This is the tentative title for my upcoming white paper, which is the major deliverable for the btr820 course on Research Methodologies and Writing. I'm excited to be doing this paper because a) I love writing and b) I'm looking forward to learning more about my topic, which is essentially looking at solutions for the future of authentication on the web.
As users of web sites and applications, we are now subject to having to authenticate ourselves multiple times a day - I read somewhere that an average is 13 but for some of us who spend more time online it's probably twice that. Having your passwords remembered for you by the site or by your browser helps, but that is not a great solution for folks who are on multiple computers. Besides, our passwords aren't even that safe to begin with (my bank won't let me use more than alphanumeric characters) and some sites make you change them regularly for extra security (a lie) and so as users we are caught up in a game of constantly trying to stay on top of the latest password for which site and please stop the web now, I want to get off.
What I want to look at is open, decentralized authentication identifiers that go beyond passwords with regard to actual security, that could be in your browser itself, and that would move with you easily no matter what computer you are on.
So I have some questions.
What are the implications of a web browser incorporating an open authentication protocol out of the box where the identifier is the browser itself?
What other options are coming down the pipe in terms of built-in browser features that help users deal with authentication? Is there something better than a decentralized open authentication protocol?
Do browser providers have to stay neutral and leave it up to web application providers to decide how users authenticate on the web or can they step in and lead the charge towards a certain protocol and influence sites instead?
While Weave is an excellent way of syncing your profile across various computers - is it really scalable? What other options are there for having an easy, portable profile which would be able to contain your identity as you move between computers, countries, even to your mobile device?
Thanks for reading this, I look forward to your thoughts on this issue.