Monday, November 15, 2010

Ubiquitous Identity

The idea of having one account/identity to rule them all isn't new. Folks have tried it in the past (Microsoft's Passport, now Live ID; OpenID; AOL; etc.) and it never really seemed to get traction: of all of the sites a person would visit, the vast majority would still require you to create a *new* account and re-enter ALL of your details. Within the past year that seems to have started to change. Facebook, Twitter, Google, and others all provide authentication hooks (many using OAuth) so that you can log in to a different site using the same credentials you use for FB, etc.

This is interesting for a couple of reasons:

  1. It basically guarantees that you will ALWAYS be signed into FB, etc. If there are times when you're not regularly using Facebook and perhaps your session has even expired, Facebook Connect (used to link up your account and provide your Facebook identity to a different site) will refresh your Facebook session.
  2. It centralizes authentication for basically the entire Internet, which means it's a pretty big target... Break into my Facebook account and you have access to lots of other accounts that I have. I suppose it's arguable that a person's digital presence is more secure if they have distributed accounts, but it would at a minimum make it a little harder for an attacker, and if the user uses multiple strong passwords it's a good deal harder.
  3. It creates a huge moat for Facebook and cedes them a lot of power. Don't like what they're doing with your account, or in general, and you're inclined to cancel your account? Think again: it's going to be a pain to re-set up all of those other accounts, unless you plan on losing access to the other things you care about.
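To make the three points above concrete, here is an added example (not code from the original post, and not Facebook's or Google's actual API) that simulates the OAuth-style delegated login the post describes: a central identity provider, two relying-party sites that accept its identities, an authorization code handed back through the browser, and a back-channel exchange of that code for a token. All names (`IdentityProvider`, `RelyingParty`, `photos.example`, the user `alice`) are constructed for the illustration. The `demo()` function logs the same user into both sites through the provider, then revokes every grant at the provider and shows that both sites lose the user at once.

```python
import hashlib
import hmac
import secrets


class IdentityProvider:
    """Stand-in for a central identity provider (constructed, not a real API)."""

    def __init__(self):
        self.users = {}          # username -> password digest
        self.clients = {}        # client_id -> (client_secret, registered redirect_uri)
        self.pending_codes = {}  # one-shot authorization code -> (client_id, username)
        self.tokens = {}         # access token -> (client_id, username)

    def register_user(self, username, password):
        # Illustration only: a real provider uses a slow, salted password hash.
        self.users[username] = hashlib.sha256(password.encode()).hexdigest()

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, state, username, password):
        """Front channel: the user authenticates HERE; the relying party never sees the password."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match the registered one")
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(self.users.get(username, ""), digest):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self.pending_codes[code] = (client_id, username)
        return {"code": code, "state": state}   # what the browser carries back to the site

    def exchange_code(self, client_id, client_secret, code):
        """Back channel: the code is single-use and bound to the client it was issued to."""
        registered_secret, _ = self.clients[client_id]
        if not hmac.compare_digest(registered_secret, client_secret):
            raise PermissionError("bad client secret")
        owner, username = self.pending_codes.pop(code)   # KeyError on replay of a used code
        if owner != client_id:
            raise PermissionError("code was issued to a different client")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (client_id, username)
        return token

    def userinfo(self, token):
        return self.tokens[token][1]                      # KeyError once the token is revoked

    def revoke_all(self, username):
        """Cancelling the central account (or having it locked) kills every derived grant."""
        self.tokens = {t: v for t, v in self.tokens.items() if v[1] != username}


class RelyingParty:
    """A site that outsources login to the provider (constructed for the example)."""

    def __init__(self, idp, client_id, client_secret, redirect_uri):
        self.idp, self.client_id = idp, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending_states = set()   # anti-CSRF nonces for in-flight logins
        self.sessions = {}            # local session id -> (username, provider token)

    def start_login(self):
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri, "state": state}

    def finish_login(self, callback):
        if callback["state"] not in self.pending_states:
            raise PermissionError("unknown state: callback was not started by this site")
        self.pending_states.discard(callback["state"])
        token = self.idp.exchange_code(self.client_id, self.client_secret, callback["code"])
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = (self.idp.userinfo(token), token)
        return sid

    def whoami(self, sid):
        """Re-validate the provider token so a revocation upstream ends the local session too."""
        username, token = self.sessions[sid]
        try:
            self.idp.userinfo(token)
        except KeyError:
            del self.sessions[sid]
            return None
        return username


def demo():
    idp = IdentityProvider()
    idp.register_user("alice", "correct horse battery staple")
    sites = []
    for host in ("photos.example", "forum.example"):
        cid, csec, uri = f"{host}-client", secrets.token_urlsafe(8), f"https://{host}/callback"
        idp.register_client(cid, csec, uri)
        sites.append(RelyingParty(idp, cid, csec, uri))
    sids = []
    for site in sites:
        req = site.start_login()   # site redirects the browser to the provider...
        cb = idp.authorize(req["client_id"], req["redirect_uri"], req["state"],
                           "alice", "correct horse battery staple")
        sids.append(site.finish_login(cb))   # ...and the provider sends the browser back
    before = [s.whoami(sid) for s, sid in zip(sites, sids)]
    idp.revoke_all("alice")
    after = [s.whoami(sid) for s, sid in zip(sites, sids)]
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())   # {'before': ['alice', 'alice'], 'after': [None, None]}
```

Two things in the simulation map onto the post's concerns: the relying parties only ever hold a provider token, never the password, so the provider account is the single thing worth protecting (point 2), and a single `revoke_all` at the provider, whether the user chose it or the provider did, logs the user out of every site at once (point 3). The `state` check and the single-use code are the standard guards a relying party needs so that a callback it did not initiate, or a replayed code, cannot establish a session.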

Generally, I'm not a security- or privacy-conscious person, but the more I think about this the more it seems like there should be some central/regulated/neutral authority for identity and authentication.
