So, I was tooling around the internet (it’s my job!) and I came across yet another website that wanted me to “create an account” in order to do something that I wanted to do. And so I did. I mean, this is what we all do on the internet, right?
And then it struck me--a bit late--that this was patently absurd. It’s already a little odd/annoying that seemingly every website on the internet forces us to create and manage a new account/identity, let alone multiple identities on the same service. I mean no one has more than one twitter account, right? And nearly every account that we make with every service has it’s own “identity” and password.
Which means, practically, that we all have (at best) two or three passwords which are mildly to moderately secure, and we use those over and over again, and rarely change. Which is not secure at all. But it’s also a problem if we use passwords that are really secure and then can’t remember them. Solutions like 1password are great, and help those who want to be really secure with this problem, but this really just treats the symptom, and not the problem that a user-generated password is the way to find security. And while passwords are better than no passwords, there are better ways.
There are, as I see it, two solutions to provide better user security on the internet:
- Open ID. This is a protocol by which users can
create an access an account on site A by signing into and verifying
their identity with site B. It works, and it means that we end up
signing into fewer sites and have fewer versions of our passwords in
circulation.
- This works best I’m convinced, if we use big openID providers like Flickr, Blogger, and LiveJournal, and then delegate that openID to a third party website (a domain that you own, say), so that if your account ever gets compromised/abandoned, all the sites which depend on that openID aren’t compromised/abandoned as well.
- You wonder how this identity can be trusted? This is really an existential concern more than a pragmatic one because OpenID is no less legit than providing your (fake) name and (freely available) gmail email address.
- Public Key encryption. Using
PGP/GPG
the internet should develop some sort of handshake for the web where
by, we sign up for sites, upload a public key, and then when we want
to sign in the server generates a dynamic string and encrypts it
with our public keys and sends it to us. Our computers then ask for
our key pass-phrase (or not), decrypt the string, and send it back.
The server compares what we send to what they sent, sees that it
works, and then lets it in.
- This is really secure, particularly if the handshake happens over SSL.
- This is relatively simple from a computer science perspective. All that really needs to be done is) write something sexy that makes the UI work, and then get Google or someone to start using it. Everyone else will follow.
- It’s subject to man in the middle attacks, but then, everything is, and unlike a password that you only have to “hear” once in order to steal, guessing someone’s private key, based on only a few encrypt/decrypted strings is computationally (I understand) damn hard.
Who’s with me?