Sunday, March 15, 2009

No More Passwords Please

This is the tentative title for my upcoming white paper, which is the major deliverable for the btr820 course on Research Methodologies and Writing. I'm excited to be doing this paper because a) I love writing and b) I'm looking forward to learning more about my topic which is essentially looking at solutions for the future of authentication on the web.

As users of web sites and applications, we are now subject to having to authenticate ourselves multiple times a day - I read somewhere that an average is 13 but for some of us who spend more time online it's probably twice that. Having your passwords remembered for you by the site or by your browser helps, but that is not a great solution for folks who are on multiple computers. Besides, our passwords aren't even that safe to begin with (my bank won't let me use more than alphanumeric characters) and some sites make you change them regularly for extra security (a lie) and so as users we are caught up in a game of constantly trying to stay on top of the latest password for which site and please stop the web now, I want to get off.

What I want to look at is open, decentralized authentication identifiers that go beyond passwords with regards to actual security, that could be in your browser itself, and that would move with you easily no matter what computer you are on.

So I have some questions.

What are the implications of a web browser incorporating an open authentication protocol out of the box where the identifier is the browser itself?

What other options are coming down the pipe in terms of built-in browser features that help users deal with authentication? Is there something better than a decentralized open authentication protocol?

Do browser providers have to stay neutral and leave it up to web application providers to decide how users authenticate on the web or can they step in and lead the charge towards a certain protocol and influence sites instead?

While Weave is an excellent way of syncing your profile across various computers - is it really scalable? What other options are there for having an easy, portable profile which would be able to contain your identity as you move between computers, countries, even to your mobile device?

Thanks for reading this, I look forward to your thoughts on this issue.


mardeg said...

I just used my Yubikey to authenticate for this comment.

aphirbli@ said...

Here is a great example of how authentication really sucks: I had to create an account to post this comment, and it took me more than ten minutes just to find an email address which was not already taken, and an additional five minutes to get to the form and fill out the rest of it. I ended up using the captcha as my email address.

While decentralized authentication is great in theory, I haven't seen a good example of it in practice. It might be because they had no browser support. Take these two pages as examples:

They have lots of bad things in common:
1: They fill your screen from top to bottom with advanced technical information, and all this information is needed to log in. A simple username and password takes up two lines of input.
2: They both require multiple steps to authenticate, making the process way too complicated.

I really like this screenshot:

aphirbli@ said...

Oops, I forgot my name in my comment above: Jesper Kristensen

Josh said...

I love OpenID and think it is the future of authentication, but if you are talking about something browser-based, you should look into the certificate-based login at MyOpenID.

Johnath said...

Josh beat me to the first mention, but a lot of problems people are keen to invent new technologies to solve have been solved by client certificates for 10+ years. The problem is that the technology is ugly - the user interface in Firefox is horrible (for those who even know it exists) and it takes more than zero configuration to make a web site happy with it too.

But the rewards are huge. A broadly deployed and tested technology already out there with strong, public crypto and protocols, useful metadata, and a wide range of identity detail possible. It's how every Spanish citizen pays their taxes and how most of them do their banking. Ditto South Korea. Ditto Belgium. We don't see it in North America much outside the military and a few large corps (HP, I think, has broad cert deployment?), but I suspect if you asked most of those people how to solve the multiple auth problem, they'd have a different answer than you typically encounter among the (North American) web2.0 crowd.

mawrya said...

Interesting, I was just thinking about this yesterday while shopping online. I must have all kinds of accounts with all kinds of websites and it can be difficult to keep all the passwords in my head. The typical solution is: click "Forgot Password", enter email address, receive new password via email, go back to website and type in new password. Pretty much all the sites I use employ this approach. It struck me that inventing a new technology to deal with password management would be an uphill battle to say the least. The current email system does work, and everyone uses it, if only it were more streamlined... When you click "Forgot password" you would type in your email address (Firefox usually auto-completes it in anyway) and hit submit, next the website fires off an email with the new password. Nothing new so far. Next, your BROWSER checks your email account for an email from the domain you are visiting, gets the new password from the email and then logs you in. (You would have to work out the transaction details but I believe they are very achievable.)

This approach frees one from remembering passwords - you just need to be able to log into your email account - that's one password and the browser can even store that for you when you are on a personal computer.

The web already has an identity system: Email addresses/accounts. It's a standardized, open system; everyone already has an ID; everyone understands the system. The most unobstructed way forward may involve taking advantage of what already exists.