Print
Discuss
Send to friend
RSS feeds
I was fascinated to learn of Experian’s plans to become an identity provider. In about a year’s time, the company intends to launch a new service, provisionally called My Life, aimed at individuals looking for a more secure way of logging on to web sites such as retailers, banks and government services.
Users will register once with Experian, and then authenticate on third-party sites using Microsoft’s CardSpace, which is part of .NET Framework 3.0 and Internet Explorer 7.0. There is no need for a password, and confidential information such as a credit card number is not sent directly from the user’s PC to the third-party site.
nstead, the user submits a digital token that gives the third-party permission to get the information from Experian. The service is paid for by the third party.
The system makes phishing more difficult, since Experian as the identity provider will only send data to sites it recognises, and individual users no longer have to figure out if the site is genuine. Another advantage is that the CardSpace user interface is part of the browser, rather than part of a web page, so cannot be faked. In addition, the third party has Experian’s assurance that the user is who they claim to be.
Criminals will still find ways to attack CardSpace users, but, even so, it is superior to flimsy username/password authentication.
Can Experian and Microsoft make the web safer? Possibly, but there are reasons for caution. First, there are cross-platform concerns. Microsoft and Experian insist that this is a cross-industry initiative, and point to CardSpace client implementations on Linux, Mac and FireFox, but deployment of CardSpace is currently limited even on Windows.
That problem may fix itself in time, but the second issue is whether Experian can command sufficient trust from users that they will be willing to give the company this key role in their financial affairs.
Experian is best known as a credit reference agency, and has a poor image among individuals who have struggled with bad credit ratings, sometimes because of administrative mistakes rather than genuine risks. There is an obvious potential conflict of interest. Would Experian as a credit reference agency draw on its knowledge of an individual’s transactions with third parties, gained as an identity provider, to inform its credit reports?
Experian insists that it will not, and that these services will be run entirely separately. That may be so, but a credit reference agency is simply the wrong organisation to run an identity provider business. A non-profit industry consortium would be more reassuring.
del.icio.us
Digg this
reddit!
