Authentication Sucks

For a while I’ve been thinking about the classic Internet dilemma: authentication. For trust to work on the Internet, you need to (a) be able to verify the server you’re connecting to is the one it claims it is and (b) be able to prove you are who you claim you are.

(a) is a problem mostly solved by SSL/TLS (though there are a few lingering problems — and a lot of people ignore when SSL is not there). But (b) is a much larger problem.

Let’s face it: passwords suck. People make guessable ones, they can be phished, keyloggers can steal them, and so on. (And there’s the problem of people forgetting them entirely, of course.) The ideal solution is cryptographic: a public/private key pair that can cryptographically prove your identity. Since the private key never leaves your computer, someone has to steal it — not some lame password — and there’s no danger of your key being revealed if a website is hacked.

A few problems, though: first and foremost, implementation. How do you get so many websites to implement a cryptography-based scheme? The answer: you don’t. Get them to implement OpenID. OpenID is a great idea: centralize authentication to a single service, making all these extra passwords sitting around meaningless. And if that service supports cryptographic authentication, every website that supports OpenID can use it. And OpenID is gaining converts fast.

Second: how do you carry a private key? Passwords can be memorized relatively easy, but a long random string of characters can’t be. (Unless you’re a savant. But you have to consider the aptitude of your average computer user here.) The answer: little USB stick things that carry the private key and handle the cryptographic stuff onboard, meaning the private key never even leaves the USB stick.

Of course, USB sticks are easy to lose. I’d suggest designing something that fits in a wallet or even on a keychain. (Hey, it makes sense. Use your keys to unlock the computer.)

I want to see this happen. The preponderance of passwords means I’ve already had to resort to interesting methods to stay secure (besides having very odd passwords). Cryptography and OpenID (or something similar) are the way ahead. Come on, people, implement them!

2 Comments

  1. Check out this wiki page “http://en.wikipedia.org/wiki/Quantum_cryptography” , this is what the Europeans are working on. It’s basically the same thing but security is taken one step further by using quantum mathematics which allows the two computers communicating to know if someone is eavesdropping. It works on the principle that even measuring a quantum piece of data changes it. Since the data has been changed, the receiving computer reads it as an error. Too many errors and the computers communicating switch keys, channels, or just abort the connection.

Leave a Comment

Your email address will not be published. Required fields are marked *