The article closes by trotting out the usual advice about making usernames and passwords secure - make them long and cryptic, don't use the same credentials for more than one service, and don't write them down. However, I heard a piece on BBC Radio 4 not long ago in which Damian Grammaticus investigated computer security and hacking. It showed that any Windows password under 14 characters long could be cracked in seconds, regardless of how many punctuation characters and digits it contained. Since we're all forced to register with dozens, if not hundreds of different IT services on the Internet and our employers' networks, it simply isn't possible for standard-issue mortals to memorise that many cryptic usernames and passwords (particularly where IT policy demands that the password be changed regularly).
Common approaches to overcome these wetware limitations include
- Writing usernames and passwords down - not recommended because anyone could find them and steal your precious secret information
- Using a standard username and password for many different sites - again not recommended because if a thief finds out one valid combination, (s)he can access all your accounts
- Generating usernames and passwords by means of some function, which you can compute mentally without too much effort and which preferably takes the current month and/or the URL of the service as parameters - this works OK in certain situations, but because the algorithm can't be terribly complicated, someone could reverse-engineer it and have access to all your accounts
- Using a password manager application: something that you install on your laptop (say) and which stores all your usernames and passwords for you, encrypted of course, so that you can only gain access using a master password or even biometric authentication - disadvantages may include the risk of losing the device or the master access key, as well as the inconvenience of having to have the device to hand whenever you need one of your account credentials (not to mention the cost of the password manager itself)
- Trusting an Internet service such as DataInherit to manage the keys for you, which has the advantage that should you die or be incapacitated, a nominated person or persons can automatically be given access to selected accounts in your portfolio - disadvantages include the price and the number of steps you have to go through to retrieve any given username and password
Surely the time is ripe for a security architecture that fully separates authentication from authorisation. Depending on your spending power and level of paranoia, you could procure authentication services from any reputable trust authority of your choosing, which could make use of a single very secure identifier and pass phrase, optionally combined with more stringent authentication factors such as digital certificates, RSA SecurID devices, or even biometrics. The identity thus established would be securely and trustworthily conveyed to whatever service you were trying to access - regardless of whether it is on a company intranet, the public Internet or your ATM network.
Unfortunately the Twitters and Googles of this world, not to mention the myriad online shopping sites, still want you to register with them directly and not with some third-party authentication provider. This is because they believe that there's value in knowing your real world (meatspace) name and address, age, marital status and what have you so that they can push targeted marketing at you. It doesn't seem to bother them that the majority of the data thus gathered is probably untrue, because most Internet users are paranoid about giving away such information.
I want single sign-on to be ubiquitous, effortless, virtually unhackable and foolproof (as well as heritable, as directed by me, when I leave this world, so that my digital assets are not locked away forever). By "ubiquitous", I mean that I should be able to use the same sign-on for my employer's network as for any client's network which wants to authorise me to access some selection of their IT services, for Internet services on which I register and preferably at the bank's ATM too. By "effortless", I mean that authenticating myself to all these services is necessary only once per computer per day and ideally doesn't require me to memorise anything, or at most one thing. A physical token in addition, or a biometric, would be acceptable.
The theoretical foundations already exist, underpinning such standards as Kerberos and WS-Trust. But to make it work in the real world of competing and highly disparate IT services, the community of service providers would need to discover some kind of shared interest in implementing it as standard. A grand computing challenge for the new millennium, perhaps?