Many of you may have read in Wired that Google wants to find ways to authenticate without the old, messy username-and-password approach.
Google agrees. “Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,” Grosse and Upadhyay write in their paper.
I can agree with that without a problem or reservation. I talk to security people at companies across the US, and no one really loves the username/password scenario. Aside from the risk, this approach also lends itself to multiple calls to a company's customer support to resolve forgotten-password issues. That adds up to significant $$ for many companies.
Google's suggestion is something more secure, like a ring or an easy-to-use USB key.
They see a future where you authenticate one device — your smartphone or something like a Yubico key — and then use that almost like a car key, to fire up your web mail and online accounts.
I have no problem with a future where my ring or my phone acts as my authentication mechanism, or at least as part of it. I love the idea... but then reality sets in. The idea of one password to rule them all, or one password service to rule them all, has been a siren call to many for a while. To understand how that has gone, all you need to do is look upon the washed-up shore of standards.
- OpenID – Yahoo and many others tried, but even in the consumer world it has failed to get full adoption
- SAML – enjoying great success, but still not the default for so many companies
- OAuth – the first standard that actually took off. Many use it despite some lack of functionality
- OAuth 2 – not yet there, and one of the key contributors quit
- OpenID 2 and SCIM – hold promise, but with a lot of complexity
Of all of these, Facebook's OAuth has made the most progress, and many people are happy to log in with their Facebook ID. Don't get me wrong, that is progress towards a central standard for all your authentication. Many portal vendors either support or plan to support OAuth (see IBM, Microsoft, Liferay, Oracle). But let's talk to companies that don't cater to the consumer. I mention OAuth and I get either a blank stare or a look of unease before the inevitable response, "We aren't comfortable with that."
Let’s face it, our online lives include access to:
- Online stock brokers
- 401K accounts
- Bank accounts
- Health Insurance accounts
- etc.
If we cannot get them to buy off on one password to rule them all, how would we get them to buy off on one device to rule them all? I know what the security guys would say about how easy it would be to gain access by stealing a device. I also know how uneasy security folks are about letting others define their standards.
Now don't get me wrong, I've loved the idea of a strong central entity providing secure tokens for us for a while. I remember discussing the idea that maybe the US Postal Service could do that for the US. I just don't see one device to rule them all if we can't even get ourselves on board with one password to rule them all.
Bottom Line: I may be OK with a password-saving tool like eWallet, but there's no way I intend to wear 10 rings and lug around 15 USB devices just to manage my online life. If they solve the central-authority problem, then maybe we can start on the devices.