I know... let's call it OpenID http://en.wikipedia.org/wiki/Openid
A group of software and online payment companies are teaming up to find a better way than passwords to protect, and prove, your identity online. Problems with passwords are well known - people require ever more passwords which means they either get forgotten, or people use the same word for several different services which is …
having these "information cards" owned and controlled by the government or a commercial interest.
While passwords are not an optimal solution (though it could be argued that for most websites, they provide an appropriate level of security, commensurate with the trivia they're "protecting"), I'd say that they're better than either of the two possibilities above.
'Those who do not study history are doomed to repeat it', or something like that. Here's a wonderful idea, concentrate all the information required to identify a person in a single place to save on passwords. Alternatively, concentrate all the information required to identify a person in a single place to make it easier to steal.
Yes, multiple passwords are a total pain but the whole point of multiple/different passwords is to improve personal security.
"Other information - such as whether or not the browser is over 21 years old - could also be verified by the website by querying ..."
$USER_AGENT, maybe? Nice to hear that they don't insist that we use this morning's release of IE/FF/whatever.
Are there any "adult" browsers? Or have I misunderstood something?
I don't have any online cards in my wallet. Unless you count other people's business cards with a web address on them; in which case it sounds rather worrying that I'd be able to pretend to be someone else.
I know it's just a slightly fluffed up press release, but that particular description, directly pasted from their site, is so vague as to be fatuous.
It's fascinating that people with technologies designed to do away with passwords because "passwords are insecure" inevitably end up replacing it with something that either replaces it with a SINGLE password on their fragile home PC, or with a physical token that can be stolen and used by whomever has your wallet, or by a giant LDAP system that every website in the world would use and pay them a fee for, thereby earning them caviar and Ferraris. (And, of course, this single authenticator would NEVER lose or sell information about their users' authentication behaviour....)
Had it on a USB Stick for about a year now, carries all my details for several sites. One secure password I can type too quickly to shoulder-surf, and it's plain sailing.
For the hyper-paranoid, encrypt the USB disk with TrueCrypt's partition encryption feature. Double secure against loss.
I know one University is making TrueCrypt mandatory on removable storage for their staff; I'm helping train them.
Oh, and NO ID CARDS.
Who do we trust to store it? Could you imagine what your Equifax credit reports would look like after you'd been to a few 'over 21s' websites....no thanks.
Equifax et al. are scary enough with their stance of 'we don't own the data' as it is. I once got rejected for a mortgage application, when I investigated it was because my name was spelt wrong on the electoral roll. I tried to change it and discovered that that's impossible - all they would do is add a note to the entry on the file. Of course I'm sure all automated credit systems read these notes.
And besides haven't we been through this before with the likes of MS Passport, Liberty Alliance etc.
Electronic eavesdropping negates the security of any fixed password, or Pa55wordz, so why bother? Until we use one time codes, ideally without hardware at all, like GrIDsure, we are going to be fighting a useless, losing battle!
But it has to be free to the end user, so someone has to pay for a secure solution, somewhere along the line.
The issue is quite simply that it's a process problem, not a technology one.
1 - you are one physical person (even if you have a split personality :-)
2 - you have multiple identities (passport, web user, bank client, cellmate 23345, drivers license)
3 - each single identity assigns rights and obligations to you.
From the above follows that the only place those identities meet is at your physical person. Open your wallet and see the result: bank cards, memberships, Oyster etc.
The ID Card approach is flawed in that it wants to tie all of that to a single DIGITAL identity, which amounts to removing your control from your personal "federation of identities". In your pocket you are in control of segregation. The gov doesn't know you have 2 bank accounts other than via your tax form, nor does it need to know about any memberships you have. Ignoring this simple personal segregation would mean that the next CD in the post will *really* result in electronic identity theft (be precise, nobody ever had their personality stolen :-).
There is no need, ever, to store your fingerprint and other biometrics centrally other than as part of a criminal record. Biometrics are IMHO OK - when YOU control them.
The sooner the ID Card gets dumped the better it will be. That this was ever considered feasible raises serious questions.
How do they incorporate the laws of dozens of countries into the scheme? Something only available to a 21 year old in the US may be available to an 18 year old in the UK or a 16 year old in Africa.
What happens when a legal service in one country isn't legal in another? How exactly does the system a) identify the country of the service and b) the country of the user reliably?
How many people do you know who do NOT use ONE password for EVERYTHING, and write it down so they don't forget it? Non-techys, that is...
I've worked for companies that had laptops with hard-disk encryption, 30-day lifetime passwords using (so-called) strong encryption (upper & lowercase, numbers, punctuation; 3-out-of-4, minimum length etc) and the 'random' number-generating keyfob/card thingies with a 4-6 character personally-generated PIN; when taking delivery, all Users had to sign to say they would not write their password or keyfob PIN down etc just like normal.
So care to guess what we found in the laptop case practically every time we had to visit one of these Users, or needed to take a laptop away for any reason? You probably guessed right; one fool even had the bit of paper with his keyfob PIN and the post-it with his password (and the last half-dozen!) and PIN tucked inside the laptop sitting on the keyboard, and one half-witted son of a half-blind monkey and a drunken prostitute (I swear he could not have been a real human being, he was so completely stupid!) had taped it to the front of the laptop... together with the HDD boot decryption key.
Management seem to be the worst (too busy fsck'ing over the poor bastards at the bottom of the corporate food chain or plotting their next expense account "lunch" to bother with such petty trivialities as keeping the company data secure), with techy types being the least likely to do it (although there were some... but it tended to be the youngest ones rather than the grizzled old hacks who'd been there for years)...
Thar be data thieves ahead, me boy - and not all of us wear the same flag...
Problems with Infocards:
1. It's come from Microsoft
2. It assumes that users will move their private key/public key & cards around on a hardware token (USB)
3. They'll have to remember yet another bloody password to do the import/export on another PC/mobile device
OpenID is going to be a hard enough concept to a lot of people, and now the people with budgets that don't do ANY usability testing think that the 20% of the population who have and know what a USB stick is and how to use it will be able to suss moving Infocards from device to device? And I reckon of those 20% who know what a USB stick is, then only a further 20% will be the maximum achievable uptake?
Question, how do people with this much research money get things sooo wrong?
Years ago (in NL) there was a system called "iPay with SET", which meant that payments were not made to any old site, but rather through an established trust relationship - your bank. The bank authorised the payment request and approved the transaction, standing guarantor to the website. You never needed to enter banking / payment info into an etailer's site. I can't remember whether the bank sent confirmation of the registered address or not.
By comparison, Verified by Visa or this new approach seem like a watered-down system.
How about a steg encrypted usb stick, each separate set of data stored isolated from any other, with a certificate store to give access to data sets to specific 'users'?
You could store bank details, website passwords, medical records, all hidden from each other.
Logging into a website: when you register, you save their certificate as having access to its datastore. When logging in, you enter your password into the usbstick, the website provides its certificate check and the stick returns the data if it matches.
Paying in a shop: the seller sends you their certificate, you verify it and add them as a single transaction 'user'. The payment request goes to the bank, the bank requests confirmation from the stick, the stick confirms and deletes the access.
The data sets could be actual data, or key generator algorithms. No need for centralised store of anything except certificate chains. Not saying it couldn't be hacked if you had physical access to it, but if you lost it, you could revoke your certificate and so prevent access to any of the data sets when the stick next tries to access something.
Long enough keys and encryption between the stick and the certificate store would make attacking it pretty tricky. Storing the access certificates in memory that dies if the case is tampered with would leave a patternless jumble of data.