can fix that problem." However, I don't think it is a problem. At least it is not the big problem. I like having many identities. Having many identities means I can rest assured that the various services I use cannot correlate my information. I do not have to give my e-mail provider my stock broker identity, nor do I have to give my credit card company the identity I use at my favorite online shopping site. And only I know the identity I use for the photo sharing site. Having multiple identities allows me to keep my life, and my privacy, compartmentalized.

Yes yes yes yes yes. *This* is what the UK government simply does not want to accept: creating a single, all-powerful "proof" of identity is actually exactly the wrong thing to do. Once compromised, it is hugely dangerous. Moreover, it gives too much power to the provider of that infrastructure - which is precisely why the government *loves* it. (Via Ideal Government.)

Follow me @glynmoody on Twitter @glynmoody and identi.ca.