Yeah, the French government apparently wants to do away with Internet passwords. They’ve teamed up with a bunch of companies. The idea seems to be that you could use a digital certificate instead.
Which sounds curiously like a system thought up by people who are scared of and vaguely uncomfortable with the Internet. Hey, wait, that’s exactly how Korean Internet Banking works! (Except with outdated ActiveX controllers which I hope the French government isn’t foolilsh enough to get tied up with.)
Mind you, the 공인인증서 — the Korean equivalent of this kind of certificate that is basically a domestic online banking ID certificate — is handy on occasion: it’s nice at tax time, since many of your deductible expenditures have been automatically tracked for you, and you can (given a decent internet connection, a computer with a Korean version of Windows, and the patience of a saint) access all your documents and print them off from one place, no sweat. But even with these certificates, you need passwords. You need them because even when you’ve authenticated your identity, you need to be able to verify individual transactions, as noted by the commentator I’ve linked above.
It puts me in mind of recent (ie. during the past few years) debacles in which major shopping websites in Korea got hacked, with the personal data of millions being downloaded, all because the government that (ridiculously) required the use of a lot of personal information for any random activity online also failed to set and enforce standards for the security of the data it was requiring commercial operators to store and collect for them.
A single mode of authentication sounds to me like a major step down in security — centralization is going to make this a nightmare for the masses as soon as exploits and cracks are found, and they will eventually be found. And if it is going to be secure, people are going to have to keep using passwords, verifying their identities in other ways, and so on. A system might be possible, but I’m nervous about a government implementing it on a huge scale, in a system connected to millions of people’s finances, before it’s run the gauntlet of hostile hackers.
Meanwhile, the single bank card number and password security system for my Canadian account’s online banking site seems to have held out well, security wise. No complicated registration procedures, no wacky ActiveX controls… but then, Canadian banks assume their customers aren’t dumb enough to give their passwords and account information to their kids or strangers who call them on the phone.
By contrast, pretty much every Korean banking or finance interface I’ve used in the last year asks me questions to ascertain whether I’m being voice phished — which goes to show you that a security system is only as good as its users’s training and level of intuitive comfort and commonsense with regard to the system in general. We’ll see whether the French public is ready for this kind of a change, though current plans seem to be set for a very soon due date, if you ask me.