Randall Stross in his recent
article to
The New York Times, highlights some of the very valid issues against the use of passwords.
"I once felt ashamed about failing to follow best practices for password selection — but no more. Computer security experts say that choosing hard-to-guess passwords ultimately brings little security protection. Passwords won’t keep us safe from identity theft, no matter how clever we are in choosing them."Best practices on selecting better passwords always only provide guidelines for how to select a password which is 'hard to guess' - NOT unbreakable. With this point, I totally agree with Randall - Yes, true - passwords do not seem to be the 'right' solution for digital identity.
He further adds.
"As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code."Yes, true - information cards provide a cryptographic solution to the authentication problem in a phishing resistant manner.
Even in this case - passwords are not totally taken out of the picture.
A given information card can be backed by a username/password, a self-issued information card or an X.509 token.
Also, in all three cases - if your machine, where you have installed all your Information cards, is protected by username/password - still we have not totally eliminated the risk of using passwords. Anybody who steals your machine username/password can easily use any of your information cards to authenticate in to any of the relying party web sites who accept your information cards.
Here comes the most interesting part of Randall's article.
"We won’t make much progress on information cards in the near future, however, because of wasted energy and attention devoted to a large distraction, the OpenID initiative. OpenID promotes “Single Sign-On”: with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials."Oops... I am sorry... I totally disagree.
First I disagree with him on the point about Information cards.
CardSpace has made a good progress in the past and it will definitely in the future. It's not just Microsoft that has taken the CardSpace initiative forward - but it has also attracted many open source vendors as well. For example,
WSO2 with it's
Identity Solution has support for CardSpace - both as an Identity Provider as well as providing relying party components.
Second - I totally disagree with him on his comments on OpenID.
"...however, because of wasted energy and attention devoted to a large distraction, the OpenID initiative."When such a comment is made - there needs to be enough facts to elaborate more on it. But, unfortunately there is nothing in it to justify.
Both OpenID and CardSpace are two technologies which support user-centric identity.
When you say - 'OpenID vs CardSpace' - it's simply an invalid statement. It should be 'OpenID and CardSpace'. Both the technologies work together smoothly. Please read
this blog post by Kim Cameron.
"...OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else’s Web site."This is totally misleading.
OpenID specifications never promote a single way of authenticating users to the OpenID Provider.
It can be username/password ,X.509 certificates or even Information cards.
I can take out many examples from the the web which support many of these authentication mechanisms for user authentication.
Randall, further adds.
"...Because the companies see the many ways that the password-based log-on process, handled elsewhere, could be compromised."Once again - it seems Randall has misunderstood OpenID as a way of password-based login - sorry, sir - it is not.