[Discuss] eliminating passwords
Tom Metro
tmetro+blu at gmail.com
Sun Jul 28 23:49:42 EDT 2013
Elsewhere today there was a thread mentioning StarSSL. They take an
interesting approach to site security. They don't use passwords. As part
of the process of getting your SSL certificate, they generate a
client-side SSL certificate that you install in your browser.
Thereafter, when you visit the StarSSL site over an SSL connection, it
knows exactly who you are via PKI key exchange, and has no need for
passwords.
This tech has been built into browsers for decades, and is something
banking and other high risk sites could have adopted to significantly
improve their security. (You can't phish a user's password if they never
enter it.) It does require a little bit of setup, but the process could
easily be made smoother, and pales in comparison to the cat herding task
of making average consumers use password managers and generate strong
random passwords.
The big downside to the tech is that it isn't machine portable. At
least not easily. If you are inclined to log in to your bank from your
tablet, in addition to your desktop, you'd have to repeat some sort of
an authentication process, or otherwise figure out how to get your
client key moved over there.
Far from a perfect solution, but it's cheaper and a better user
experience than two-factor.
-Tom
--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
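The enrollment-then-login flow the post describes, as an added example that is not part of the original message: a site-operated CA issues a client certificate during enrollment, and at login the server authenticates the visitor by checking that the presented certificate chains to that CA and reading the account name from its subject. All names (site-ca, alice, imposter) are constructed for the demonstration; only the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example (not from the original post): a site-operated CA issues a
# client certificate, and the site later authenticates a visitor by checking
# that the presented certificate chains to that CA. Uses the openssl CLI only.
set -eu
WORK=$(mktemp -d)

# The site's private CA. A real deployment keeps this key offline.
make_ca() {             # $1 = CA display name, $2 = output base name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# Enrollment: the site issues a client certificate whose subject names the account.
issue_client_cert() {   # $1 = account name, $2 = issuing CA base name, $3 = output base name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -out "$WORK/$3.pem" 2>/dev/null
}

# Login: what the server does with the certificate a browser presents during
# the TLS handshake. Prints the account name on success; fails (returns 1) if
# the chain does not lead to the site's own CA, whatever the subject claims.
authenticate() {        # $1 = certificate base name
  openssl verify -CAfile "$WORK/site-ca.pem" "$WORK/$1.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/$1.pem" -noout -subject | sed 's/.*CN *= *//'
}

make_ca "Example Site CA" site-ca
make_ca "Somebody Else CA" other-ca
issue_client_cert alice site-ca alice        # legitimately enrolled user
issue_client_cert alice other-ca imposter    # same name, wrong issuer

authenticate alice                           # prints: alice
authenticate imposter || echo "rejected: not issued by the site CA"
```

The second call is the property that makes the scheme phishing-resistant on the server side: a certificate naming the same account but issued by any other CA is rejected before the subject is even read.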