Ideas

I'd drop the idea of using ssn's as part of the id, myself. You're going to have major privacy concerns already, and that's a piece of information that would be really useful to an identity thief. As well, I'm not sure how you would verify that. I would think the US government doesn't let you confirm that an ssn belongs to so and so at such and such address. As well, it'd really lock you in to a USA specific application.

It sounds like the real point of this idea is to tie an online login very strongly to a physical, bricks and mortar identity. I think its' a good problem to solve, but I'm not sure you can solve it without requiring some real world interaction.

How do you determine that I'm not an identity thief who just happens to know my address, ssn, birth date etcetera, say because I didn't shred my 2000 tax return? I think we can make it more difficult, but not perfect.

I think if you had a system where someone had to come into a physical office, show their drivers license, and have the photo on it verified to match the one at the dmv (as more and more licenses are converted to electronic cards, this should be possible). Then an identity theif has to look like me, have my actual license, and be able to fake my signature to assume my identity.

That's an online identity I would have really strong faith in.

Thanks for your comment Laura! Good points.

As for the SSN... That is not necessarily important and I was using that to so that users could not establish multiple identities. However, your idea to boil it down to physical confirmation by some authority would be a great concept to add. This may be done by utilizing notary services, but there is still the risk of fraud with the notaries, but at least their would be a paper trail. As this gained traction there would be the opportunity for integrating a system with the government institutions (like maybe the DMV).
The i-token could be transitioned in the future to High-Security Verification only. Where every member would have to have a finger print scanner (or other physical identity tool) in order to use the service. I am sure with a certain base of membership, we could offer a start-up kit which would include a scanner, software, and other tools for $30-40.

Keep the ideas coming I have been dealing with some scammers and this would be truly a web 2.0 tool which is so desperately needed.

Never, put your passwords or info like this on your computer.

Never, put your passwords or info like this on your computer
And you can write NEVER in capitals!

Laura's point is key. In order for your high-security verification to mean anything, you have to have real face-to-face authentication on the front end when the key is issued. This problem has been solved in various ways. The crowdsourced way is PGP key signing parties where people meet face to face and you use your PGP key to sign the PGP key of people you physically know. This builds a web of trust to provide real authentication.

If you want to do this in a centralized way, then you need a very strong way to do that authentication on signup and the rest of your system is only as secure as that step.

Just as a personal aside, until we fix all the problems with real-world authentication I don't think there's a lot of progress to be made in online authentication. It's fairly easy to fake drivers licenses, etc. in the real world, so they don't provide a real secure way to build an online identity. Personally, I prefer having a pervasive assumption that the online environment is insecure and not authenticated and building up from that on a case by case basis rather than relying on some system that pretends to provide secure authentication but is based on a flawed premise. I don't intend that to mean that this isn't worth trying, only that you need to address how very difficult it will be to do well.

I think you are missing the point here...And I am getting dragged of track as well...

Kevin-Vanhees-
You are verifying your password to your i-token software program. Kinda like Norton or any password protected document. In onrder to complete the token creation process you would need some level of security:standard-password, medium-security key, high-fingerprint verification. The i-token replaces the need for passwords and profile creation. It will fill out the information you wish to include.

micco and Laura-
The thing here is not necessarily to verify a person's actual legal existence(though at some future point that would be nice), but rather to attach some physical identity to a virtual identity. For instance, I just opened an account online at WAMU. WAMU doesn't know if I am who I say I am. I entered a wealth of information and my account was created. Well in the case of the i-token, I could add a token verification to that account, which would support all the info I provided (or even provide it for me) and attach a method for all future ID verification on the system. Since I originated the account with my i-token system, every future visit I could drag and drop a login token (w/ fingerprint verification) into the system and secure my account.

Another example would be ebay (or like systems). I had buyers that drove my bid price to an astronomical amount, only later (after they had made contact and I said that I was reporting them to ebay) to say that their account had been hijacked. The itoken would only allow you to access your account via the i-token authorization system.

I am very disappointed in my ability to convey this idea. Web 2.0 needs something different and I see a solution, but can't seem to convey an idea on CH! Whatever-I am done!!! :)

Is this just a more complicated and closed version of OpenID (http://openid.net/).

DTINGG, I think you're expressing yourself very well. I don't see why you're getting frustrated working through the details. If you want to drive this plan to actual existence, you're going to have to explain it to people more thick-headed and agenda-biased than anyone here, so just consider this practice to fine-tune your pitch.

So I understand now that you're not trying to tie an authentication to a real person, just to an account. So comparing to WAMU and eBay, you want to be more portable than your WAMU (allowing you to prove to other people that you are the WAMU user) and more secure than eBay.

Maybe if you could compare and contrast with existing systems like openid.net and credentica.com, that would help us understand.

Sorry, out of my league.

http://www.just1key.com/faq.html

Is this the sort of thing you are hoping to develop?

If not, how would you recommend changing this package ?

I am trying to understand

Good Luck ?

No actually Credentica has pretty much nailed it down... I looked into it further and finally understood what it is that they did. Their ID Token is pretty much my idea, of course they figure out the encryption method how to make sure that only the verifier (Credentica) could verify and release information to desired 3rd party. Which is great!! Not so much for this idea, but at least I know that I can come up with ideas worthy of Microsoft's money. Credentica's version is little narrowly focused, however with Microsoft buying them out I am sure they will figure out a way to market it to the masses.
That said, this idea was just a watered down version of my original i-token idea. Which also used the token concept to include currency. For instance, the i-token would be a personal letter of credit verified and fulfilled by the verifier. I am sure that they will eventually get there, but who knows how long it will take. In the meantime I will just continue to come up with overcomplicated, hard to implement ideas until I actually find one that I can convey properly and possibly get someone fired up about it.

Actually I am bit confused on Credentica's ID token. Who is the Verifier?? Can anyone take a look at this and tell me???

http://www.credentic...unique_features.html

Thanks!!

Two Words: Open ID