One of the really annoying things about the Internet is authenticating yourself – that is, having to remember lots of different userids and passwords. Why can’t there be some way of just logging on once, having one userid and password that will work just about anywhere?
In a recent discussion on Joi’s weblog, I suggested a way that it might be done, using the same principles that have made weblogs so straightforward and so great.
It’s not that people haven’t tried similar things before. Microsoft did, and they have an authentication platform called Passport. However, it has a number of problems – there have been security questions, your site has to be a Microsoft partner to use it, and a lot of people are uncomfortable with permanently lodging all their access information in a Microsoft database.
So I was thinking that the blogging community could do something similar, but on a very decentralised basis, in the same way that blogs are decentralised. (This description is a bit technical, and assumes some knowledge of authentication and of how weblog software such as Movable Type works.)
The best thing to do would be to set up something very simple to start with. It’s not necessarily a good idea to start by trying to provide a solution for logging into something really important like a banking site. As a beginning, I was thinking of a system that would enable the email address I give when I comment on a blog site (such as this one) or when I send a ‘trackback’ ping to be verified.
This is roughly what would happen when I posted a comment on someone else’s (say Joi’s) blog. Like I say, it’s a bit technical, so skip down to the end if you get lost.
When I post to the site, I type in my email address, and tick a box to indicate that I would like to be authenticated. When I press the submit button, my comments would be submitted to Joi’s blog software. Joi’s blog software would create a ‘token’ (a random string of letters and numbers) which it would then send directly to my blog software on my site. It would also do a ‘redirect’ of my browser back to my site, with the token embedded in the URL to which I had been forwarded.
The software on my site would verify against its user database that I was who I said I was. (This would be done using the cookie – just the same way I am always authenticated when I log on to my blog software.) It would also check that the token it received from my browser and the token it received directly from Joi’s site were the same. If they are the same, it means that the person who is posting a comment on Joi’s site is definitely me: only the real owner of the account has the cookie, and only the genuine comment submission has the token. My blog software then contacts Joi’s site and confirms that I am who I say I am.
I am then redirected back to Joi’s site, where my authentication is confirmed, and I am thanked for my comment.
The same idea could be used for all sorts of authentication. Authenticating a trackback to check that it did actually come from a particular user on a particular website is actually even simpler than this. You just supply a token with the trackback request, and the token can be queried with the source blog later on to ensure validity.
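The comment round-trip above and the simpler trackback check are easy to see end to end in a small simulation. The following is an added example written for this page, not code from the post or from any real blog software: two in-memory sites stand in for my blog and Joi’s, the class names and the five-minute token lifetime are assumptions, and the e-mail addresses and URLs are constructed. It also shows the three checks a practitioner would want the home site to make before vouching: the browser really holds a valid login cookie, the token from the browser matches one received directly from the relying site and has not expired, and the logged-in user is the address that was claimed. Tokens are consumed on first use so a captured redirect URL cannot be replayed.

```python
# Added toy simulation of the token round-trip described in the post.
# Everything here is constructed for illustration: the class names, the
# in-memory dictionaries and the five-minute lifetime are assumptions, not
# part of any real blog software.
import secrets
import time

TOKEN_TTL_SECONDS = 300  # assumption: a token is only honoured for five minutes


class HomeBlog:
    """The commenter's own site: it holds the user database and the login cookie,
    so it is the only party that can vouch for the commenter."""

    def __init__(self, users):
        self.users = set(users)   # constructed: known e-mail addresses of this blog's users
        self.sessions = {}        # login cookie -> e-mail (the normal blog login)
        self.pending = {}         # token received directly from a relying site -> (claimed e-mail, time)
        self.trackbacks = {}      # token issued with an outgoing trackback -> (e-mail, source post URL)

    def login(self, email):
        """Stands in for the normal blog-software login; returns the session cookie."""
        if email not in self.users:
            raise ValueError("unknown user")
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = email
        return cookie

    def receive_token(self, token, claimed_email):
        """Server-to-server message from the relying site: 'someone claiming this address is commenting'."""
        self.pending[token] = (claimed_email, time.monotonic())

    def handle_redirect(self, token, cookie):
        """The browser arrives with the token in the URL. Vouch only if the cookie
        identifies a logged-in user, the token matches one received directly, it is
        fresh, and the logged-in user really is the address that was claimed."""
        session_email = self.sessions.get(cookie)
        if session_email is None:
            return False                       # not logged in here: cannot vouch
        entry = self.pending.pop(token, None)  # pop: a token may be used only once
        if entry is None:
            return False                       # never received directly, or already used
        claimed_email, issued_at = entry
        if time.monotonic() - issued_at > TOKEN_TTL_SECONDS:
            return False                       # stale token
        return session_email == claimed_email

    def issue_trackback_token(self, email, post_url):
        """Mint the token that rides along with an outgoing trackback ping."""
        token = secrets.token_urlsafe(32)
        self.trackbacks[token] = (email, post_url)
        return token

    def verify_trackback(self, token):
        """Answer a relying site's later query: which user and post does this token belong to?"""
        return self.trackbacks.get(token)


class RelyingBlog:
    """The site being commented on (Joi's blog in the post)."""

    def __init__(self):
        self.issued = {}     # token -> (claimed e-mail, comment text)
        self.confirmed = []  # comments whose author's address was vouched for

    def submit_comment(self, claimed_email, comment, home):
        """Mint a token, send it directly to the commenter's site, and return it
        so the caller can embed it in the redirect URL."""
        token = secrets.token_urlsafe(32)
        self.issued[token] = (claimed_email, comment)
        home.receive_token(token, claimed_email)
        return token

    def confirm(self, token, vouched):
        """Final step: the home site reports whether it vouched for this token."""
        entry = self.issued.pop(token, None)
        if entry is None or not vouched:
            return False
        self.confirmed.append(entry)
        return True

    def receive_trackback(self, token, claimed_email, post_url, home):
        """Trackback variant: query the source blog about the token it sent."""
        record = home.verify_trackback(token)
        return record == (claimed_email, post_url)


def comment_flow(home, relying, claimed_email, comment, cookie):
    """Runs the whole comment round-trip and returns whether the comment was authenticated."""
    token = relying.submit_comment(claimed_email, comment, home)  # direct call + redirect URL
    vouched = home.handle_redirect(token, cookie)                 # browser follows the redirect
    return relying.confirm(token, vouched)                         # home site reports back
```

In a real deployment the two `receive_token` and `confirm` calls would be HTTP requests between the sites, and the redirect would carry the token as a query parameter; the point the simulation makes is that the token alone proves nothing, it is the combination of the token arriving by both paths and the home site's own login cookie that ties the comment to a real user.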
Of course the system could be made more sophisticated and bulletproof later on by the use of fancy techniques such as public and private key cryptography. You could also incorporate special records for it into the DNS later on, to make it more resilient.
Joi asked what would happen to people who didn’t have blogs – well, the authentication service could just as easily be incorporated with a webmail service, or a standard ISP service, once it caught on.
UPDATE: added this diagram, to explain things better.