In the session on authentication without passwords (beyond passwords), Lisa Dusseault made the following assertions (with some help from the room):
- Existing browsers do not succeed in verifying site identity to users
- HTML forms for login considered harmful.
- Browser-based third-party identity systems habituate users to being redirected to enter their password (task fixation). When you catch someone in the middle of doing something, they will plow through all kinds of barriers to "get the job done." Most current password redirection schemes redirect users to authenticate.
- Any password-based system is vulnerable to password phishing attacks. Once you've given up the password, it's gone. Most users share passwords, sometimes for legitimate reasons. Certificates are little better.
- Subverting a leveraged identity is more attractive. There has to be some balance between convenience and single sign-on. I made the point that our physical wallets are a model here. Jim Harper's book is instructive here.
- Restoring integrity and reputation is expensive. It's usually easier for crackers to adapt to our defenses than it is for us to adapt to their attacks.
Some design points:
- Bits on the wire should be temporal
- Consistent user interface
- Spoof resistant interface
- Verify site before releasing identity information
- Portability (kiosk access)
- Make insider attacks difficult
- Allow multiple credentials
- Consistent and seamless lifecycle of credentials and keys
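To make the first design point concrete, here is a small added illustration (my own example code, not anything presented in the session) of what "bits on the wire should be temporal" buys you compared with a static password. The password case ships the credential itself, so anything an eavesdropper captures can be replayed forever. The challenge-response case ships only an HMAC over a server-issued, single-use nonce with a short lifetime, so the same captured bytes are useless a moment later. The usernames, the 32-byte shared key and the 30-second lifetime are constructed values chosen for the demo.

```python
import hashlib
import hmac
import secrets
import time


class ReplayingEavesdropper:
    """Records the last message a client sent and replays it verbatim."""

    def __init__(self):
        self.captured = None

    def observe(self, msg):
        self.captured = msg
        return msg


# --- Static password: the bits on the wire ARE the credential -------------
def password_login(users, username, password):
    """Hypothetical server check: the submitted password is compared directly."""
    return users.get(username) == password


# --- Temporal challenge-response: the bits on the wire expire -------------
def prover_response(key, nonce):
    """Client side: prove possession of `key` over this nonce only."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Verifier:
    """Server side: issues single-use nonces and checks responses against them."""

    def __init__(self, keys, ttl=30.0, now=time.time):
        self.keys = keys          # username -> shared secret (constructed for the demo)
        self.ttl = ttl            # seconds a challenge stays valid
        self.now = now            # injectable clock so expiry can be demonstrated
        self.pending = {}         # nonce -> (username, issued_at)

    def challenge(self, username):
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (username, self.now())
        return nonce

    def verify(self, username, nonce, response):
        entry = self.pending.pop(nonce, None)   # pop: a nonce can only be used once
        if entry is None or entry[0] != username:
            return False
        _, issued_at = entry
        if self.now() - issued_at > self.ttl:    # stale challenge, reject
            return False
        expected = hmac.new(self.keys[username], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo_password_replay():
    """Captured password bits authenticate again and again."""
    users = {"alice": "hunter2"}                 # constructed user database
    eve = ReplayingEavesdropper()
    on_wire = eve.observe(("alice", "hunter2"))
    first = password_login(users, *on_wire)
    replayed = password_login(users, *eve.captured)
    return first, replayed                       # (True, True): replay works


def demo_challenge_replay():
    """Captured challenge-response bits are worthless once the nonce is spent."""
    key = b"\x01" * 32                           # constructed shared secret
    clock = [1000.0]
    v = Verifier({"alice": key}, ttl=30.0, now=lambda: clock[0])
    eve = ReplayingEavesdropper()
    nonce = v.challenge("alice")
    resp = eve.observe(prover_response(key, nonce))
    first = v.verify("alice", nonce, resp)                   # True: genuine login
    same_nonce = v.verify("alice", nonce, eve.captured)      # False: nonce consumed
    nonce2 = v.challenge("alice")
    cross_nonce = v.verify("alice", nonce2, eve.captured)    # False: bound to old nonce
    return first, same_nonce, cross_nonce


def demo_expiry():
    """Even a correct response is rejected once the challenge has aged out."""
    key = b"\x02" * 32                           # constructed shared secret
    clock = [1000.0]
    v = Verifier({"bob": key}, ttl=30.0, now=lambda: clock[0])
    nonce = v.challenge("bob")
    clock[0] += 31                               # 31 seconds pass, ttl is 30
    return v.verify("bob", nonce, prover_response(key, nonce))   # False


if __name__ == "__main__":
    print("password replay (first, replayed):", demo_password_replay())
    print("challenge replay (first, same nonce, other nonce):", demo_challenge_replay())
    print("expired challenge accepted:", demo_expiry())
```

The caveat a practitioner should keep in mind: temporal bits defeat capture-and-replay, but not a live relay by a phishing site that forwards the fresh challenge to the real server in real time. That is why the list also includes verifying the site before releasing identity information and a spoof-resistant interface; the nonce alone does not solve the user-facing problem.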
We got into a big discussion of why PKI could or couldn't be fixed.