
Cutting the Gordian Knot of Web Identity - alexandros
http://www.codinghorror.com/blog/2011/09/cutting-the-gordian-knot-of-web-identity.html
======
patio11
There's a couple of _very different problems_ getting presented here.

1) Password management, which is a solved problem by geeks and normals alike.
Geeks use password managers. Normals use three passwords.

2) Single sign-on, which is less medicine and more vitamin as far as things
go.

3) Net-wide identity. HERE BE DRAGONS.

As soon as you start doing the most trivial possible quanta of work to resolve
the OMG DRAGONS, you start compromising the system's utility for password
management and sign-on.

You'll need, minimally, new UI for "What information about yourself should we
share with $NEW_SITE?" and for switching between users/profiles. This will
happen in ways your users don't really understand.

Among the many OMG DRAGONS:

1) Microsoft, Mozilla, and Google can get into a corner and say "Heya,
federated identity would be the awesome!" all they want, but there are laws in
the US, Japan, Europe, and points beyond which don't make "It is an open
standard!" into a compliance safe harbor.

2) You know that whole Google+ thing about real names and people having
multiple identities which don't necessarily intersect with each other? Yeah,
um, that.

3) Speaking of which, how about the other intractably hard problems for pre-
filled biographical information like e.g. human names? They're, ahem, a wee
bit tricky!

------
dredmorbius
I'll take this one further level meta: why the hell does any site need to know
"who" I am, period?

I know the obvious answer: for the advertising and marketing leverage. I'll do
my own hand-wave here and say that this is specious, that there's a
sufficiently rich predictive dataset based on other extant characteristics
(browser type, IP location, on-site behavior) to do an adequate job of
targeting ads to my instance of AdBlock+.

A large part of the reason I don't subscribe to sites such as The New York
Times is ... I feel really uncomfortable having _my_ list of reading
preferences on the news site available. That's discoverable in all sorts of
ways (legal or otherwise), and I have to trust in the Times, its staff, temps,
contractors, third-party business relationships, vendors, ISPs, systems
disposal methods, etc., etc.... Multiplied by every site on which "I" have an
account. Um. Thanks but no.

There's the issue of payment. Bitcoin is only the latest iteration of a
digital cash. Many banks now offer one-time payment tokens. There's _no_
technical reason (though arguable usability reasons) for me to have to provide
a shared secret (my account number and verification code) with every online
(or offline) financial transaction. This system is proving increasingly
fragile, and both online and offline systems have and will be compromised.
Cash risks only the current value held. Credit/debit risks a future stream of
compromised payments.

I'm moderately fine with the old-school world of pseudonymous passwords,
especially with fallbacks of cypherpunks/cypherpunks, or
cowboyneil/cowboyneil (or BugMeNot) on sites. If nothing else, I'm sending a
very clear signal that _I don't want my data mined and I don't trust YOUR
systems for guarding against this so I'm invoking my own_.

There's still the closing problem of delivery. This can be managed by various
means, including selective disclosure to the shipper only.

In the real world, we engage in complex transactions based on very limited
identity and information disclosure. The person who makes my pencil (or
ThinkPad) has no idea who I am or where I live, let alone much information
about the other entities responsible for the production of the product.

The technologists here know that building a modular system with limited
information disclosure based on what's needed to accomplish a given
transaction, presented at the interface between operations, leads to a
simpler, more robust, and ultimately better system. Why are we trying to
design an online commerce system that's at such odds to these principles (see
"ads/marketing" comments above)?

------
rmc
I wish he would stop referring to it as "Internet Driving Licence", that
implies some level of skill & a test is required to pass it, and that you can
get punished with penalty points, and that your licence could be revoked.
Perhaps "internet identity card" / "internet passport" is a better term?

------
losvedir
I'm not sure I like this solution very well. It's tied to a particular device
and browser (unless you authenticate to the cloud or something, which means
you have to deal with passwords anyway), and if someone sits at your computer
they can log into all your stuff.

However, here's an interesting authentication solution I've been reading about
lately[1] proposed by an actual security researcher. That blog post links to
his peer-reviewed paper and to a talk that he gave.

The idea is basically to have a specific identity manager device he calls a
"pico", with a little camera on it. Web sites can display a QR-code or
something with its public key in it, you point the pico at it, and the pico
authenticates with the site on its own. His proposal also includes weird "pico
siblings" and stuff like that, which seems unfeasible to me, but some version
of it as a mobile app might be interesting.

[1] <http://www.lightbluetouchpaper.org/2011/03/27/pico-no-more-passwords/>

------
bahadden
I'm a bit wary of any system that automatically supplies identity information
to a website. Under a system like this, how would you decide 'I don't fully
trust this site so give it a different email address and fake name'.

~~~
bobds
There is a confirmation step mentioned, you could choose an alternate identity
then or generate a random one just for this site.

------
zerostar07
Mozilla launched browserID, but in reality it's not much different from
facebook, twitter, google, openid etc. Facebook and twitter give webmasters
the promise of virality, that's why they have been relatively successful.

Still, they are a nightmare. What if facebook decides to ban your domain? What
if a user's account gets hacked?

What if we changed the rules of the game a bit: Take your cookies and browser
settings with you in a USB key. Websites know you by the session id stored in
your browser-wallet. They don't even need to know your name or your password.
You can use your friend's computer and fool around, without having to delete
recent history and cache afterwards.

Or instead, store browser settings in the cloud, or in a secure P2P network.
Login to the browser, not websites. Google sync does that partly, and it's
convenient. No need to transfer bookmarks, settings and passwords when you get
a new computer. Maybe that's where we are headed.

~~~
runn1ng
I have thought about that... but more and more, I browse the internet from
some sort of closed system (iOS and Android devices). I also switch operating
systems quite often. I doubt any solution, other than "just remember the
damned password, you remember N of them, so you can remember N+1, right?" will
work vertically on all of those.

------
MatthewPhillips
Problem: I can never switch browsers without having to create new logins for
all of my sites.

~~~
mattmillr
He suggests your identity data be stored in the cloud so all your browsers and
devices can access it.

He doesn't mention whether or not you need a password to connect your new
phone to your cloud identity wallet...

~~~
MatthewPhillips
I didn't sense that he meant for the user to be involved in the cloud aspect,
just that the browser stores it there so that it can persist beyond sessions,
single computers, etc.

If the goal is no more passwords, what is the handshake mechanism to move my
Firefox data to Opera?

------
cuu508
Current solutions to many-passwords problem are:

* identity service like OpenID, Twitter, Facebook
* Password Manager like LastPass, KeePass

I wonder if, at least in some cases, we could somehow get rid of identity
requirement altogether: given a site that currently requires user accounts,
change its mode of operation so that identity either doesn't matter at all or
doesn't matter as much (the site is useful for anonymous users)

~~~
pavpanchekha
Educating developers to make sites that don't require login is a social
solution. Those have historically proven less workable than technical
solutions.

------
larrik
This idea doesn't address his complaint (expressed multiple times) about
accessing from different devices. In fact, this makes that essentially
impossible.

~~~
bengillies
I think he's assuming that browsers defer password storage to some sort of
cloud-based password storage service (presumably of your choosing). Hence the
mention of needing to trust the cloud.

------
lsc
Wouldn't some sort of public-key auth largely solve the problem of
authenticating a user? I mean, I could give every site I use the same public
key without worrying that they could then impersonate me to other sites.

Assuming I give them the public key rather than relying on some sort of CA
system, we've also removed the problems inherent to authenticating through a
third party.

As far as I can tell, the only problem with this approach is poor browser
support. To my knowledge, the only public key systems that have wide browser
support are tied up with certificate authorities and other stuff for actually
verifying a real identity, which is a separate (and much more difficult)
problem. It seems to me that if we just had something that worked like OpenSSH
public keys that worked in a web browser, we'd at least have solved the
problem of coming up with secure passwords for every site.
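
The scheme described in the comment above, as an added example that is not part of the original post: one Ed25519 key pair, with every site holding only the public key and verifying a signature over its own origin plus a fresh nonce. It uses Node.js's built-in `crypto` module; `makeSite`, `signLogin`, `demo` and the two origins are hypothetical names constructed for illustration.

```javascript
// Added example (not from the thread): OpenSSH-style public-key login for web sites.
const nodeCrypto = require('crypto');

// The user's single key pair; the private key never leaves the user's device.
const user = nodeCrypto.generateKeyPairSync('ed25519');

// A site stores only the public key and issues a fresh random nonce per login.
function makeSite(origin, publicKey) {
  const pending = new Set(); // nonces issued but not yet redeemed
  return {
    origin,
    newChallenge() {
      const nonce = nodeCrypto.randomBytes(16).toString('hex');
      pending.add(nonce);
      return nonce;
    },
    // Accept only a signature over THIS origin and an unused nonce.
    verifyLogin(nonce, signature) {
      if (!pending.delete(nonce)) return false; // unknown or already-used nonce
      const msg = Buffer.from(`${origin}\n${nonce}`);
      return nodeCrypto.verify(null, msg, publicKey, signature);
    },
  };
}

// Client side: bind the signature to the origin the user is actually visiting.
function signLogin(privateKey, origin, nonce) {
  return nodeCrypto.sign(null, Buffer.from(`${origin}\n${nonce}`), privateKey);
}

function demo() {
  // Both sites are registered with the same public key (constructed origins).
  const siteA = makeSite('https://a.example', user.publicKey);
  const siteB = makeSite('https://b.example', user.publicKey);

  const nonceA = siteA.newChallenge();
  const sigA = signLogin(user.privateKey, siteA.origin, nonceA);
  const honest = siteA.verifyLogin(nonceA, sigA); // normal login succeeds
  const replay = siteA.verifyLogin(nonceA, sigA); // same nonce again is refused

  // Site A passes on a nonce it obtained from site B; the user signs it for
  // origin A, so the signature does not verify at site B.
  const nonceB = siteB.newChallenge();
  const sigForA = signLogin(user.privateKey, siteA.origin, nonceB);
  const relayed = siteB.verifyLogin(nonceB, sigForA);
  return { honest, replay, relayed };
}
```

The origin inside the signed message is what keeps a site that knows the public key from reusing a login elsewhere; the single-use nonce is what stops replay.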

------
psadauskas
I blogged about a solution to this about 9 months ago:
<http://blog.theamazingrando.com/the-road-to-better-authorization>

Same idea: A browser (or extension) that knows how to sign up, and log in.
Sign up would fill in the form from my choice of profiles (personal, work,
fake). Log in would automatically use the saved credentials, and allow me to
switch accounts from within the browser. Sync it to the cloud, or let me
export/import it to another browser or device.

Edit: HN discussion of that post:
<https://news.ycombinator.com/item?id=2128966>

------
rhettg
Why don't any websites add the option of just emailing me a link to login
anytime I want to use the site. Effectively this is what happens with "forgot
password" features.

~~~
Flenser
Because if your email account is hacked with a forgot password system you
could discover it because your password would change, whereas with a login
link someone could use it without you knowing.

------
Jgrubb
Is there a mirror of this anywhere? I'm getting 404.

edit: never mind. It's back.

------
Ihavenoname
Sometimes trying to make things too simple just adds complexity. A good
password manager can do this without the same risk of identity theft and loss
of anonymity. I think many repressive governments would love to have one
central tracking option. Even if you could somehow ensure that it would not be
abused you would want the ability of a local record in case of censorship or
domain blocking by competing businesses. I am unconvinced that the Internet
would not work without a reasonable level of anonymity. A secure log in is not
required for every website you visit as the article seems to claim.

