24 June, 2008

online "ID Card" instead of passwords?

Passwords suck, but (currently) they're what we use. They're cheap, there's tons of information and so-called "best practices" around their use and storage, and the concept is pretty commonly understood among users. On the other hand, there is nothing that really ties them to an individual, they're relatively easy to compromise, and with the number of passwords that most users have, they're extremely confusing and frustrating to use.

The idea in the article from the NYT below has a ton of challenges, but it's one idea that at least seems to have a little momentum behind it. From a quick read of the article, it looks like they're thinking about something similar to Shibboleth, but trying to put some of the control over trust relationships in the hands of the end-user. I wouldn't feel all that comfortable if the control over the "keys to the kingdom" was centralized with any one vendor, but it'll be interesting to see if anything shakes out of it. The article is at least worth a read.

Technology Leaders Favor Online ID Card Over Passwords - NYTimes.com:

"The idea is to bring the concept of an identity card, like a driver’s license, to the online world. Rather than logging on to sites with user IDs and passwords, people will gain access to sites using a secure digital identity that is overseen by a third party. The user controls the information in a secure place and transmits only the data that is necessary to access a Web site.

In addition to simplifying online shopping, such information cards will reduce the number of phishing incidents — that is, the fraudulent use of someone’s identity to gain access to financial records, according to Robert Blakeley, a research director at the Burton Group, a consulting firm that is participating in the effort. 'You don’t have to depend on a password, so there’s no phishing opportunity,' he said."
