Could the cards hold the answer to our identity needs?

May 19, 2004 | 3 mins
Access Control, Enterprise Applications

* Taking the idea of smart cards to solve the identity problem

As I said last issue, there will always be people who object to letting any of their identity data be stored by a third party, no matter how tightly it is locked up. I don’t believe they have a rational argument. Still, since it’s an emotional, visceral argument there’s no logical way to convince them otherwise. Rather than belabor the obvious, let me offer up a second scenario for having the data always available – or almost-always.

In the mid to late 1990s, the buzz was that “smart cards” would be the technology breakthrough of the 21st century. Everyone would carry the “credit card with a chip” device to enable authorization and authentication. Every keyboard, every laptop, every digital device would have a smart card reader built-in. All of the identity data we’d ever need to use would be stored on the card.

We also thought that all keyboards would have fingerprint readers built-in. Some companies even thought that both fingerprint readers and smart cards should be part of your desktop. (Go here for an example:

Head down to your local computer store or look in the Dell catalog and you’ll see a decided dearth of keyboards with built-in smart card readers. While smart card technology continues to grow, albeit at a snail’s pace, network authentication and resource authorization still seem far in the future for these devices.

But while you’re at the computer store, look at the ports on those computers. I’ll wager that 99.9% of them have a USB port. I’ll also bet you can easily find USB storage devices, small enough to fit on a key ring, that can store 256M bytes, or more, of data – like the iDuck (

Most computers these days have USB ports and most operating systems automatically recognize a storage device plugged into a USB port. There are universally recognized encryption technologies. What we need, of course, are public standards for data entry, maintenance and retrieval. This might take a (shudder) new OASIS working group but we should first look at piggybacking on top of service provisioning markup language (SPML) and security assertion markup language (SAML), which already provide for authentication and data exchange.

Reader Jean-Luc Schellens ( suggests the use of pre-filled virtual identity “cards” that could be stored on your USB storage device. The cards, he says, would indicate “…the type of relationships you have – or want to have – as a family member, a friend, a professional, a consumer/customer, a citizen, etc. You’ll exchange your virtual cards by mutual consent, meaning in a formal agreement following your privacy preferences.”

Those of you mourning, as I am, the passing of Novell’s DigitalMe initiative will see the similarities to that technology.

Keep your ideas and comments coming; let’s refine these thoughts into something that’s workable technologically, feasible economically, and acceptable to the average user.