Wired Magazine recently announced that Google is working on a new identity protocol as an alternative to legacy username/password login. The protocol is designed to be integrated across a wide range of authentication hardware, including SIM cards, Yubikey NEOs or a ring you carry on your finger. It is primarily based on open standards, so not really revolutionary as it is. However, if implemented cleverly, the protocol holds the potential to solve some of the fundamental problems with online identity. And these are problems we need to fix soon. Very soon. Or billions of people, along with the great creation named the Internet, will be in serious trouble.
At this stage we cannot say which route Google will choose to ensure mass adoption of their security protocol. But we can say that Yubico has decided to engage in the project as we believe it could be a game changer.
And this is the vision:
Imagine that you have one single key and one single password to securely access all your Internet life.
The key would not be issued, controlled or hosted by a government or a service provider. Instead, you would buy this key at your retail store, such as 7-Eleven or Amazon.com, similar to a gift card or pre-paid phone card.
The key would remain in your own full control, guarding your privacy. And you may even choose to have multiple keys and identities, enabling you to protect your digital identity while remaining anonymous.
From your computer or mobile device, you would be able to instantly, with no required software installed, connect your key to any number of online services. Placed in the USB-port or tapped to your NFC phone/tablet/laptop you would replace all your multiple, long, painful passwords with a simple touch. Combined with a simple PIN or password, you would then securely access your email, bank, healthcare records or any online account.
With an open source approach and a clever eco-system, there would be no fees for service providers, and the costly Certificate Authority model associated with traditional smart cards could be eliminated. But more importantly, there would be no single token- or service provider who would control your digital identity or any cryptographic secrets.
The key would offer session security and legally binding signatures, at a security level enabling you to one day vote online for your next President.
Yes, there are a few obstacles to overcome, including aligning influential thought-leaders and global stake holders on the same page. But if enough people want to, it would be possible to create a new, really simple, secure and affordable online identity solution as outlined above. All based on the security protocol Google is now giving to the world.
Bring it out – click – go!
PS. Please find additional comments on this topic in the Future of Authentication FAQ