I’ve been reading Emily Nagel’s book “Anywhere“. She’s the CEO of Yankee Group and the book is about global connectivity revolutionising business. I hope she won’t be offended if I say that it’s an “airport book”, but it’s an accurate description, at least for me, because I read it on the plane. There’s something that bothers me about it, though. It has lots of stories and examples and narrative about ways in which business is transformed as it goes online, but it doesn’t have “identity” or “authentication” in the index and says nothing about the identity problems that will need to be solved in order to realise the full potential of connectivity. As I’ve often observed before, using my favourite Kevin Kelly classification, connection isn’t the problem: it’s the disconnection technologies that will shape the medium-term roadmap for transforming new technology into business models: once everything is connected to everything else, the business model shifts to the creation and management of subgroups within that single, giant internet of everything.
Here, things aren’t going so well. By coincidence, the Saturday newspaper that I picked up after putting down Emily’s book had a technology advice column, and there was a letter from a typical consumer in it. I paraphrase:
I have a long list of passwords for home banking, shopping, social networks, magazines and so on. I’ve put them all in a Word document. How can I encrypt it?
This is, in a nutshell, the state of the mass market today. We all have masses of passwords, we’ve been complaining about it since 1994, and nothing much seems to happen, largely (I think) because the costs of our time don’t factor into business models. And yet… we don’t seem to be evolving any better business models and we don’t seem any closer to better identity infrastructure. Should we give up? No! I say we should remember William Samuel Henson.
It is sad that the name of William Samuel Henson is largely unknown today. A man of great vision, he petitioned Parliament for permission to set up an airline — with a business model largely based on post — flying to Egypt, India and China. Parliament turned his proposal down on the grounds that it was 1843 and no-one had invented airplanes yet. Henson knew this, obviously, but could see which way technology was evolving and correctly reasoned that just because he didn’t know how to get an airplane off the ground (he had been involved in numerous experiments around powered flight), that didn’t mean that no-one else would. And when they did, there would be a new business to build on aviation technology. So he started thinking about the businesses that would make sense and, since the post had just been invented in the UK, he looked at how that might work in the future.
This is a parable of our identity space now. We can’t get the technology to work, but we know that someone will, so we’re trying to think of business models (I should be clear in our case: we’re trying to think of business models for our clients) that will make sense when the technology works. But we’re thinking about web browsing and e-mail because these have just been invented and they’re our equivalent of the post service. Maybe we should challenge ourselves harder to look at wider possibilities, start from the perspective of social networking, virtual worlds and Twitter rather than Alice sending her credit card details to Bob.
Facebook is better understood, not as a country, but as a refugee camp for people who feel today’s lack of identity-forging social experience.
I think many organisations should be focusing on the next phase of evolution of online business, and phase that will be fundamentally shaped by the emerging identity infrastructure. But we must be careful not to take what has just been invented (in this case, say, Facebook) and project it into the future as the key to new business models. We have to think more broadly to develop strategic roadmaps for business that can react to the general trends to exploit the technology downstream. An example? Well, it doesn’t matter which social network we’ll be using in five years time, we’ll still need to authenticate ourselves in a more effective way that a Word file full of passwords. It isn’t only me that thinks this.
The president wants consumers to use strong authentication, something more than user name and password, which will most likely add another security factor, say officials familiar with the project.
For example, user name and password is one-factor security, something you know. But additional factors can be added. A token or digital certificate can be a second factor, something you have, resulting in stronger two-factor authentication. If you add a fingerprint or other biometric, something you are, it’s increased to three-factor security.
There follows an interesting, but confused, list of options. I’d like to suggest a more straightforward taxonomy, based on a digital identity infrastructure (which doesn’t exist, of course). The article, to my mind, confuses the distinct bindings between the virtual identities that exist in the Net and the real identities that are connected to. This is why it is useful to introduce the notion of digital identity in the middle. So then we get the two categories of things that might be used to solve the
- Linking virtual identities to digital identities. The article suggests that digital certificates and PKI might be a good way to do this and I agree. Think of a digital identity as a private-public key pair … tamper-resistance… smart cards, tokens, smart phones.
- Linking digital identities to real-world entities. The article suggests that passwords will be supplanted by biometrics.
Each of these will be a separate business that operates according to difference scale factors (scale in the first case, scope in the second). I don’t know how to make them work, but someone will.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]