Authenticate Yourself

When Sun Microsystems took to the pulpit last week to propose an alternative to Microsofts Passport, the move marked more than just another showdown between the technology industrys two fiercest rivals.

This time, Sun and Microsoft are on a bigger quest: to create a standard for digital IDs. One of the Holy Grails of online computing, the digital ID has been touted as the magical key that will unlock the Web and turn it into a wonderland of convenient, personalized services, while warding off crooks intent on stealing personal and credit card data from unsuspecting online users who want to live, work and play in the virtual world.

Sun challenged Microsofts Passport by launching the 33-member consumer-oriented Liberty Alliance Project (www.projectliberty.org), which will supply online user IDs and authorization. Sun announced the venture in New York City, which is still reeling from the Sept.11 terrorist attacks.

As the U.S. continues to cope with the aftermath of the attacks, better forms of identification - digital IDs as well as a possible national ID authorized by the federal government - are being mentioned by some as one of the many cures for the nations security ills.

Rob Atkinson, the Progressive Policy Institutes director of the Technology and New Economy Project, favors linking drivers licenses with encrypted biometric information in a central database. "So when you want to get to a secure Web site, you authenticate yourself so you can vote, pay taxes, sign legal documents," he said. "Just doing that alone would have a lot of security benefits, but it would also have incalculable economic benefits."

White House spokesman Jimmy Orr said last week that President George W. Bush does not support a national ID, and such IDs are not part of Attorney General John Ashcrofts sweeping antiterrorism proposals to change a host of immigration and surveillance laws.

But industry watchers say that if lawmakers were to endorse a national ID, it could easily be linked to online efforts. The technology already exists to link physical IDs and online IDs designed to offer network access, said Tate Preston, vice president for government solutions of Datacard Group, a Minnesota developer of national ID and identity systems that have been used by the governments of Finland, Malaysia and Thailand.

In fact, the federal government is already deploying large numbers of such smart card IDs as part of a General Services Administration effort (www.smartcard.gov). Over the next two years, the Department of Defense will issue about 4.4 million Java-based smart cards to its personnel and contractors. The cards will provide physical identification and building access, network access, and may include medical records. The agency just bought 60,000 card readers from SchlumbergerSema, a subsidiary of oilfield services giant Schlumberger.

When asked about a linkup with a national ID, Microsoft said Passport wasnt designed to "pinpoint" individuals, but to promote e-commerce and the use of Web services. Sun CEO Scott McNealy said an alternative to Passport is necessary to prevent a key element of the Internet from falling under the control of a single vendor - Microsoft, whose Passport single sign-in and user ID technology is built around the companys Windows technology. McNealy invited Microsoft to join the Liberty Alliance.

"The absence of an open, federated standard for user ID is a key impediment to our industry today," said Tim Arnoult, chief information officer of Bank of America, a key member of the Liberty Alliance.

But the alliance will have its work cut out for it. Passport is already an established service, with Microsoft claiming it has 165 million user accounts. The alliance is still planning its first meeting to construct a road map for how its system will operate, said Segaza analyst Charles King.

But Jonathan Schwartz, Suns senior vice president, said customers of the Liberty Alliance will far outnumber Passports 165 million, once its up and running. He said the alliance, with its existing user ID and authentication systems, represented more than 1 billion consumers.

In addition to Bank of America, the Liberty Alliance includes American Airlines, eBay, Fidelity Investments, General Motors, Nokia, United Airlines, the Sabre Holdings and Travelocity.com airline reservations systems, Schlumberger, Sony and Vodafone Group. The primary technical companies involved are Apache Software Foundation, Cingular Wireless, Cisco Systems, RealNetworks and RSA Security.

Its goal is to provide the standards to hook their systems together, and let one trusted authentication provider supply the user ID for what might be multiple site visits or transactions. Instead of being a technology service like Passport, the Liberty Alliance seeks to define standards so that customers could identify themselves once, then interact with services of multiple members sites. The alliance would not supplant existing user ID and authorization systems.

Under the Liberty Alliance approach, a users health care information would reside in the directory of a trusted health care institution, and that institutions identification of the user would enable the person to visit other health care services in the alliance. Likewise for recreational, financial and other service relationships, McNealy said.

Microsoft appears to have anticipated Suns announcement when it said it will open Passport to third- party users in mid-September. It even used some of the same terminology used by the Sun alliance, calling its move a step to "federate" Passport among many online businesses and service providers. Any third party using version 5 of Kerberos could make use of Passport, said Adam Sohn, product manager in Microsofts .Net strategy group.

Despite the touted single sign-on and other advantages of digital IDs, questions remain as to whether online customers really want them. In a survey released last month, Gartner found that 8 million Passport users said the main reason they registered was to have access to other Microsoft services, such as Hotmail e-mail. Gartner said more than 70 percent of online adult U.S. consumers had not signed up for Passport, and were highly unlikely to do so within the next six months.

Meanwhile, government watchers say a federally sponsored national ID would meet widespread opposition.

"It would improve the ability to identify and track people. But I cant identify how much it would improve things," said Bob Inman, who served as director of the National Security Agency and as deputy director of the Central Intelligence Agency. "You can persuade Congress to act explicitly when you know what youll accomplish. But I dont think law enforcement agencies are capable of making a case of what precisely theyd gain from it. And if they cant, they wont get congressional approval."

Talk about national IDs has also moved the American Civil Liberties Union to get involved, while doubting the issue will be addressed, said Nadine Strossen, ACLU president. "We now have to take it seriously," she said.

Doug Brown and Robert Bryce contributed to this story.