I must sign up for accounts on innumerable websites; it seems barely a day goes by without my requiring to come up with a supposedly unique password for yet another account. Of course, I don’t have unique passwords, and I can’t imagine any but the most paranoid do. It would be simply untenable to remember them. This situation is self-evidently ludicrous. It would be much simpler if there were a single location which can verify my identity on behalf of other sites.
Competently programmed, a site never stores passwords and so a break in to a site wouldn’t reveal my password to an attacker. The phrase competently programmed is the flaw in this argument. There are a number of pitfalls to safely storing user passwords. One break-in to an incompetently programmed site is enough to reveal my password to dozens of other sites. I would assume a site which doesn’t store my passwords securely is also a prime candidate for not being terribly secure in many other ways, compounding this problem.
After such a break-in, it is nearly impossible to change my password—thereby re-securing my account—on all the sites where I’ve used the revealed password. Even if I change it for “important” sites, the old password is still used for many others; it is also likely that a long forgotten password will be required to access a site I use irregularly.
A better way to authenticate me would be for a single third-party site to verify my identity on others’ behalf. The authenticating site can employ smart people to ensure their systems are secure and provide other sites with simple to use interfaces to use their services. In this way, only the site which authenticates me to other sites need securely store my credentials.
Others then merely ask that site to check I am who I claim to be. They can concentrate on being good at recommending films, storing my documents or displaying my photographs—whatever they are good at, rather than storing my authentication details securely.
As a further benefit, a user only has to remember one password which is not spread amongst several dozen sites of greater or lesser security. If a user’s login details are compromised, they need only change them on one site, rather on every site they have an account. Better still, the authentication site can take steps to prevent phishing attacks and provide more secure methods to validate it is really me.
One such effort to enable such a service is OpenID. OpenID is a protocol which allows one site to delegate authenticating a user to a different site, in the way I describe above. A user signs up with an OpenID provider, who is then responsible for authenticating the user to other sites. I have signed up with a provider called My OpenID.
I am not expert enough yet to know whether a protocol like OpenID would be suitable for high-security applications such as online banking. Saying that, however, the current state of security in online banking applications is laughable; a username and password is the same level of security as that protecting your Twitter account. I would be surprised if there were many security experts involved in the creation of security schemes for online banks.
Again, this implies a single, specialist entity would be a better solution than the current farce of accounts, passwords, usernames, so-called “memorable information” and sites rolling their own imperfect ideas.