Assume your computer, your cellphone and your iPad are all insecure, subject to hackers. All three of them working together to protect your information — would that be better?
It would, according to OneID, a start-up company in San Jose, Calif., that is trying to promote a new kind of single sign-on security for the Web.
Single sign-on is a kind of holy grail on the Internet, a way of avoiding having to remember separate passwords for every Web site and service a person uses. Like the original grail, lots of people have believed in it and no one has found it. In this case, Microsoft, IBM, Sun Microsystems and long-forgotten companies like Oblix (now part of Oracle) have all tried.
Frequently the technology behind one company or another’s single sign-on is plausible, but everyone else on the Internet is not comfortable turning their customers’ identities over to one big player. Facebook might want to be the one-stop identity company, too, but would face distrust. This may leave an opening for a smaller company with sufficient financing and a novel technology.
Enter OneID, founded by Steve Kirsch, a well-known Silicon Valley multimillionaire who founded, among other companies, the search engine Infoseek. His technology confirms who you are by combining the private security keys of several devices, which are then encrypted in a blob in a remote data center. Supposedly your personal information, including your name and address, passwords and credit card data, cannot be obtained there, either. When you want to log on to a Web site, OneID checks the security of the site, then determines who you are by confirming three different digital signatures on different devices. Merchants never see your credit card information but receive a clearance from OneID.
(Mr. Kirsch is also somewhat known in the valley for having gone public about his blood cancer, which a few years ago threatened his life. He appears healthy and says he is taking a drug that keeps the condition stable. In addition, he is closely following new therapies, one of which he thinks looks quite promising.)
The redundancy in the OneID system, Mr. Kirsch says, is what makes the product effective. “You have to compromise three different private keys to break into this,” he says. Distributing information across devices makes it safer. In some cases, the individual digital signatures are stored with other providers, so one step to hacking OneID would involve hacking Apple without a trace. There is usually an added level of security, Mr. Kirsch notes, in that many cellphones and tablets have their own access codes, so a hacker would have to obtain all of a user’s devices, break into them and get at the personal information before his target could know that anything was wrong.
OneID recently won a VC Bait contest at a big e-commerce trade show called X.Commerce. Mr. Kirsch is also offering $1 million of his own money, plus his name and one password, to hackers who are willing to try cracking the overall system.
The product is set to have its debut in February, but if you register at the company’s site now, OneID will give you priority in securing the handle by which you wish to be identified, which could be a valuable thing, if OneID catches on.
I recently ran into Mr. Kirsch along Sand Hill Road, the center of the venture capital universe, and he invited me down for a look at the product. It seems easy to use, and graphically very attractive, particularly the control screen for the iPad. This allows you to set higher levels of security for certain places or tasks, allow or shut off access to other devices and deal with browsers you might use at a public computer. Mr. Kirsch has similar interfaces for other devices and has worked on a QR code version of the service, so you could establish your identity at a checkout stand by holding a phone over a scanner. It seemed to work quickly enough, despite all the cross-checking going on in the background.
It is all very nice, but as much as the fancy security, the real test of single sign-on is how readily others are willing to use it. As Mr. Kirsch put it at the start of our meeting, “Hundreds of people have tried this already, so why shouldn’t you write my obituary?” His advantage, he thinks, is in the compelling nature of the technology, his network of connections into big companies that might be interested in such a product and a general dissatisfaction with the current system.
“I have one wife, one car, three kids, one cat, and 352 user names and passwords,” he says. “We have plenty of allies who want to move past this.” Facebook has already been somewhat successful as a single sign-on service for social sites, though not yet for financial information. Mr. Kirsch may hope Facebook’s size makes others wary, giving him an opening.
As for another likely competitor, PayPal, he says, “They are focused on being a payments company. OneID is an identity company.” In his mind, anyway, payments are just a subset of identity. Can’t say the man is thinking small.
Mr. Kirsch was clearly in the middle of several demonstrations and negotiations with computer, payments and social media companies, but so far would not say if he had any agreements. He will need a lot, if the company is to get any traction. But then, that was the initial problem for the credit card companies. People were first suspicious of plastic and accepted it more readily once others did.