A Smarter Identity

Using a USB Key could finally free us from malware.

Viruses. Worms. Spam. Identity theft. What do all these things have in common (besides the fact that you hate them)? The people behind these crimes dont want to be discovered. Indeed, they remain at large because the Internet allows perpetrators to spew out malware incognito. Unchecked, the rapid rise of assaults like these will grow to overwhelm us.

Ive listened to too many IT professionals, some of them in Redmond, Wash., who remain blasé about these problems. "We have spam filters and anti-virus signatures," they say. "Its a manageable situation."

This is the response of a computer profession in denial. Everyone who reads a newspaper learned long ago that 15-year-olds can game the Internet and that the brightest minds in IT cant find the perps, much less stop them. Sure, we must try to manage the threats. But the failure of the computing industry to halt this nonsense is a black eye for us all.

Now, finally, we can say, "Enough!" Technology has advanced to the point that every Internet user could carry a small, inexpensive device that positively identifies him or her. Users ability to easily prove who they are could restore the integrity of e-mail, e-commerce and a wide variety of other activities.

This device could be called numerous things, but I call it a USB Key. Tiny USB pen drives can now readily support true challenge/response authentication. A mere password or digitized fingerprint can be intercepted and used to impersonate you. But two-factor authentication, using a USB Key and a PIN, for instance, is very hard to fake.

Theres nothing magical about USB. The same verification role can be played by smart cards, such as the American Express Blue card and others. But there are a lot more USB ports than smart-card readers in offices and homes worldwide, so Im betting USB wins out.

For people to adopt such devices, we need two things: (1) a simple way to distribute the keys and (2) programs that recognize and reward their use.

The U.S. Postal Service can provide the first element with its In-Person Proofing project. The Postal Service has talked about this since at least 2001, but its now ready to roll. The process involves showing up in person at a post office, much like applying for a passport. After your identity is verified, you are eligible to download digital credentials. These are stored in your USB Key, smart card or other device, ready to use.

Chuck Chamberlain, the Postal Service program manager for new products, said the system is close to being adopted by two states and a few federal agencies. Thats a solid start. Outside the United States, members of the 189-nation Universal Postal Union are already moving in the same direction.

I dont believe privacy issues will sink this. Practically every country issues drivers licenses and passports. We dont hesitate to show them when needed. Issuing ID in digital form is just a variation on this basic government service.

Im aware that digital certificates have been available for years. I use them myself on my Web sites that offer e-commerce functionality. But the technology has not achieved mass appeal.

"Whoever designed digital certificates apparently didnt do any usability testing," said Neal Creighton, CEO of GeoTrust, which sells digital certificates and USB devices.

The second element we need is incentives that make USB Keys valuable and desirable. Perhaps youll get a lower tax rate when filing electronically with the IRS. Or a higher feedback score at eBay. The possibilities are endless.

Would proven identity solve all Internet problems? Of course not. But it would be better than just letting unnamed wackos continue to hammer us.

Into the Unknown

This is the last column in my Known Issues series for eWEEK. Ill be devoting my time to writing my next book, titled "Windows 2006 Secrets" (or whatever Microsoft decides to call its "Longhorn" operating system). Until then, get the latest tips by signing up for my free newsletter at www.BriansBuzz.com.

Brian Livingston is editor of BriansBuzz. com and co-author of "Windows Me Secrets" and nine other books. Send your comments to eWEEK@ziffdavis.com.