Jon Udell zeros in on the problem that web sites introducing “novel” authentication schemes will run into once those schemes start to proliferate. I had the same concern when I set out the seventh law of identity (consistent experience). Jon says:
Several months ago my bank implemented an anti-phishing scheme called Site ID, and now my mortgage company has gone to a similar scheme called PassMark. Both required an enrollment procedure in which I had to choose private questions and give answers (e.g., mother’s maiden name) and then choose (and label) an image. The question-and-answer protocol mainly beefs up name/password security, and secondarily deters phishing — because I’d notice if a site I believed to be my bank or mortgage company suddenly didn’t use that protocol. The primary anti-phishing feature is the named image. The idea is that now I’ll be suspicious if one of these sites doesn’t show me the image and label that I chose.
When you’re talking about a single site, this idea arguably makes sense. But it starts to break down when applied across sites. In my case, there’s dissonance created by different variants of the protocol: PassMark versus Site ID. Then there’s the fact that these aren’t my images, they’re generic clip art with no personal significance to me. Another variant of this approach, the Yahoo! Sign-In Seal, does allow me to choose a personally meaningful image — but only to verify Yahoo! sites.
These fragmentary approaches can’t provide the grounded and consistent experience that we so desperately need. One subtle aspect of that consistency, highlighted in Richard Turner’s CardSpace screencast, is the visual gestalt that’s created by the set of cards you hold. In the CardSpace identity selector, the images you see always appear together and form a pattern. Presumably the same will be true in the Higgins-based identity selector, though I haven’t seen that yet.
I can’t say for sure, because none of us is yet having this experience with our banks and mortgage companies, but the use of that pattern across interactions with many sites should provide that grounded and consistent experience. Note that the images forming that pattern can be personalized, as Kevin Hammond discusses in this item (via Kim Cameron) about adding a handmade image to a self-issued card. Can you do something similar with a managed card issued by an identity provider? I imagine it’s possible, but I’m not sure, maybe somebody on the CardSpace team can answer that.
In any event, the general problem isn’t just that PassMark or Site ID or Sign-In Seal are different schemes. Even if one of those were suddenly to become the standard used everywhere, the subjective feeling would still be that each site manages a piece of your identity but that nothing brings it all together under your control. We must have, and I’m increasingly hopeful that we will have, diverse and interoperable identity selectors, identity providers, relying parties, and trust protocols. But every participant in the identity metasystem must also have a set of core properties that are invariant. One of the key invariant properties is that it must bring your experience of online identity together and place it under your control.
The “novel authentication” approach used by PassMark and others doesn't scale any better than the “pocket full of dongles” solutions proposed by Dongle queens or – for that matter – than conventional usernames and passwords.
So far Information Cards are the only technology that both prevents phishing and avoids the novel authentication and multiple dongle problems.
By the way, if the “dissonance” problem Jon describes, which arises from different web sites using different images and questions, were overcome by reusing the same images and questions everywhere, things would only get worse.
Once sites share the same “novel authentication” model, you no longer have novel authentication.
In fact you come full circle to the deepest phishing problems. Why?
If you went to an evil site and set up your reusable images and questions there, you would have taught the evil site exactly what it needs to impersonate you at legitimate sites, and to show you the very image you rely on to tell a legitimate site from a fake one. So in spite of a lot of effort, and a lot of illusions, you would end up further behind than when you started.
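To make that last point concrete, here is an added toy model of the image-plus-questions login flow; it is not code from the original post or from any of the vendors named, and the site names, user and secrets in it are constructed. A real site and a phishing site both run the enrollment Jon describes, and the only thing that varies is whether Alice reuses the same image and answers at both. With per-site secrets the phishing page cannot show her image, so her check stops her; with reused secrets the page looks right, she types her bank password into it, and the phisher can replay both the password and the question answers against the real bank.

```python
"""Toy model of a 'site seal' login (image plus private questions).

Added example, not code from the original post or from any vendor.
All names, passwords, images and answers are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Enrollment:
    password: str
    image: str                  # label of the image the user chose
    answers: Dict[str, str]     # private question -> answer


@dataclass
class Site:
    name: str
    users: Dict[str, Enrollment] = field(default_factory=dict)

    def enroll(self, user: str, password: str, image: str,
               answers: Dict[str, str]) -> None:
        self.users[user] = Enrollment(password, image, dict(answers))

    def show_seal(self, user: str) -> Optional[str]:
        """Login step 1: given the username, show the user's chosen image."""
        e = self.users.get(user)
        return e.image if e else None

    def login(self, user: str, password: str, answers: Dict[str, str]) -> bool:
        """Login step 2: password plus the private questions."""
        e = self.users.get(user)
        return (e is not None and e.password == password
                and all(e.answers.get(q) == a for q, a in answers.items()))


@dataclass
class PhishingSite(Site):
    """Runs the same enrollment flow as a real site and keeps what it learns."""
    captured_passwords: Dict[str, str] = field(default_factory=dict)

    def capture(self, user: str, password: str) -> None:
        self.captured_passwords[user] = password


def alice_visits(site: Site, user: str, expected_image: str,
                 bank_password: str) -> Optional[str]:
    """Jon's check: type the bank password only if the chosen image appears."""
    if site.show_seal(user) != expected_image:
        return None             # wrong or missing image: Alice walks away
    return bank_password


def scenario(reuse_secrets: bool) -> Dict[str, bool]:
    user = "alice"
    bank = Site("bank.example")              # constructed hostname
    evil = PhishingSite("evil.example")      # constructed hostname

    # Constructed enrollment at the bank.
    bank_pw, bank_img = "bank-pw", "clip-art-sailboat"
    bank_qa = {"mother's maiden name": "Hansen"}
    bank.enroll(user, bank_pw, bank_img, bank_qa)

    # Alice also enrolls at evil.example, believing it is a legitimate service.
    if reuse_secrets:
        evil.enroll(user, "other-pw", bank_img, bank_qa)   # same image, same Q&A
    else:
        evil.enroll(user, "other-pw", "clip-art-teapot", {"first pet": "Rex"})

    # Later, a page at evil.example pretends to be the bank's login.
    typed = alice_visits(evil, user, bank_img, bank_pw)
    phish_passes = typed is not None
    if phish_passes:
        evil.capture(user, typed)

    # The phisher replays whatever it holds against the real bank.
    pw_guess = evil.captured_passwords.get(user, "other-pw")
    takeover = bank.login(user, pw_guess, evil.users[user].answers)
    return {"phish_passes": phish_passes, "account_takeover": takeover}


if __name__ == "__main__":
    print("per-site secrets:", scenario(reuse_secrets=False))
    print("reused secrets:  ", scenario(reuse_secrets=True))
```

The model deliberately gives the phishing site nothing but what Alice herself handed it during enrollment; the difference between the two runs comes entirely from whether the image and answers were a secret shared with one site or a credential she carried everywhere.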