LEADER Q&A: Vittorio Bertola, Head of Policy & Innovation at Open-Xchange

In our latest Leader Q&A, Vittorio Bertola, Head of Policy & Innovation at Open-Xchange, talks about the current challenges in identity and introduces ID4Me – a new public, open, federated digital identity service. 

What is the single biggest identity challenge we are facing right now?

The challenge is how to create an open, broadly supported identity system that can be used by everyone securely, without losing control of one’s own information or being forced to give it to a single company that lives off data monetization and online advertising.

It is clear that the current practice of having hundreds of separate accounts, usernames and passwords is not manageable anymore; it creates security holes while also being unwieldy for the user. There are few alternatives, but none are fully satisfactory; password managers are hardly portable and aren’t very user-friendly; public “eID” documents are burdened with bureaucracy and complexities and are often overkill for everyday use; social network logins are ubiquitous, but expose your data to tracking and monetization.

There are several entangled issues: how to put the user back in control of the data, how to ensure that data is stored and transmitted in a secure way, how to provide a single identity without giving way to even greater surveillance, how to allow for absolute certainty of the user’s identity when necessary, but also for anonymity when desirable. Something new must be conceived to address all these challenges by design, as patching the old is not going to work.

What is the problem with single-sign on?

Single sign-on is a great paradigm: it allows you to only have one set of credentials – one username, one password, one app – and use it everywhere. However, the flip side is that whoever manages your centralized account is able to track each and every place you log into and monitor all the information you exchange with these websites. If this is a company that is not fully committed to your privacy, as its business model relies on exploiting user information to make revenues, this could easily turn into a nightmare in terms of privacy and freedom.

How does ID4Me address the issue?

ID4me starts from the model introduced by social network logins, as this has shown to be easy to use and appreciated by the users, but turns it around putting the user in control. While with social network logins you have to trust the specific company that is giving you the account, in ID4me you get to choose who is providing and managing your identity – actually, you could even run it yourself if you had the technical skills. If you do not trust your provider any more, you can change it easily without losing your accounts.


Furthermore, ID4me separates the validation of the credentials from the management of your personal information, attributing these two functions to different entities, and reducing the amount of information that each of them gets about you. It also gives you the option to provide or deny consent to sharing each individual piece of information with each single website you visit, giving you full control over where your data goes.

Does there need to be a trade-off between making it easy for an individual to identify themselves and being secure?

Not necessarily – in fact, whilst your centralized single sign-on account has to be kept very secure, the current practice of reusing passwords or having simple ones that are easy to remember is more risky than having a single strong password managed in a single place. In fact, that single place can introduce additional security in the authentication procedure and apply it immediately to any login you do anywhere. Also, if your credentials ever got exposed, you can change them immediately for good; today, if a website leaks your password and it is the same one that you used on 100 other websites, you have to change it 100 times (good luck).

Do you think there is still confusion surrounding the difference between identity and authentication?

All the terminology around this is not so firm yet, as there are not so many standards around; and the average user often has a hard time understanding anything more complex than “I enter a password and I am in”. But in the end, we all start to realize that we have a digital identity, possibly more than one, and that authentication is just the leeway into it, and that an identity really is about all the information that describes who you are and what you do online. It is an important distinction, also because people that give you easy authentication sometimes seem to underplay the fact that you are also giving them control over your identity. But as more mature standards emerge, I think these concepts will become clearer to everyone.