Information security: Who can you trust?

There is no single answer to internet authentication, and businesses must employ different internal systems to meet requirements

In a famous cartoon published in the late 1990s in The New Yorker, a dog typing at a computer terminal says to another dog "On the internet, no one knows you're a dog."

This authentication problem is a real issue for virtually everyone on the internet (albeit with a less canine aspect). The problem has become more acute as fraudulent strategies like phishing and pharming have exploited the lack of internet authentication. But the solution remains unclear.

About the time that the cartoon was published and dotcom business was booming, those who proposed to solve this problem tended to have global ambitions.

Proposed global authentication solutions included the cryptographic public key infrastructures (PKIs) offered by entities such as VeriSign, WiSeKey and Thawte, as well as the Microsoft Passport project. Products that afforded less trust to a central entity included the PGP "web of trust".

But none of these projects has had global success in selling authentication. The most successful is perhaps VeriSign, with its leading market position in selling SSL server certificates. However, this is likely because such certificates do not require real authentication, but simply a cryptographic association of a public key with a URL.

There appears to be no single answer to the key authentication question: whom should I trust? This problem of trust is not a new one, and has always existed for societies that have had interactions outside of local communities where all participants are (mostly) known to each other. Solutions to the trust problem have always been varied, and are very likely to remain so on the internet.

There is increasing recognition that different authentication and identity management systems are appropriate to different applications, to enable users to deal with different situations which inevitably involve variation in commercial, legal and other risks.

For example, while global PKIs have not been successful, an increasing number of companies are adopting internal PKIs. This is a manageable and useful approach within the corporate environment, where means of reliably and efficiently identifying individuals are already readily available.

Likewise, biometrics has long been recognised as an excellent authentication method for a diverse population, but it is often complex and expensive to implement. However, in focused situations where individuals can be channelled to biometric authentication equipment, biometric systems can make very good sense. Similarly, banks and credit card companies have become particularly adept at using a variety of authentication methods.

Digital identity management is moving away from a "one size fits all" approach towards systems that are highly tailored to the trust and authentication risks that they are designed to address. In this evolving environment, your dog may still be able to disguise himself in an internet chat room, but it is much less likely that he will be able to empty your bank account.

Maury Shenk is a partner at law firm Steptoe and Johnson and head of the European Legal Programme at SANS.
