The Internet Identity Crisis

December 1, 2000

By Joshua Dean

hese days, it seems as if everyone is having an Internet identity crisis. Agencies and businesses online are asking: Are you who you say you are? Citizens are worried that governments and businesses are tracking their Web-surfing habits. Customers want to be sure their online purchases or government-related transactions are secure.

This might sound like a grim state of affairs, but some of the news is good. Technology that has the potential to make both agencies and their customers happy is reaching the market. IBM Corp. and its partners in the computer security field have developed new, integrated options that ensure secure access to the desktop and authentication of users online. IBM integrates digital certificates, public key infrastructure and biometric technologies to protect users online. Digital certificates are small files that identify users. Users often have a single certificate in their workplace for applications such as secure e-mail or file encryption. But IBM expects that users will get certificates from a variety of sources, including government agencies, financial institutions and, possibly, merchants.

A digital certificate, which helps validate and mark a user's digital signature, requires secure storage. IBM and Intel have created technology that moves certificate storage from a user's hard drive to a secure area of the computer. The new storage area serves as a certificate depot that is highly encrypted to prevent the theft of identity on the Internet. IBM is working with other companies to exploit this technology. One of those firms is Entrust Technologies Inc. of Plano, Texas, which developed the secure e-mail program Entrust/Express. The company specializes in public key infrastructure (PKI) applications. PKI is a network structure that authenticates users based on their digital signatures. Express encrypts e-mail messages and then stamps a digital signature on outgoing mail. Only a recipient with a valid digital certificate can decrypt and read the messages.

But having computers that encrypt and digitally sign transmissions are useless if unauthorized users gain access to even a single computer in an organization's network. This has forced system administrators to rethink computer access controls, one of the weakest links in security, especially when text-based passwords are used.

One way out of this bind is to use biometric technology. Such technology is based on validating a user's physical attributes with fingerprint or iris scans. DigitalPersona, a Redwood City, Calif., company that makes fingerprint recognition products, says such technology adds another layer of security to computer access. (It uses digital signatures.) With biometric technology, a computer would require a fingerprint or iris scan when the user turned it on. If the scan were successful, the user could then access the network and applications. But with a secure e-mail solution such as Express, the computer could also prompt users for scans whenever the users attempted to send out encrypted e-mail requiring a digital signature. This process provides proof of the user's identity every step of the way.

Such technologies could make Internet transactions much more secure. IBM, Intel and Entrust hope these features will become as ubiquitous as the computer password or even the Internet browser.

And because many agencies would like to employ public key infrastructures as they move toward electronic government, their wish might come true.

HARDWARE

Not Your Average Cell Phone

ave you ever wished you could combine the best elements of your cell phone and your handheld computer? Handspring Inc., a Mountain View, Calif. manufacturer, has done just that.

Handspring makes the low-cost Visor handheld computer that is based on the Palm operating system by Palm Computing Inc. The company has created a plug-in that turns the Visor into a cell phone. But perhaps the biggest advantage of the combined unit is that users have access to contacts stored in their address books.

"This brings voice communication to handheld computing," says Brian Jaquet, a spokesman for Handspring. "You can dial in directly from your address book with the VisorPhone. All you have to do is click on the phone number."

Handspring's VisorPhone costs $299. A Visor costs between $149 and $249. The VisorPhone will work with cellular services from BellSouth, Pacific Bell, Powertel and VoiceStream. Handspring users also can plug in a headset, allowing them to talk on the phone and use the Visor at the same time.