Exciting Technologies in the Works

I travel all over the world, and I do so, essentially, with two documents: I have a driver's license for use inside the U.S. and when I'm getting on airplanes, and I have a passport that will get me into most countries. So I can cruise across almost any border in the world, and I'm able to identify myself and transact whatever business I want when I'm traveling by using just those two documents.

When I'm on the Internet, it's a very different thing entirely. The Internet is supposed to have made the world smaller, to have eliminated borders, and to a large extent it has, but it hasn't made it much easier to do business while you're out there. The problem on the Net, as it turns out, isn't access, it's identity. I don't even have one name on the Internet. I was actually looking into this for a speech I gave recently, and I counted all the names I had in my various relationships on the Internet. I found I had 36 different ones - not different passwords, different names. Sometimes I'm Carl Ledbetter; sometimes I'd have to separate my first and last names with an underscore; sometimes I have to use a space; sometimes my names are concatenated; and on and on. I've even learned there are several other Carl Ledbetters in the U.S., so sometimes I have to use my middle initial to distinguish myself, and there are even four other Carl S. Ledbetters, so I have to use my full middle name or some other differentiator, and with all of these I have the underscore, space, concatenation issue to contend with. When it's all added up, I have so many names I can't remember which one I am on any given site, especially the sites I visit only infrequently. When you add in the more than 70 different passwords I have, there are nearly 2,500 different user name-password combinations that are possible from among the ones I actually use. And the passwords change all the time, so my big yellow sheet of paper is all scratched up and hard to read. It's a wonder I can do anything at all on the Net. So I do what all of us who are concerned about computer security tell people not to do - I put the user names and passwords I use on a big piece of paper and tape it to the side of my monitor - where they can be seen by anyone even mildly interested in stealing my identity, thereby compromising the security provisions that protect me, to be able to get to those sites at all. What a nightmare.

Recently, I was trying to get on to a service that handles my kids' tuition, and it asked me for my user name, so I could check to make sure the deductions had started. I tried three or four times and couldn't get in, and then, because I had made the maximum number of attempts permitted, I got locked out. I had to make a phone call to get help at the service, and you know how harrowing a process it is to get a live person these days. That company spent a lot of money, and I spent a lot of time - and was pretty irritated while I did it - just trying to make sure I could pay my bill. How dumb is that? They made me fight to pay them money - all because I didn't know my own name on the Net. So I can't travel around the Internet the way I do around the world because I don't have the right to my own name and can't remember the information I need to authenticate my identity.

What we really need is illustrated in a great line from a movie several years ago, The Adventures of Buckaroo Banzai Across the Eighth Dimension - "No matter where you go, there you are." That's what happens when I travel the world with my passport: No matter where I go, there I am, and I know my name, I have credentials to transact business, and my identity can be authenticated reasonably well by whatever gate-keeping authority is checking. I want to do the same thing on the Internet. I want to be able to make a claim about my identity and to have as many identities as I want - because I may have good reason for having several different personalities or roles that I want to distinguish. I want to make sure the agency of authorization can identify me correctly and that I'm authenticated by reasonable means at some level of assurance that may vary by purpose and mechanism of authentication. And then, now that I'm on the Internet, I want to be able to move around without being pestered over and over again for the identity and authentication credentials I've already presented. From the time I'm in and authenticated, almost all the dot-coms should accept me for who I am. If the authentication is at a high enough grade - maybe just knowing my password is good enough for some purposes, but knowing other information, having a smart card, or presenting biometric information like a fingerprint or retinal scan could be required for other more sensitive and secure applications - there ought to be a secure-certificate technology that makes sure my identity and authentication, with all the rights and privileges of access I'm allowed from that, gets handled correctly and handed off as I instruct, so I don't have to do it again. My one-time authentication ought to be enough to allow me to navigate around the Internet's electronic world, just as my passport allows me to travel around the physical world.

I think the thrust of the next five to ten years will be to make that vision a reality. No matter where you go, there you are, on the Internet. The industry will create software components that make this happen without forcing customers to jump through a lot of hoops or know a lot of things.