Your identity is like George Costanza's wallet. Really. Think about it. Do you remember the classic Seinfeld episode? The one where George wouldn't give up his ever-expanding wallet filled with store credit cards, Irish money, a coupon for an Orlando Exxon gas station and several Sweet and Low packets. This, in spite of the obvious physical pain it caused and the security threat all of that imposed.
Costanza actually sat with a limp (if one can do that) when talking to Jerry and Elaine at the diner because his wallet was so fat. He remedied the situation, as only George could, by folding a fistful of restaurant napkins to support his other "cheek."
In the next scene when he saw an advertisement on a telephone pole, he tore from the posting a wafer-thin piece of paper and injected it into the wallet. Seconds later, the entire thing exploded, spewing its contents into the middle of the street with Costanza going ballistic.
The parallels between George's wallet and your identity are glaring. Both just: -are too complex and bulky (too many username and password combinations to remember) -are unsafe if they fall into malicious hands; and -might explode one day soon, causing you all kinds of grief, risk, fear, money and embarrassment.
That's the bad news.
The good news is that identity problems are solvable. Today. In fact, this problem has already been solved, which I'll get to in a minute. The key you need to remember now is: don't be like George. When it comes to identity, consider me your own, personal "Inner Jerry."
Yada, yada, yada.
Back in October, just before Halloween in fact, I wrote about the things that keep identity management professionals awake at night in an article called The Top 13 Identity Management Fears. That piece articulated the challenges organizations face in the scary new world of identity management, diagnosing and benchmarking just how bad all-things-identity had become.
Now, I'm prescribing a fix for the problem. Oh, and the prognosis for a cure is excellent, provided that in this brave new identity world (a world I'm calling "The Next Identity Model"), a few key steps are followed.
First, we'll start with defining the identity problem. Then, we'll look at parallels to how entire industries have already solved historically similar kinds of challenges. Next, I'll help you understand where this whole cottage-industry-in-waiting is headed from both a consumer and business perspective. And, finally, I'll paint a vision of what "The Next Identity Model" will look like so that a Costanza-like problem doesn't blow up in your face.
Identifying the problem
At the current rate of password expansion, you'll need hundreds of username and password combinations in the coming years. Remember, most websites today require you to use alpha-numeric combinations of 4, 8 or 12 characters, which, many times, are unique combinations that you don't use elsewhere.
A major analyst firm, IDC, added this: "Many dynamics are converging to create a challenging environment for secure identity and access management," said Irida Xheneti, Security Services Analyst with IDC. "These include the evolving technology landscape with new applications and systems emerging every day; a growing mobile workforce where portable electronics have become the back door to an organization; and the enterprise landscape where partners and suppliers demand access to corporate information. All of these factors have made securing user identities and enterprises a very complex and expensive task."
Before you know it, each month it seems like you've added another dozen or so username/ password combos. It's all just too much for any mortal to handle. And, life already has enough complications. The simple truth is that there are better things to do: soccer games to attend, ice cream to eat, work to finish, the latest cliffhanger of Lost to watch.
So, like the rest of us overworked, time-starved and memory-constipated folk, you take the easy way out. An understandable choice, to be sure, but who are we kidding. It just doesn't work well in the real world.
But, I can guarantee that all your little personal "password tricks" that you thought nobody else employed are just dripping with danger -- unnecessarily. These include: -If it works for one, it'll work for 'em all. Making every combo the same is not safe, yet many people employ this tactic. The problem? If a bad guy gets your New York Times username and password combo, then he also gets your banking combo. See the problem? -The "easy one to remember" method. Okay, the word "password" is not a good password. Do I really need to explain this one? -The "sticky note" approach. This involves writing all of your combos down on one pad of paper or, worse yet, sticky notes dangling all around your computer screen. Now, what happens if you lose the paper or notes, they're stolen or somebody walks by your cube and photographs, copies or otherwise compromises them? Not good.
In spite of the obvious problems associated with each, these are still the most popular ways to handle identity and password challenges. A better method must exist, but what? A better system must be developed, but by whom?