Cutting the Gordian Knot of Web Identity


Why not use fingerprint scanners?
I think they’ve gotten pretty cheap.


I just don’t see this as such a big problem as you point out.

I have very few websites where I have a unique username/password. Basically just Google, Facebook and Amazon.

Almost all remaining sites support my Facebook account or OpenID in some other form (posted this comment through my Yahoo! account).


What @Sigivald said:

Good for you. Not my problem as a user, however. I don’t care about making your life easier (nothing personal!); I care about mine, and “magical browser-based just works once you give a browser your master super-password” is BAD

+1 (many times)


Sounds scary that there would be a database of the passwords of everyone in the world…

And I agree with most of the comments mentioning LastPass as being as close as can be to your proposition…

Why do people prefer lastpass over 1password?


How about this: you have a PGP key pair installed on your machine. Your username (everywhere) is the public key. Your password is the URL (or something in a meta tag), encrypted with the private key. Both base-64 encoded. You can also install that certificate on the cloud, in which case you would get each password by logging in there, so you wouldn’t need to install the certificate when you’re a guest. In other words, you’ll only use the cloud when you’re not on your default machine.

Isn’t that simpler, and just as secure?
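The scheme in the comment above, written out as an added example that is not part of the original thread. Ed25519 stands in for PGP (an assumption), and what the comment calls "the URL encrypted with the private key" is done here as a signature over the site origin, which is the operation a private key actually performs on data it is given. The origins and names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Identity is the user's long-term key pair, the comment's "PGP key pair
// installed on your machine". Ed25519 is used here instead of PGP (assumption).
type Identity struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIdentity() (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{pub: pub, priv: priv}, nil
}

// Username is the same everywhere: the base64 public key.
func (id *Identity) Username() string {
	return base64.StdEncoding.EncodeToString(id.pub)
}

// Password is per site: a signature over the site's origin, base64 encoded.
// Ed25519 signatures are deterministic, so the same key (on this machine or
// the cloud copy) always yields the same password for the same site.
func (id *Identity) Password(origin string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(id.priv, []byte(origin)))
}

// VerifyLogin is the site's side: decode the username into a public key and
// check that the password is a valid signature over this site's own origin.
// The site stores no secret at all, only the public key it already has.
func VerifyLogin(origin, username, password string) bool {
	pub, err := base64.StdEncoding.DecodeString(username)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(password)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), []byte(origin), sig)
}

func main() {
	id, err := NewIdentity()
	if err != nil {
		panic(err)
	}
	u := id.Username()
	pA := id.Password("https://a.example") // constructed origins
	fmt.Println("a.example accepts its own password:", VerifyLogin("https://a.example", u, pA))
	// A password captured from a.example is bound to that origin and is
	// rejected by b.example.
	fmt.Println("b.example accepts a.example's password:", VerifyLogin("https://b.example", u, pA))
}
```

What the scheme buys is that the site stores no secret and a password leaked from one site fails at every other site, because the signature is bound to the origin. What it does not buy is freshness: the per-site password is static, so a phishing page or a compromised site that captures it can replay it to that site until the key pair is replaced, which is the gap a random challenge closes.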



Any chance you will consider adding authentication via an X.509 certificate as an additional option on stackexchange? It sure seems like this should be pretty easy to implement. It seems like it should be as useful for proving the identity of someone as trusting 3rd party identity providers, or cookie based authentication. You already support multiple authentication providers, so adding another should be easy.

Just set up a page which requires a certificate. If you have never seen the public certificate before, ask the user if they wish to associate the certificate with an existing account or create a new one, and store the certificate for future logins. If you have seen the public cert before, then look up the account details and log the user in.

I would suggest that you should not care about what CA the certificate is signed by. Just accept any certificate signed by any CA, or self-signed. If you don’t spend time trying to verify anything to do with CAs, certificate based auth basically just becomes trust on first use.
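The trust-on-first-use flow from the comment above, as an added example using Go's standard library; it is not Stack Exchange's code. The self-signed certificate is constructed inline to stand in for whatever the browser would present, and the account ID is invented.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint identifies a client certificate by the SHA-256 of its DER
// bytes. Issuer and chain are deliberately ignored, as the comment suggests:
// self-signed and CA-signed certificates are treated alike.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// AccountStore maps certificate fingerprints to account IDs.
type AccountStore struct {
	byFingerprint map[string]string
}

func NewAccountStore() *AccountStore {
	return &AccountStore{byFingerprint: map[string]string{}}
}

// Login is the comment's flow. The certificate must come out of a completed
// TLS handshake in which the client signed with the matching private key
// (e.g. tls.Config{ClientAuth: tls.RequestClientCert}); a certificate copied
// into a form field proves nothing, since certificates are public.
// known == false means "never seen": ask the user to link an existing
// account or create one, then call Associate.
func (s *AccountStore) Login(cert *x509.Certificate) (accountID string, known bool) {
	accountID, known = s.byFingerprint[Fingerprint(cert)]
	return
}

// Associate binds a never-before-seen certificate to an account.
func (s *AccountStore) Associate(cert *x509.Certificate, accountID string) {
	s.byFingerprint[Fingerprint(cert)] = accountID
}

// selfSignedCert is constructed for this example only; it stands in for the
// certificate a user's browser would have generated once and kept.
func selfSignedCert(cn string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	store := NewAccountStore()
	cert, err := selfSignedCert("alice")
	if err != nil {
		panic(err)
	}
	if _, known := store.Login(cert); !known {
		fmt.Println("first visit: ask alice to link or create an account")
		store.Associate(cert, "user-42") // invented account ID
	}
	acct, known := store.Login(cert)
	fmt.Println("second visit:", acct, known)
}
```

Two things follow from "verify nothing about CAs". First, it must not extend to skipping proof of possession: the only reason a fingerprint match means anything is that the TLS layer made the client sign with the private key, so the mapping has to be fed from the handshake, never from user-supplied bytes. Second, with no CA there is no revocation or recovery path, so a lost key is a lost account unless a second login method exists; that second method is also how the user would associate a replacement certificate.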


The technology you’re looking for is called “Kerberos” :)


Internet driver’s license or another third party centralized authentication. With government approbation and/or control = instantaneous worldwide censorship.

Also, attack that password by combining random words from a dictionary. Your entropy becomes useless in no time.


Scan your eyes/fingerprints as your identity. I hope in the near future all computers/devices will have a camera, and browsers should be able to scan your eyes/fingerprints and use that to identify yourself.


Jeff - what exactly does the browser integration get you over the current state of affairs at StackExchange? I click to ‘log in with Google’, and I have to confirm the first time, after that logging in seems to be just transparent without any prompts.


Google should buy Lastpass and make it a default in Chrome and Android. Lastpass is great on the Desktop, but sucks on the iPhone because of a lack of important public APIs on iOS.


It would be great if all the Internet switched to SSL, and used client certificates to identify people.


You need a revocable and replaceable token. The site sends me a random string (there was an ANSI token that used DES). I type it in, or have something like a YubiKey, maybe with a PIN or fingerprint (and/or clock), in a USB port. It returns a cryptographic response.

Something like this exists with cell phones where you can get texts or voice responses.
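The revocable, replaceable token with a random challenge described in the comment above, as an added example; it is not the commenter's code and not any particular token's protocol. Ed25519 signatures stand in for the DES-based response the comment mentions, and the origin, user name and two-minute challenge lifetime are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Token is the hardware token's half: a key pair that never leaves the
// device. Ed25519 is an assumption in place of the DES-based response.
type Token struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewToken() (*Token, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv, Pub: pub}, nil
}

// Respond signs the challenge bound to the site's origin, so a challenge
// relayed through a page under another origin yields a response the real
// site rejects.
func (t *Token) Respond(origin string, challenge []byte) []byte {
	return ed25519.Sign(t.priv, append([]byte(origin+"\x00"), challenge...))
}

// Site is the server's half: registered tokens per user, a revocation set,
// and outstanding single-use challenges with an expiry.
type Site struct {
	Origin     string
	tokens     map[string][]ed25519.PublicKey // user -> registered tokens
	revoked    map[string]bool                // hex(pub) -> revoked
	challenges map[string]time.Time           // hex(challenge) -> expiry
}

func NewSite(origin string) *Site {
	return &Site{Origin: origin, tokens: map[string][]ed25519.PublicKey{},
		revoked: map[string]bool{}, challenges: map[string]time.Time{}}
}

// Register enrolls a token. A user may hold several, which is what makes a
// token replaceable: enroll the new one, then revoke the old one.
func (s *Site) Register(user string, pub ed25519.PublicKey) {
	s.tokens[user] = append(s.tokens[user], pub)
}

// Revoke makes a lost or stolen token useless without touching the others.
func (s *Site) Revoke(pub ed25519.PublicKey) {
	s.revoked[hex.EncodeToString(pub)] = true
}

// Challenge issues a fresh random string valid for one attempt (2 minutes assumed).
func (s *Site) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[hex.EncodeToString(c)] = time.Now().Add(2 * time.Minute)
	return c, nil
}

// Verify consumes the challenge even on failure, so it cannot be retried or
// replayed, and accepts the response only from a registered, unrevoked token.
func (s *Site) Verify(user string, challenge, response []byte) error {
	key := hex.EncodeToString(challenge)
	expiry, ok := s.challenges[key]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, key)
	if time.Now().After(expiry) {
		return errors.New("challenge expired")
	}
	msg := append([]byte(s.Origin+"\x00"), challenge...)
	for _, pub := range s.tokens[user] {
		if s.revoked[hex.EncodeToString(pub)] {
			continue
		}
		if ed25519.Verify(pub, msg, response) {
			return nil
		}
	}
	return errors.New("no registered, unrevoked token produced this response")
}

func main() {
	site := NewSite("https://example.com") // constructed origin
	tok, err := NewToken()
	if err != nil {
		panic(err)
	}
	site.Register("alice", tok.Pub)
	c, _ := site.Challenge()
	fmt.Println("login:", site.Verify("alice", c, tok.Respond(site.Origin, c)))
	fmt.Println("replay of same challenge:", site.Verify("alice", c, tok.Respond(site.Origin, c)))
	site.Revoke(tok.Pub)
	c, _ = site.Challenge()
	fmt.Println("after revocation:", site.Verify("alice", c, tok.Respond(site.Origin, c)))
}
```

The three properties the comment asks for are each one map: the random, single-use challenge defeats replay; the per-user list of keys makes a token replaceable; the revocation set makes a lost one harmless. Binding the origin into the signed message is the extra check a practitioner adds so that a captured challenge cannot be forwarded from a look-alike site.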


Note that from the user’s perspective, you have reinvented SPNEGO.
This is implemented in all interesting browsers, and is how Microsoft implements Kerberos in IIS.

I have a feeling that your solution is implementable on top of the existing SPNEGO infrastructure, which is IE, Chrome & FF.


I agree - aren’t we all sick to death of passwords? Well, how about a passwordless solution: one which requires you to identify yourself through SSO or OpenID, but then authenticate yourself securely through a ‘secret’ code sent to your browser and validated by your mobile phone. I won’t say any more - we launch this service next week and we will revolutionise this space. Check it out: LiveEnsure. The key principle is ‘identification is not authentication’!


What about PKI? Why don’t more sites support this? Especially banks. In the absence of more universal adoption, banks should be acting as CAs and issuing PKI certificates for secure access to their own service. Browsers already support it and it works tremendously well.

You know what I would love to see? Smart Card driver’s licences with identity certificates on them.


Jeff, might I point you to this XKCD comic?


I posted a message here recently, but it didn’t even get to the messages, not to mention that I have to log in.


The problem with passphrases is that MANY well known sites don’t allow spaces in passwords (twitter for example - you would have thought they would know better).

And the number of sites I’ve come across that won’t let me use symbols in a password, or limit the password length to like 10 characters. I usually go for 20+ totally random characters/symbols using (the awesome) lastpass password generator, but it feels like the websites are against me. It’s like they don’t want us to be secure.

Seriously - if I want to create a 256 character password then freaking let me (I know there will be collisions shorter than that).


I think the Android OS locks the device the best: it lets me lock it by drawing a gesture with my thumb, and that’s all that’s needed to unlock me into Android and then everything. So there is no password and still a lock.

I like the idea of software and apps acting “on the user’s behalf”, i.e. the software is allowed to act on a user’s behalf, and that can mean a lot of things, like predefining accounts for services that a user might like so that a user can already be “registered.”

A programming problem is these different user models, where a Facebook user and a Google user can be very well defined but no interaction or relation between them was defined. So I think internet communities should “sync user data”, and if you allow software realtime uptimes then that’s as easy as pushing the button if already logged in from a known account.