Grading Digital Trust—What If Your Favourite Sites Had a Security Score?

I’ve been in the Digital Identity industry for a long time—way back to the early days of directories and LDAP. I’ve seen the birth of Access Management, Identity Management, Identity Federation, and shiny new technologies like Verifiable Credentials and FIDO. But for all of the great work done by the standard committees, the vendors and the implementors in this space, it never ceases to amaze me when I come across online services that pay the barest of lip service to good digital identity hygiene.

For example:

• The bank whose Internet Banking service requires precisely a 6 character password(!), without MFA
• The DNA testing service that has a maximum password length—which suggests they might be storing passwords unhashed—and no MFA
• The airline that requires secret questions and answers as a password recovery scheme, when most of the answers are easily researched on social media

and one step above those, but still worrying:

• The vast majority of other services that use SMS OTP for MFA, enabling the scammers to ply their vile trade, especially targeting our elderly and most vulnerable.

This got me thinking: what if consumer-facing services were obliged to report against a government-backed rating system for their authentication and data security? I want to explore this idea using Singapore's former A-D grading system for food establishments as my inspiration.

The Singapore Food Safety Model

Singapore previously had a food safety grading system that was elegant in its simplicity. Restaurants and food vendors were rated from A to D based on their overall hygiene and food safety standards. An 'A' grade indicated excellent performance, while a 'D' suggested that significant improvements were needed. Importantly, these grades were prominently displayed (see the image in the banner, above), allowing consumers to make informed decisions about where they ate.

Note: The Singapore A-D system was phased out from January 1, 2023, and has migrated to a ‘Gold’, ‘Silver’ and ‘Bronze’ system. However, its principles remain relevant for this discussion.

Here’s a summary of each grade:

Grade A: Excellent

• Scored 85% or higher on the assessment
• Exhibited high standards of housekeeping, cleanliness, and food hygiene
• Had well-maintained facilities and equipment
• Demonstrated good food handling practices and personal hygiene
• Had comprehensive and well-implemented food safety management systems

Grade B: Good

• Scored between 70% to 84% on the assessment
• Maintained good standards of housekeeping, cleanliness, and food hygiene
• Had adequately maintained facilities and equipment
• Demonstrated generally good food handling practices and personal hygiene
• Had food safety management systems in place, but with some room for improvement

Grade C: Average

• Scored between 50% to 69% on the assessment
• Met basic standards of housekeeping, cleanliness, and food hygiene
• Had some issues with maintenance of facilities and equipment
• Showed adequate food handling practices and personal hygiene, but with notable areas for improvement
• Had basic food safety management systems, but implementation was inconsisten

Grade D: Poor

• Scored below 50% on the assessment
• Failed to meet basic standards of housekeeping, cleanliness, and food hygiene
• Had significant issues with maintenance of facilities and equipment
• Demonstrated poor food handling practices and personal hygiene
• Lacked comprehensive food safety management systems

Establishments that received a 'D' grade were typically required to make immediate improvements and were subject to more frequent inspections. If they failed to improve, they could face closure until the issues were resolved.

This system provided a clear, easy-to-understand metric for consumers and a strong incentive for food establishments to maintain high standards.

A Possible Digital Security Grading System

We could apply a system similar to Singapore to the realm of digital security and consumer authentication, aligned with the latest NIST (National Institute of Standards and Technology) guidelines. Let's consider an A-D grading scale for banks and other online services that handle consumer data:

Grade A: Excellent security practices

• Implements a strict minimum password length of 8 characters, encouraging even longer passwords
• No mandatory password complexity requirements (e.g., no forced use of special characters)
• Implements phishing-resistant Multi-Factor Authentication (MFA) solutions, such as passkeys or hardware security keys, as a primary or optional authentication method
• No periodic password reset requirements
• Allows users to paste passwords and offers "show password while typing" option
• Implements breached password protection, checking new passwords against known compromised ones
• No use of password hints or security questions
• Limits the number of failed login attempts
• Clear and transparent data handling and privacy policies

Grade B: Good security practices

• Implements minimum password length of 8 characters
• Offers phishing-resistant MFA solutions as an option, alongside traditional MFA methods
• Allows password pasting but may not offer "show password while typing"
• Implements some form of breached password protection
• Limits failed login attempts
• Security audits conducted, but may be less frequent than Grade A

Grade C: Adequate security, with room for improvement

• Basic password requirements, may still enforce complexity rules
• MFA available but not phishing-resistant
• May still use periodic password resets
• Limited or no breached password protection
• May still use password hints or security questions

Grade D: Poor security practices

• Weak password requirements (e.g., very short minimum length)
• No MFA option available
• Enforces frequent password changes
• No breached password protection
• Uses insecure practices like password hints or security questions
• Doesn't allow password pasting
• No limits on failed login attempts

Under this system, my bank with its 6-character password and lack of MFA would undoubtedly receive a 'D' grade. In our digital security grading system, a 'D' grade could lead to mandatory improvements within a set timeframe, or even penalties.

Addressing Potential Risks of the Rating System

While a public rating system for digital security practices offers numerous benefits, I can see a potential issue straight away: organisations with lower ratings could become more attractive targets for hackers and phishing attacks. This could potentially undermine the very security we're trying to improve.

There are ways to mitigate this risk—allowing time for organisations to fix major issues before public reporting could be one. Not detailing specific poor practices along with the overall score would be another. But it would certainly raise the public’s understanding of the digital hygiene of that organisation.

Informing Consumers

Returning to my personal example, it’s clear that many other consumers are unknowingly using services with subpar security practices. If a service had a visible 'D' rating for its authentication methods, I would certainly think twice about signing up with them in the first place.

This system would also make me reflect on my own digital habits more often. Am I choosing convenience over security in other areas of my digital life? A standardised rating system could serve as a constant reminder to prioritise our digital safety.

Looking to the Future

As our lives become increasingly digital, the need for robust consumer protection in the online world grows ever more critical. A government-backed rating system for consumer authentication, inspired by successful models like Singapore's previous food safety grading, could be a powerful tool in this effort.

Imagine going to an online service and seeing an 'A' grade prominently displayed, not for its food safety, but for its commitment to protecting your digital identity and sensitive data. Or choosing a new online service and being able to quickly assess its security standards at a glance.

While such a system would require careful planning, ongoing maintenance, and face inevitable resistance, the potential benefits to consumer safety and trust in our digital economy could be immense.

As for those services I mentioned, with their outdated security practices? In this hypothetical world, they'd either quickly improve their systems to meet higher standards, or risk losing customers to more security-conscious competitors.

And that's a world I'd feel much safer in.

For more of my thoughts on Digital Identity and associated topics, check out my website, markperryid.com