

Identity is broken. - kirillzubovsky
http://www.geekatsea.com/identity-is-broken

======
TrevorJ
There aren't any great solutions to this problem on the horizon yet, sadly. FB
login isn't a viable option because they are so aggressive about using it to
mine data, and let's face it - there are probably plenty of logins and
services people don't want co-mingled with their public persona. Google login
is another non-starter for similar reasons, but with the added issue that
they have so many services, with so many TOS's, that you run a very real risk
of losing access to a bunch of third party accounts if you ever run afoul of
Google's policies and they terminate your service. This happened to a lot of
people who signed up for G+ but were not above the required age: they lost
access to gmail and all the other Google services simply because they didn't
read the fine print.

Oddly enough, I think it might be credit card companies who are in the best
position to solve this problem. They already have a large infrastructure for
detecting fraud, they have the trust of the general public, and they already
have a high level of integration with many websites. More importantly, they
have a business model that is not predicated on selling your data to make a
profit (well, at least not entirely).

~~~
politician
The video linked at the end suggests using NFC-equipped smartphones to
transmit blinded credentials containing just enough information to gain entry
(e.g. I am over 18, I have authority to enter this pub, etc). What do you
think about that solution?

~~~
TrevorJ
I like the idea of a physical key like this a lot. I think it matters though
that we are talking about something that happens 'over the air' (even if it is
just NFC). The security would need to be bulletproof. I'm not very
knowledgeable about how these systems work for NFC other than RFIDs in credit
cards. With credit cards there is a dynamic CVV code that can only be used
once so if somebody sniffs your card they can't use it for more than one
transaction. This might be acceptable for credit cards, but it isn't ok at all
for a login scenario because if they compromise your login once, they
potentially have access to all sorts of things.

------
waffle_ss
I think OpenID + owning your own domain is a good solution to this problem.
You simply put some special HTML in the header of
http://<yourdomain> to create a "delegate" that points
to an authenticator of your choice. If this authenticator goes down or is
compromised, then you edit that HTML stub to point somewhere else. I prefer
using my domain name as a single point of failure over my email address,
because I think it's harder to lose control of my domain name (actually if I
lose my domain then I've lost my email too, as that controls my MX record).

The problems are that not every site supports OpenID, and that
owning/maintaining one's own domain isn't as easy as getting an email address
(tough for grandmas to do). The former issue would solve itself if OpenID
would become more used (kind of a paradox), while the latter is slowly gaining
traction, I think (now with sites like GoDaddy it's not too hard for lay
people to buy a domain and write HTML with a WYSIWYG editor). Remember, there
was a time when getting an email address was not a trivial thing.
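As an added illustration of the delegation stub described in this comment (not code from the commenter or from any OpenID library), the following script embeds a constructed home page carrying the standard OpenID `<link rel="openid.server">`/`openid.delegate` (1.1) and `openid2.provider`/`openid2.local_id` (2.0) tags, and shows the discovery step a relying party performs when it fetches that page. All hostnames are placeholders; switching authenticators is exactly what editing those `href` values does.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a user's home page carrying the OpenID "delegate"
# stub: <link> tags in <head>. Every hostname is a placeholder, not a real
# provider. To repoint to a new authenticator the user edits these hrefs.
USER_HOME_PAGE = """<html><head>
<title>alice's home page</title>
<link rel="openid.server" href="https://openid.provider.example/server">
<link rel="openid.delegate" href="https://alice.provider.example/">
<link rel="openid2.provider" href="https://openid.provider.example/server">
<link rel="openid2.local_id" href="https://alice.provider.example/">
</head><body>Hello</body></html>"""


class _HeadLinkCollector(HTMLParser):
    """Collects rel -> href for <link> tags inside <head>; first one wins."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        elif tag == "link" and self._in_head:
            a = dict(attrs)
            rel, href = a.get("rel"), a.get("href")
            if rel and href:
                # rel may hold several whitespace-separated tokens
                for token in rel.lower().split():
                    self.links.setdefault(token, href.strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover_delegation(page_html):
    """Return the provider endpoint and local identifier a relying party
    would use after fetching the user's page, or None if no stub is present.

    OpenID 2.0 tags take precedence over the 1.1 tags. A missing local_id
    means the page URL itself is the identifier at the provider.
    """
    collector = _HeadLinkCollector()
    collector.feed(page_html)
    links = collector.links
    if "openid2.provider" in links:
        return {"version": "2.0",
                "provider": links["openid2.provider"],
                "local_id": links.get("openid2.local_id")}
    if "openid.server" in links:
        return {"version": "1.1",
                "provider": links["openid.server"],
                "local_id": links.get("openid.delegate")}
    return None


def endpoint_is_acceptable(url):
    """Relying-party sanity check (an added policy, not part of the OpenID
    text): only follow absolute https:// endpoints, so the redirect to the
    authenticator cannot be rewritten in transit."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


if __name__ == "__main__":
    found = discover_delegation(USER_HOME_PAGE)
    print(found, endpoint_is_acceptable(found["provider"]))
```

The parser deliberately ignores `<link>` tags outside `<head>`, and the https check is the kind of minimal guard a relying party wants before trusting a user-supplied redirect target.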

------
jmharvey
FB login is a good concept, but I've seen too many situations where "Log in
with Facebook" leads to a page asking me to give permission for the app to
post to Facebook on my behalf.

There's clearly a need for a standard login, but there's also a need for a
much brighter line between identification and permissions. Until that happens,
even when it's available, many users will shy away from using a standard
login.

~~~
kirillzubovsky
Exactly. I think that Google could actually solve this single-signon problem
by encouraging more websites to auth with Google. They should stay clear on
permissions though and not ask me to connect the rest of the internet to my
Google+ account, otherwise I would shy away from this solution much like I shy
away from Facebook. Actually, right now I trust Twitter the most, when it
comes to authorizing apps; not sure why that is though. Maybe because I am
under the impression that Twitter isn't going to post more cat pictures to my
profile just because it can.

~~~
AncientPC
What advantages are there of using Google-specific authentication over using
OpenID with Google?

------
dangoor
Mozilla is trying to fix this, through the BrowserID (Mozilla Persona)
project.

http://www.mozilla.org/en-US/persona/

This article actually somewhat validates the approach BrowserID takes: you use
your email address as your ID. BrowserID provides a way to verify that you own
the email address in question (that you are who you say you are).

There's a lot more planned, but the core of it is simple and easy to
implement.

ObDisclaimer: I work for Mozilla, but not on Persona.

