I’ve been reading Emily Nagel’s book “Anywhere”. She’s the CEO of Yankee Group and the book is about global connectivity revolutionising business. I hope she won’t be offended if I say that it’s an “airport book”, but it’s an accurate description, at least for me, because I read it on the plane. There’s something that bothers me about it, though. It has lots of stories and examples and narrative about ways in which business is transformed as it goes online, but it doesn’t have “identity” or “authentication” in the index and says nothing about the identity problems that will need to be solved in order to realise the full potential of connectivity. As I’ve often observed before, using my favourite Kevin Kelly classification, connection isn’t the problem: it’s the disconnection technologies that will shape the medium-term roadmap for transforming new technology into business models: once everything is connected to everything else, the business model shifts to the creation and management of subgroups within that single, giant internet of everything.
Here, things aren’t going so well. By coincidence, the Saturday newspaper that I picked up after putting down Emily’s book had a technology advice column, and there was a letter from a typical consumer in it. I paraphrase:
I have a long list of passwords for home banking, shopping, social networks, magazines and so on. I’ve put them all in a Word document. How can I encrypt it?
This is, in a nutshell, the state of the mass market today. We all have masses of passwords, we’ve been complaining about it since 1994, and nothing much seems to happen, largely (I think) because the costs of our time don’t factor into business models. And yet… we don’t seem to be evolving any better business models and we don’t seem any closer to better identity infrastructure. Should we give up? No! I say we should remember William Samuel Henson.
It is sad that the name of William Samuel Henson is largely unknown today. A man of great vision, he petitioned Parliament for permission to set up an airline — with a business model largely based on post — flying to Egypt, India and China. Parliament turned his proposal down on the grounds that it was 1843 and no-one had invented airplanes yet. Henson knew this, obviously, but could see which way technology was evolving and correctly reasoned that just because he didn’t know how to get an airplane off the ground (he had been involved in numerous experiments around powered flight), that didn’t mean that no-one else would. And when they did, there would be a new business to build on aviation technology. So he started thinking about the businesses that would make sense and, since the post had just been invented in the UK, he looked at how that might work in the future.
This is a parable of our identity space now. We can’t get the technology to work, but we know that someone will, so we’re trying to think of business models (I should be clear in our case: we’re trying to think of business models for our clients) that will make sense when the technology works. But we’re thinking about web browsing and e-mail because these have just been invented and they’re our equivalent of the post service. Maybe we should challenge ourselves harder to look at wider possibilities, start from the perspective of social networking, virtual worlds and Twitter rather than Alice sending her credit card details to Bob.
Facebook is better understood, not as a country, but as a refugee camp for people who feel today’s lack of identity-forging social experience. [From Facebook: the heart in a heartless world | spiked]
I think many organisations should be focusing on the next phase of evolution of online business, a phase that will be fundamentally shaped by the emerging identity infrastructure. But we must be careful not to take what has just been invented (in this case, say, Facebook) and project it into the future as the key to new business models. We have to think more broadly to develop strategic roadmaps for business that can react to the general trends to exploit the technology downstream. An example? Well, it doesn’t matter which social network we’ll be using in five years’ time, we’ll still need to authenticate ourselves in a more effective way than a Word file full of passwords. It isn’t only me that thinks this.
The president wants consumers to use strong authentication, something more than user name and password, which will most likely add another security factor, say officials familiar with the project.
For example, user name and password is one-factor security, something you know. But additional factors can be added. A token or digital certificate can be a second factor, something you have, resulting in stronger two-factor authentication. If you add a fingerprint or other biometric, something you are, it’s increased to three-factor security. [From NFCNews | Potential technologies that consumers may use for online ID]
There follows an interesting, but confused, list of options. I’d like to suggest a more straightforward taxonomy, based on a digital identity infrastructure (which doesn’t exist, of course). The article, to my mind, confuses the distinct bindings between the virtual identities that exist in the Net and the real identities that they are connected to. This is why it is useful to introduce the notion of digital identity in the middle. So then we get the two categories of things that might be used to solve the
- Linking virtual identities to digital identities. The article suggests that digital certificates and PKI might be a good way to do this and I agree. Think of a digital identity as a private-public key pair … tamper-resistance… smart cards, tokens, smart phones.
- Linking digital identities to real-world entities. The article suggests that passwords will be supplanted by biometrics.
Each of these will be a separate business that operates according to different scale factors (scale in the first case, scope in the second). I don’t know how to make them work, but someone will.
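The first of the two bindings above, sketched as an added example (not from the original post or the NFCNews article): a digital identity is an Ed25519 key pair, an issuer signs a statement binding a virtual identity to its public key, and a relying party checks both that binding and a fresh proof of possession of the private key. The issuer, the name `alice@socialnet.example` and all function names are assumptions made for illustration; the second binding, to a real-world person, is out of scope here.

```javascript
// Added illustration. Names such as alice@socialnet.example are constructed.
const nodeCrypto = require('node:crypto');

// A digital identity is a key pair. In practice the private key would sit in
// tamper-resistant hardware (smart card, token, phone); here it is in memory.
function newDigitalIdentity() {
  return nodeCrypto.generateKeyPairSync('ed25519');
}

// The issuer signs a statement binding a virtual identity to a public key.
function issueBinding(issuer, virtualId, subjectPublicKey) {
  const spki = subjectPublicKey.export({ type: 'spki', format: 'der' });
  const body = JSON.stringify({ virtualId, spki: spki.toString('base64') });
  const sig = nodeCrypto.sign(null, Buffer.from(body), issuer.privateKey);
  return { body, sig: sig.toString('base64') };
}

// The relying party accepts a login only if (1) the binding carries the
// trusted issuer's signature and (2) the caller signs a fresh challenge with
// the private key that matches the bound public key.
function verifyLogin(issuerPublicKey, binding, challenge, response) {
  const sig = Buffer.from(binding.sig, 'base64');
  if (!nodeCrypto.verify(null, Buffer.from(binding.body), issuerPublicKey, sig)) {
    return null; // binding not issued by the trusted issuer
  }
  const { virtualId, spki } = JSON.parse(binding.body);
  const subjectKey = nodeCrypto.createPublicKey({
    key: Buffer.from(spki, 'base64'), format: 'der', type: 'spki',
  });
  return nodeCrypto.verify(null, challenge, subjectKey, response) ? virtualId : null;
}

function demo() {
  const issuer = newDigitalIdentity();
  const alice = newDigitalIdentity();
  const other = newDigitalIdentity(); // a party who does not hold Alice's key
  const name = 'alice@socialnet.example';
  const binding = issueBinding(issuer, name, alice.publicKey);
  const challenge = nodeCrypto.randomBytes(32); // fresh per login, prevents replay
  const sign = (id) => nodeCrypto.sign(null, challenge, id.privateKey);
  return {
    holder: verifyLogin(issuer.publicKey, binding, challenge, sign(alice)),
    wrongKey: verifyLogin(issuer.publicKey, binding, challenge, sign(other)),
    selfIssued: verifyLogin(issuer.publicKey,
      issueBinding(other, name, other.publicKey), challenge, sign(other)),
  };
}

console.log(demo());
```

The relying party learns only the virtual identity and that its holder controls the bound key; no password crosses the wire and nothing about the real-world person is disclosed.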
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public
I clicked on the link to read the NFCNews article. You have to register. It says:
“For just $49, you receive unlimited password-protected access to content on all of AVISIAN’s sites for an entire year. Your subscription helps fund the continued creation of independent, insightful content. Find out more”
I suppose it’s a bit like Mr Henson having to watch Palmerston send his declaration of war on China by ship.
(Incidentally, the voyage was so long that the ever practical Palmerston sent the peace treaty at the same time.)
Anyway, be that as it may, I haven’t managed to read the NFCNews article so I don’t know what it says about biometrics.
But what it had better say is don’t hold your breath.
It would be terribly useful if mass consumer biometrics were reliable but, according to (the?) three leading academics in the field, they’re not, please see ‘Fundamental issues in biometric performance testing: A modern statistical and philosophical framework for uncertainty assessment’, http://biometrics.nist.gov/cs_links/ibpc2010/pdfs/FundamentalIssues_Final.pdf
The lack of statistical control in biometrics, they say, is such that technology tests, scenario tests and operational tests of biometric technology tell you nothing; the results cannot be used to construct a valid argument in favour of investment in biometrics.
Maybe one day biometrics will come under statistical control. For the moment, we’re going to have to digitally transact as best we can without them.