The credit bureau Equifax Inc. has developed a system it says can streamline the process of enrolling with online merchants, but it involves the consolidation of personal data, which some say could invite fraud.
Equifax is expected to announce its I-Card system today. Consumers can enroll by providing Equifax with personal details such as name, address, and Social Security number. The Atlanta company verifies that information against its own database, asks some challenge questions to further authenticate the applicant, then issues a digital credential.
Steve Ely, Equifax's president of personal information solutions, said the goal is to speed up enrollment with participating banks and merchants; rather than providing their personal details over and over again at each Web site, users can just provide their I-Card.
He compared it to a retailer scanning the bar code on a driver's license rather than copying the details by hand each time the data is needed. "You know that when you scan that information out of your driver's license that it was not altered in any way," Mr. Ely said.
The I-Card platform was developed by the nonprofit Information Card Foundation, of which Equifax is a founding member. Other companies can issue I-Cards, but Mr. Ely said Equifax is the first to issue a "managed card," one where the issuer, not the user, controls the information on the card.
It would be difficult for a criminal to be issued an I-Card using someone else's name, Mr. Ely said, because the Equifax fraud detection system is "tried and true."
He also said that people could use their I-Card password in place of their other usernames and passwords at sites that accept I-Cards. In part, this move is aimed at getting people to use the I-Card more often than on the relatively infrequent times when they need to enroll with a merchant or start a bank account.
Mr. Ely acknowledged that since an I-Card password could grant access to all of a user's linked accounts, it could be useful to criminals if stolen. However, he said the I-Card was not intended to be a security tool for the end user, and does not supersede other authentication measures running on banks' sites. "We're not trying to solve the problem of protecting passwords," Mr. Ely said.
Still, he said, using an I-Card to manage multiple passwords is better than alternatives such as storing passwords on a user's home computer where it can be sniffed out by an intruder.
He suggested I-Card users pick a stronger password for their I-Card than for their regular passwords.
So far no banks or merchants are using this system. The cost to banks and merchants would be no different from using Equifax's system on the back end, but it is free to early adopters through the first quarter of next year, Mr. Ely said.
Avivah Litan, a vice president and research director at Gartner Inc., a market research company in Stamford, Conn., said that if the I-Card system were widely adopted by consumers, "it would definitely save time and abandonment" on bank applications.
However, the security concerns are significant, she said. "When you store information all in one place, that place becomes a major target, so it's just a matter of the consumer making a decision between convenience and security."
In a Gartner survey last month of 4,000 online U.S. adults, 56% said they were not interested in using a program from a third party that would provide a single password for use at multiple companies' Web sites, Ms. Litan said.
In most cases consumers prefer security, Ms. Litan said. "This stuff has been tried ever since I've been following e-commerce … and nobody's ever succeeded. People are pretty happy with the way it is."
