[personal profile] andrewducker
[livejournal.com profile] nancylebov asked about the present/future of passwords, and whether they are useless things that we ought to abandon.

My answer being "Mostly, I really, really hope so."

The problem is that the article that provoked this question is kinda rambly and all over the place, and mostly saying "Woe! All methods of assuring the computer you are who you say you are can be faked in some way! Dooooom!" and kinda heads off towards the idea that before you can log onto your computer you'll need to juggle balls in front of the webcam[1] and then give it a skin-sample[2].

And frankly, I don't want to be dealing with any of that shit. It all sounds terribly tiresome, and horribly frustrating to keep track of.

I know people that have password managers. The problem for me being that I log into my online banking from work. And I cannot install a password manager at work. And I also cannot be arsed retyping a long string of random characters from a password vault on my phone. Which probably makes me a bad, lazy, person, but I just don't care enough to jump through that many hoops.

I just about care enough that I have Google Authenticator on my phone, and when I log into GMail from a new computer[3] I type in a 6 digit number it generates for me. And I use the same app for Dropbox[4], because it's equally simple. But anything more than that is a huge faff.

Which isn't to say that I like having the same password everywhere. So I have a few different variations that I use. But what I really want - what would make me ecstatically happy - is not having to use a password to log in to most sites at all.

And some websites work that way. When I log into Buffer[5] I don't need to tell it my password. I just tell it "I am who Twitter says I am." and it keeps track of me that way.

There are a few sites that work that way now - using either Facebook or Twitter as login mechanisms. But I don't tend to use them most of the time because I don't want to treat my Facebook as my identity. Or my Twitter. They're both services I use, but neither of them feels so central to my life that I want to be tied to them. I don't want to lose access to a bunch of stuff just because I decided I hated Facebook with a fiery passion.

My email address on the other hand... Well, I've had my email address for 13 years now. I'm attached to it, and it very much feels like part of me. And, obviously, email addresses are generally mandatory to sign up to most sites anyway. I just don't want to have to set up a new password each time. So what I really want is for ducker.org.uk to authorise that, yes, the person who wants access to SexAndDrugs.com is definitely andrew@ducker.org.uk (or, if I'd like to keep bits of my life separate, andrew@notzen.com[6]).

Thankfully, some very smart people at Mozilla have written exactly that - in the form of Persona.

The eventual goal of Persona is that I turn up at your website and, when I want to log into it (to leave a comment, access secure content, or whatever) I click on the "Log In" button, select the email address I want to use, and _that's it_.

There are a couple of steps on the way though, because things are not that simple. For a start, right now ducker.org.uk doesn't have the capability to verify that I am andrew@ducker.org.uk. So in the meantime, when the browser discovers that, it passes me to a fallback provider run by Mozilla. And the first time you log in you'll have to confirm to Persona that you actually own your address[7]. But after that, the experience is terribly smooth.[8]

And private too - because of the way it's set up Persona have no idea what sites you're logging into. You verified who you were, they handed you some ID, and then you can use that ID all over the place without anyone telling them where you used it.[9]

This, to me, is the future of passwords - you have them (along with other factors) for the few central places that need them. And nobody else needs a password to identify you, ever again.


[1]Because nobody juggles quite like you.
[2]But what if someone steals your skin and then clones a skin suit so they can log in as you?!?!?
[3]Or every 30 days on one I use already.
[4]With a different number, of course.
[5]The magical web app which takes all of my links and posts them to Twitter, but rations them out so that there's always 15 minutes between links rather than 10 of them turning up at once.
[6]NotZen.com is the domain I run for a few friends to have email addresses on. Set up before webmail became ubiquitous, back when people used to lose their email addresses if they switched ISPs.
[7]In the same way that you always do with web sites - they send you an email and you click on "confirm".
[8]You can try it out now at The Times Crossword site. http://crossword.thetimes.co.uk/
[9]And this, to me, is an instant big win over logging in with Facebook.

Date: 2012-11-17 02:16 am (UTC)
From: [personal profile] mm_writes
  1. The problem with letting Twitter authenticate as you is anyone who breaks into your Twitter account can authenticate as you on any website that accepts Twitter authentication.

  2. The problem with Persona is exactly the same.


The problem is that the article that provoked this question is kinda [...] mostly saying "Woe! All methods of assuring the computer you are who you say you are can be faked in some way! Dooooom!" and kinda heads off towards the idea that before you can log onto your computer you'll need to juggle balls in front of the webcam[1] and then give it a skin-sample[2].

Actually, retina scanning or thumbprint recognition would be ideal. Any other way can be tampered with, stolen, faked, duped or...so I'm entirely sympathetic to Wired's tone. Passwords are a relic of the good ol' DOS days. Command line shit. What people did waaaaaaaaaaaaaay back in the day when the only way to tell a website or computer you were you was through a special seekret text string of some sort. Text. String. We've moved way beyond computers that can handle text alone and way beyond computers that only have 16KB onboard memory to handle the text, yet we're still signing in to websites the same way we did back in the 90s. Big problem.
Edited Date: 2012-11-17 02:17 am (UTC)

Date: 2012-11-17 11:16 am (UTC)
From: [personal profile] birguslatro
If all our devices accepted swipe cards they'd be probably more useful than fingerprint readers - with the added bonus you could have different ones for different types of sites. (Business, personal, etc.) Visit site - it asks you to swipe your card - you do and you're in. With pin-numbers required for only the more important sites.

Or could an equivalent system be created for USB ports or whatever's the most common? ie. Some kind of dongle you'd carry around that says to sites that you are you. No physical logging in at all then, it happening automatically as long as your dongle's plugged in.

Date: 2012-11-17 11:59 am (UTC)
From: [personal profile] birguslatro
The USB Dongle idea's quite good as a means to store authentication - for the devices that have USB, which is most computers, if not phones and tablets. Web browsers and such would need to be modified to accept them though, I guess.

Ha - and it looks as if it's just a hardware hack away for anybody to have one, no website updating required...

http://hackaday.com/2012/03/05/usb-dongle-generates-and-enters-your-passwords-so-you-dont-have-to/

Plus there's Yubikey: http://drupal.org/project/yubikey

Date: 2012-11-17 12:19 pm (UTC)
From: [personal profile] birguslatro
And you have to carry your phone around too. And I suspect phones will eventually become the default proof that you are you, phones being more personal than personal computers have proved to be.

But a USB dongle could save you from having to log in at all, which is the ideal. You visit a site and it knows you are you, (it looking for and finding your dongle), avoiding your: "I click on the 'Log In' button, select the email address I want to use, and _that's it_." And as to your phone, it should be able to imitate being a dongle.

Page generated Aug. 1st, 2014 01:39 am
Powered by Dreamwidth Studios