One of the really annoying things about the Internet is authenticating yourself – that is, having to remember lots of different userids and passwords. Why can’t there be some way of just logging on once, having one userid and password that will work just about anywhere?
In a recent discussion on Joi’s weblog, I suggested a way that it might be done, using the same principles that have made weblogs so straightforward and so great.
It’s not that people haven’t tried similar things before. Microsoft did, and they have an authentication platform called Passport. However, it has a number of problems – there have been security questions, your site has to be a Microsoft partner to use it, and a lot of people are uncomfortable with permanently lodging all their access information in a Microsoft database.
So I was thinking that the blogging community could do something similar, but on a very decentralised basis, in the same way that blogs are decentralised. (This description is a bit technical, and assumes some knowledge of authentication and of how weblog software such as Movable Type works.)
The best thing to do would be to set up something very simple to start with. It’s not necessarily a good idea to start by trying to provide a solution for logging into something really important like a banking site. As a beginning, I was thinking of a system that would enable the email address I give when I comment on a blog site (such as this one) or when I send a ‘trackback’ ping to be verified.
This is roughly what would happen when I posted a comment on someone else’s (say Joi’s) blog. Like I say, it’s a bit technical, so skip down to the end if you get lost.
When I post to the site, I type in my email address, and tick a box to indicate that I would like to be authenticated. When I press the submit button, my comments would be submitted to Joi’s blog software. Joi’s blog software would create a ‘token’ (a random string of letters and numbers) which it would then send directly to my blog software on my site. It would also do a ‘redirect’ of my browser back to my site, with the token embedded in the URL to which I had been forwarded.
The software on my site would check against its user database that I was who I said I was. (This would be done using the cookie – just the same way I am always authenticated when I log on to my blog software.) It would also check that the token it received from my browser and the token it received from Joi’s site were the same. If they are the same, it means that the person who is posting a comment on Joi’s site is definitely me. My blog software then contacts Joi’s site and confirms that I am who I say I am.
I am then redirected back to Joi’s site, where my authentication is confirmed, and I am thanked for my comment.
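The exchange described above, as an in-memory simulation (an added example, not part of the original post or of any blog software). The class names, cookie value and e-mail addresses are constructed, and the single-use token and constant-time comparison are assumptions that go beyond what the post specifies.

```python
import hmac
import secrets


class HomeBlog:
    """The commenter's own blog software; it knows its logged-in users."""
    def __init__(self, sessions):
        self.sessions = sessions   # cookie value -> email (constructed data)
        self.pending = {}          # email -> token pushed by a remote blog

    def receive_token(self, email, token):
        # Back-channel message sent directly by the remote blog.
        self.pending[email] = token

    def handle_redirect(self, cookie, email, url_token, remote):
        # The browser arrives carrying its cookie and the token in the URL.
        expected = self.pending.pop(email, None)   # single use (assumption)
        ok = (expected is not None and self.sessions.get(cookie) == email
              and hmac.compare_digest(expected, url_token))
        if ok:
            remote.confirm(email, url_token)       # tell the remote blog
        return ok


class RemoteBlog:
    """The blog being commented on (Joi's, in the post's scenario)."""
    def __init__(self):
        self.issued = {}           # token -> email awaiting confirmation
        self.verified = set()      # emails the home blog has vouched for

    def submit_comment(self, email, home):
        # Create a random token, send it to the home blog, return it for the redirect.
        token = secrets.token_urlsafe(16)
        self.issued[token] = email
        home.receive_token(email, token)
        return token

    def confirm(self, email, token):
        if self.issued.pop(token, None) == email:
            self.verified.add(email)


def run_flow(cookie, claimed_email, tamper=False):
    home = HomeBlog({"cookie-abc": "me@example.org"})
    remote = RemoteBlog()
    token = remote.submit_comment(claimed_email, home)
    url_token = token + "x" if tamper else token
    home.handle_redirect(cookie, claimed_email, url_token, remote)
    return claimed_email in remote.verified
```

The comment is only marked verified when the home blog sees a valid session cookie for the claimed address and the token from the browser matches the one received directly from the remote blog.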
The same idea could be used for all sorts of authentication. Authenticating a trackback to check that it did actually come from a particular user on a particular website is actually even simpler than this. You just supply a token with the trackback request, and the token can be queried with the source blog later on to ensure validity.
Of course the system could be made more sophisticated and bulletproof later on by the use of fancy techniques such as public and private key encryption. You could also incorporate special records for it into the DNS later on, to make it more resilient.
Joi asked what would happen to people who didn’t have blogs – well, the authentication service could just as easily be incorporated with a webmail service, or a standard ISP service, once it caught on.
UPDATE: added this diagram, to explain things better.
This is trusting the commenter’s client software to authenticate the commenter. As he owns it, this is about as reliable as trusting SMTP headers.
That’s not correct! This scheme depends on the commenter’s blog software to authenticate the commenter. The browser itself does not perform the authentication.
Yes, but the commenter is still in control of his blogging software and as such able to manipulate it.
But surely that’s the whole point! You can check for sure that he is in fact the person who owns the blog and not someone else pretending to be him.
What you’re suggesting, Antoin, is very like the authentication method used in the LSoft LISTSERV. It was probably some time in the late eighties that Eric Thomas implemented it. It still works. The “transport” is just e-mail. Cookie-based browser-mediated authentication has been added since, but the more sensitive transactions (changing the password, for example) use e-mail as an “out-of-band” channel.
By offering a variety of both methods and transports, ppl with a less sophisticated infrastructure (no blog of their own, or whatever) can be accommodated. This is analogous to the variety of options PAM provides. Of course, TANSTAAFL: the software is more complex. I wonder why the RIPE DB comes to mind …
Well, it’s not quite like that … this authentication has a peculiar triangular quality to it.
Maybe this (slightly fuzzy) diagram illustrates it a bit better. Just follow the numbers and you’ll be able to understand it:
Obviously, this all depends on the remote blogserver trusting the home blogserver to authenticate the person. But why not trust them? It’s a few blog posts we’re trying to authenticate here. We’re not defending Fort Knox. The idea is to build the simplest thing that might possibly work.
Well, it has just come out in the last week that MS Passport is really easy to break into. Just a warning to everybody! Microsoft have been lax on security again. Their potential penalty in the States for this is in the billions of dollars. Don’t use Passport. Credit card numbers can easily be obtained from it. Really you shouldn’t be using Windows either! Microsoft is a US company who have secret back doors to Windows. Some of them are for the company’s own use (to see what competitor software you have). And a security expert here in Victoria suggested that (as part of the secret deal Microsoft did after 911) other back doors were given to the US government (and a keystroke logger dutifully reports back telling them every move you make!). I use Opera as my browser under Linux. And it reports that 2 scripts are trying to read my passwords, every time I log in anywhere! Now, if the bad guys get that back door info, all your info is easy to grab! The best way to authentication is several platforms. Not just Windows. The authentication method must be cross platform. The main operating systems out there are Windows, Solaris, Linux (in its varieties), Mandrake from France, Suse from Germany and perhaps an Irish one too, Symbian and Palm. We should be using a variety of them for security reasons as well as commercial ones.