Comment Re:I disagree (Score 1) 549
What we really need is some kind of standardized identity management system-- like you know how you can sign onto various sites using either your Facebook or Google+ sign-on? Like that, but standardized. We need a true single-sign-on solution that is easy to manage, hard to screw up and lose your identity permanently, and usable everywhere.
This has been obvious for well over a decade, but we can't do it because we don't create standards anymore. For any solution, Microsoft wants to have their solution, Facebook wants theirs, Google wants to do it their own way, and Apple wants to do something different from all the rest. Each company pretty much wants a solution that will benefit themselves and screw over their competitors. None are really focused on creating the best solution for social/economic/computing progress, and if they were, it would still be impossible to get others on board. So that's the real problem. Unwillingness to create standards.
I completely agree with this - and it gets even worse: who gets trusted? SSO works in a corporate Windows domain because the answer to "who gets trusted" is "the company's internal systems...and it's the company's data anyway." Logging into the company's AD/Exchange/Sharepoint is just fine, because the systems authenticating stuff and the systems storing stuff are effectively the same.
Now on the greater internet, who do we trust? I have a friend who trusts Apple with basically everything, a friend who trusts Google with literally everything, a friend who trusts Microsoft with more of everything than not, and me, who trusts my own systems and no one else's. You own Nine-Times.com, a vBulletin forum for cat enthusiasts. You trust Google and Apple, but not Microsoft. Two friends can SSO in; the other two of us can make internal accounts for the forum. Google friend owns androidfanbois.com, another vBulletin site. He allows Google's SSO. Three of us need accounts now.
So, we then do something like the US Federal Government having a standardized "internet identity", available to anyone who wants it. Well, we can forego corporate fanaticism this way, but now we've legislated digital identities and said goodbye to even the illusion of anonymity, and have a digital treasure trove of data for not only hackers and identity thieves (do you REALLY think the federal government is going to have bulletproof security on this thing?), but now you tell me that the NSA isn't tapping all of *that* "metadata", and I've got a password storage device for you. More to the point, if you google 'voyager529', you will indeed see my photo in the very first set of image results, and have a pretty good idea of who I am and what I do. I have a completely separate digital identity that is *not* tied to 'voyager529' in any sense. If the federal government gets in the online identity business, I sincerely doubt I'd get two.
We've eliminated corporate, and we've eliminated government, which leaves us with two obviously-even-worse options: self-signing and crowdsourcing. Self-signing gives us no real concept of who the person is, which is why Usenet devolved into the spam garden it is today. Requiring X number of people already joined to a website to validate that you are who you say you are turns logging into stuff into a popularity contest.
Passwords get stuck to monitors and under keyboards. Password managers are treasure troves to compromise and aren't cross compliant. Possession-based authentication (RFID card, NFC/Cell phone, etc.) makes losing your wallet ten times worse and you still need an issuing authority to oversee unique cards tied to a particular human. Biometrics are nice, but cross-device biometrics still have the problems of password managers, and having all ten fingers enrolled is a good idea, because one lapse in tomato slicing safety precautions and you won't be accessing your Gmail for a week.
No matter how we slice it, "proving that a person is the correct person on the internet" is a problem inherently tied to the problems that 1.) one's authentication MUST be represented as data, and 2.) computers, by design, perfectly replicate data VERY efficiently. Adhering to the first requirement while preventing the second is a problem whose solution will revolutionize computing again.
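The closing point (authentication must be data, and computers copy data perfectly) can be made concrete with a small illustration. The following Python is an added example, not code from the commenter or from any product mentioned in the thread; the shared key, the two toy login schemes and the server class are all constructed for the demonstration. It shows that a static credential captured once can be replayed, that a nonce-based challenge-response defeats replay of the captured exchange, and that the underlying key is nonetheless still data: a byte-for-byte copy of it authenticates just as well as the original, which is exactly the tension the comment describes.

```python
"""Added illustration (not part of the original comment): two toy
authentication schemes, showing what 'authentication is data' costs."""
import hashlib
import hmac
import secrets

# Constructed sample credential for the demo; not a real secret.
SHARED_KEY = b"constructed-demo-key"


# --- Scheme 1: a static secret-derived token sent on every login ----------
def static_login_message(secret: bytes) -> bytes:
    """What crosses the wire: the same bytes on every login."""
    return hashlib.sha256(secret).digest()


def static_verify(message: bytes, secret: bytes) -> bool:
    """Server side: compare against the expected static token."""
    return hmac.compare_digest(message, hashlib.sha256(secret).digest())


# --- Scheme 2: challenge-response with a fresh, single-use nonce ----------
class ChallengeServer:
    """Constructed toy server: issues nonces and accepts each one once."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._outstanding: set = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:      # unknown or already consumed
            return False
        self._outstanding.discard(nonce)        # single use: no replay
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def respond(key: bytes, nonce: bytes) -> bytes:
    """Client side: prove key possession without sending the key."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


# --- Three observations ----------------------------------------------------
def replay_static() -> bool:
    """A copy of the static login message works again: True = replay succeeds."""
    captured = static_login_message(SHARED_KEY)   # eavesdropper records it
    return static_verify(captured, SHARED_KEY)    # ...and submits it later


def replay_challenge() -> bool:
    """A copy of a legitimate challenge/response pair is rejected on reuse."""
    server = ChallengeServer(SHARED_KEY)
    nonce = server.challenge()
    captured = respond(SHARED_KEY, nonce)
    if not server.verify(nonce, captured):        # the genuine login
        raise RuntimeError("legitimate login should succeed")
    return server.verify(nonce, captured)         # replay: False


def copied_key_still_works() -> bool:
    """The key itself is data; a perfect replica authenticates fine."""
    server = ChallengeServer(SHARED_KEY)
    copied_key = bytes(SHARED_KEY)                # byte-for-byte copy
    nonce = server.challenge()
    return server.verify(nonce, respond(copied_key, nonce))


if __name__ == "__main__":
    print("static token replay succeeds:", replay_static())
    print("challenge-response replay succeeds:", replay_challenge())
    print("copied key authenticates:", copied_key_still_works())
```

The nonce fixes only the replay of what crosses the wire; it does nothing about the copyability of the secret at rest, which is why hardware-bound keys and possession factors keep coming up in these discussions and why the comment's two requirements remain in tension.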