nancylebov asked about the present/future of passwords, and whether they are useless things that we ought to abandon.
My answer being "Mostly, I really, really hope so."
The problem is that the article that provoked this question is kinda rambly and all over the place, and mostly saying "Woe! All methods of assuring the computer you are who you say you are can be faked in some way! Dooooom!" and kinda heads off towards the idea that before you can log onto your computer you'll need to juggle balls in front of the webcam[1] and then give it a skin-sample[2].
And frankly, I don't want to be dealing with any of that shit. It all sounds terribly tiresome, and horribly frustrating to keep track of.
I know people that have password managers. The problem for me being that I log into my online banking from work. And I cannot install a password manager at work. And I also cannot be arsed retyping a long string of random characters from a password vault on my phone. Which probably makes me a bad, lazy, person, but I just don't care enough to jump through that many hoops.
I just about care enough that I have Google Authenticator on my phone, and when I log into GMail from a new computer[3] I type in a 6 digit number it generates for me. And I use the same app for Dropbox[4], because it's equally simple. But anything more than that is a huge faff.
Which isn't to say that I like having the same password everywhere. So I have a few different variations that I use. But what I really want - what would make me ecstatically happy - is not having to use a password to log in to most sites at all.
And some websites work that way. When I log into Buffer[5] I don't need to tell it my password. I just tell it "I am who Twitter says I am." and it keeps track of me that way.
There are a few sites that work that way now - using either Facebook or Twitter as login mechanisms. But I don't tend to use them most of the time because I don't want to treat my Facebook as my identity. Or my Twitter. They're both services I use, but neither of them feels so central to my life that I want to be tied to them. I don't want to lose access to a bunch of stuff just because I decided I hated Facebook with a fiery passion.
My email address on the other hand... Well, I've had my email address for 13 years now. I'm attached to it, and it very much feels like part of me. And, obviously, email addresses are generally mandatory to sign up to most sites anyway. I just don't want to have to set up a new password each time. So what I really want is for ducker.org.uk to authorise that, yes, the person who wants access to SexAndDrugs.com is definitely andrew@ducker.org.uk (or, if I'd like to keep bits of my life separate, andrew@notzen.com[6]).
Thankfully, some very smart people at Mozilla have written exactly that - in the form of Persona.
The eventual goal of Persona is that I turn up at your website and, when I want to log into it (to leave a comment, access secure content, or whatever) I click on the "Log In" button, select the email address I want to use, and _that's it_.
There's a couple of steps on the way though, because things are not that simple. For a start, right now Ducker.org.uk doesn't have the capability to verify that I am andrew@ducker.org.uk. So in the meantime, when the browser discovers that, it passes me to a fallback provider run by Mozilla. And the first time you log in you'll have to confirm to Persona that you actually own your address[7]. But after that, the experience is terribly smooth.[8]
And private too - because of the way it's set up Persona have no idea what sites you're logging into. You verified who you were, they handed you some ID, and then you can use that ID all over the place without anyone telling them where you used it.[9]
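As an added illustration (not part of the original post, and not Mozilla's code), here is a simplified sketch of why the site can check "some ID" without the provider hearing about it: the provider certifies a key held by the browser, and the browser alone signs the per-site login. It assumes ducker.org.uk can act as its own provider, uses Ed25519 over plain JSON in place of Persona's real token format, and the function names and `site.example` are made up for the example.

```javascript
// Added sketch, not Persona's real code: plain JSON + Ed25519 stand in for its tokens.
const crypto = require('crypto');

// Sign any object; returns the encoded body plus a signature over it.
function seal(obj, privateKey) {
  const body = Buffer.from(JSON.stringify(obj));
  const sig = crypto.sign(null, body, privateKey);
  return { body: body.toString('base64'), sig: sig.toString('base64') };
}

// Check the signature and return the object, or null if it does not verify.
function unseal(sealed, publicKey) {
  const body = Buffer.from(sealed.body, 'base64');
  const sig = Buffer.from(sealed.sig, 'base64');
  return crypto.verify(null, body, publicKey, sig) ? JSON.parse(body.toString()) : null;
}

// Email provider's key pair (assumes ducker.org.uk can act as provider).
const provider = crypto.generateKeyPairSync('ed25519');
// Key pair made by the browser; the private half never leaves it.
const browser = crypto.generateKeyPairSync('ed25519');

// Step 1 (provider, once): certify that this browser key speaks for the address.
function issueCertificate(email, browserPublicKey, now) {
  const key = browserPublicKey.export({ type: 'spki', format: 'pem' });
  return seal({ iss: 'ducker.org.uk', email, key, exp: now + 3600 }, provider.privateKey);
}

// Step 2 (browser, per login): name the site being logged into.
// The provider's key is not used here, so the provider never learns the site.
function makeAssertion(site, now) {
  return seal({ aud: site, exp: now + 120 }, browser.privateKey);
}

// Step 3 (website): verify both with only the provider's public key.
function verifyLogin(cert, assertion, mySite, providerPublicKey, now) {
  const c = unseal(cert, providerPublicKey);
  if (!c || c.exp < now) return null;                     // forged or expired certificate
  const a = unseal(assertion, crypto.createPublicKey(c.key));
  if (!a || a.exp < now || a.aud !== mySite) return null; // stale, or meant for another site
  return c.email;
}
```

The `aud` check is what stops one site from taking the login you gave it and replaying it at another.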
This, to me, is the future of passwords - you have them (along with other factors) for the few central places that need them. And nobody else needs a password to identify you, ever again.
[1]Because nobody juggles quite like you.
[2]But what if someone steals your skin and then clones a skin suit so they can log in as you?!?!?
[3]Or every 30 days on one I use already.
[4]With a different number, of course.
[5]The magical web app which takes all of my links and posts them to Twitter, but rations them out so that there's always 15 minutes between links rather than 10 of them turning up at once.
[6]NotZen.com is the domain I run for a few friends to have email addresses on. Set up before webmail became ubiquitous, back when people used to lose their email addresses if they switched ISPs.
[7]In the same way that you always do with web sites - they send you an email and you click on "confirm".
[8]You can try it out now at The Times Crossword site: http://crossword.thetimes.co.uk/
[9]And this, to me, is an instant big win over logging in with Facebook.
Original post on Dreamwidth - there are comments there.