The dangers of a single identity

The focus on having a single ID you can use everywhere ignores how the world actually works, in a scary way

I'm tired of juggling multiple user IDs and passwords on all the websites, computers, and apps I use every day. I'm sure you are too. I have five separate IDs and passwords for work, as many for services at home (from iTunes to my alarm-company ID), and about a dozen for banking, e-commerce, and business services I use via the Internet, from Amazon.com to my Web domain's management console and FTP credentials. Granted, most people don't have the last two, but there are too many ways of proving I'm me for me to remember them all.

Because the problem is common, the industry periodically goes into "one ID for all" thinking. A few years ago, RSA was hoping to furnish the authenticated single sign-on that all providers would use, sort of a DNS registry for identity. RSA's effort failed because no one wanted to pay RSA an ID tax on each access or ID used. And having just one repository seemed quite scary: It'd be a great target for hackers. (Those fears were later justified by RSA's failure to prevent its own SecurID system from being hacked.)

[ InfoWorld's Galen Gruman advocates that users should be able to charge providers for access to their personal information. ]

Today, the magic bullet is using OpenID or Facebook as a common sign-in across websites. OpenID has been around for years but hasn't really gained traction. And the notion of trusting Facebook as a central repository would be laughable if not so scary: Facebook violates its users' privacy routinely and shouldn't be trusted with anything important.

But say there were a trusted entity you could use as your identity manager and validator, sort of like a Social Security number that websites could validate against. Shouldn't we all adopt it?

Absolutely not.

Such systems are inherently dangerous. Fake and stolen Social Security numbers abound, for example. Any single ID would face the same abuse -- and once your single identity is compromised, you're screwed. You can no longer prove who you are. If you think recovering from identity theft is hard, wait until your single identity is compromised.

Plus, identity is much more than a username and password, biometric scan and password, or whatever system you want to use. Also, though we all may be individuals, we each have multiple personas. The "me" you read at InfoWorld is a persona for my role as a technology commentator. The "me" in my how-to books is different as well. The "me" my friends and family know is different. The "me" at my bank, at Amazon, and at iTunes are all different. The "me" at my insurer and my HMO is different. Yes, it's the same me at the core, but each persona has a different purpose in the context in which it operates, so I tune it for that use.

For example, in my blog, I'm more extreme than I am when writing a how-to book or conducting an interview on stage -- the goals of the venues differ, so my personas do too. Likewise, my LinkedIn profile is different from my Twitter profile, from my Google+ profile (which would still exist if Google's algorithm hadn't summarily closed it down), and from my Facebook profile (if I were foolish enough to have one). They're for different purposes, so I tune who I am based on those purposes, just as we all do at a work event, at a home party, on a bus, when interviewing for a job, and so on.
