First of all, and given the fact that authentication is confused with/not separated from authorization (even the folks at Google seem to be confused about it, see a recent blog entry of mine about: OAuth is not about Authentication), let's clearly define what we are talking about
(taken from the Wikipedia entry on authentication):
Authentication (from Greek αυθεντικός; real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true. Authenticating an object may mean confirming its provenance, whereas authenticating a person often consists of verifying their identity. Authentication depends upon one or more authentication factors.
Apart from technical concerns, there is this one important aspect to authentication that deserves special attention: Identity, which represents the something (or someone) that should be confirmed as authentic through an authentication mechanism.
Probably the buzzword web identity rings a bell, or maybe you have read about OpenID or all the fuzz on Open Social. Or you may have stumbled over a blog named Identity 2.0.
I don't know how you perceive it, but for me, the top priority question these days is Who should provide my identity? and not How should the mechanism work?, because that comes second, and that it has to be sufficiently secure is out of question.
I really ask you to ponder it; there are many implications related to all possible answers of this question. Just think that governments are as well moving towards the E. Given the scale of the E movements nowadays, this is not likely an easy problem to solve and will take some more careful considerations if the identity is to be used beyond simple social networking activities: maybe for a blog comment it does not matter, but once you are voting or paying bills with it, you will for sure be more alert about your identity.
The truth is that most of the users of the web suffer from a multiple identity syndrome, and in many cases this may involve quite some cost and inconvenience for the user. I don't know about you, but I have a growing number of "identities" that involve me to carry tokens in different form factors (and certainly pay for those that are supposed to Internet banking secure for me).
So: How many of these tokens are you willing to pay and carry arround with you?
Taking identity into account, I think that OpenID is based on the right idea:
An end user can freely choose which [OpenID] Provider to use, and can preserve their Identifier if they switch [OpenID] Providers.
However, when it comes to security, OpenID has it's weak points; just read about How secure is OpenID? and The Problems with OpenID.
It think that it's time to dvelve into the web authentication problem, and will hopefully find some time to distill my ideas and brainstorming of the last months into further posts on HTTP Authentication mechanisms, SSL/PKI and the Trusted Third Party issue, and probably an idea for a new mechanism for security that won't depend on SSL.
0 comments:
Post a Comment