Why Single Identity for Authentication is an Impossible Dream

by Krishna on September 6, 2011

Jeff Atwood once again points us to the Internet nightmare of maintaining several passwords for logging into so many different websites.

Every time you touch a website that actually cares who the heck you are — and this is an increasingly large list of sites as the web matures — you have to, sigh, “log in”. And logging in inevitably requires you to create a username and a password. Over and over and over and over. And, oh by the way, you’ll be logging in again each and every time on every browser and every computer and every device you own. It’s a great system. And by “great” I mean fracking terrible.

In the past, his solution has been OpenID (which has been increasingly falling out of favor), but in his recent post, he suggests a different automated method. Read through the article. Here are my thoughts:

  1. A single “trusted, secure location for passwords” would be the biggest gold mine in history. You can expect all kinds of hackers trying to get to the information through different means, such as brute-force software hacking, social engineering, physical access to the machines, tapes, etc. And not only the target of hackers out for financial benefit, but also that of terrorists, activists and enemy nations. For example, if you work for a defense manufacturer, there will be hackers employed by spies to get to your personal information.
  2. Suppose instead of a single source, you have multiple vendors offering such locations via an industry standard. Competition will ensure that over time, only a few big vendors remain. And each of them will be big targets for hacking.
  3. If any one vendor is hacked, that would have a severe disruption throughout the entire Internet. It is similar to when your (and a thousand others) credit card information becomes part of a security breach at one company. It is worse because all other “password vendors” are suspect.
  4. Many firms, especially financial companies, will be loath to entrust security to a third party vendor. The fractional benefit that they can offer customers will be heavily outweighed by the legal and logistical nightmare in case of a security failure. Will a company like PayPal ever accept authentication provided by another vendor?
  5. Users may sometimes want multiple identities. Privacy is a good reason. Imagine if Amazon and Google both used the same identity and then merged, allowing them to create a single “master” profile for you based on several months / years of your online transactions and searches. The Google+ example shows that a company could take steps to prevent anonymous profiles, i.e., they can link online activities to a real person.

Also, the landscape for authentication needs have changed over the years. For example, in the recent past, authentication via Facebook has been used for blog comments, newsletter subscriptions, email deals, and so on. SAML is a standard that can be used for single sign-on with such platforms as Salesforce and reduce the need for enterprise customers to keep multiple passwords. Browsers such as Google Chrome allow you to store passwords locally and also sync them across multiple computers.

One answer to the problem of multiple passwords is for users to ask themselves whether they should bother creating an account. For example, if you are placing an order, you should be able to check out without creating an account: many sites provide this option. A blog that forces you to enter a password for writing a comment is usually not worth commenting on! Also sometimes you may want to create a fake username and one-time throwaway password (just type randomly on the keyboard until you get 32 characters or so) instead of linking it to anything else you have on the web.

[Photo CC licensed from Don Hankins]


Noah September 11, 2011 at 5:39 pm

Check out lastpass.com, they do your ‘single trusted location for passwords’ and they do security well, with your key database encrypted locally on your machine, before being uploaded to their servers so even if they suffer a break in no one can access your passwords.

Krishna September 12, 2011 at 9:46 am

Thanks for the comment, Noah

I cannot comment on how good the technical implementation of lastpass.com is, but if there are people whose passwords command a premium in the business espionage or military intelligence arenas, then lastpass.com will be the target of highly capable and well-funded adversaries. Not only via technical means, but also by unsavory means through the use of money and might.

Comments on this entry are closed.

{ 1 trackback }

Previous post:

Next post: