Logins on the web today generally consist of either a username and password or an email address and password. This has to change. The reason is simple: people don't choose good passwords, and even when they do, they reuse them across multiple sites. That means the sysadmin of some site may know your password to other sites, that site may get hacked by accident, or any of a multitude of other things can happen to it.
Email addresses as usernames are inherently bad. First of all, someone wanting to break in would not even have to guess your login name, only your password. Also, people tend to use webmail for their email today, which means that anyone running that system can use those credentials to log on as someone else.
Most services will reset your password for anyone who has access to your mail. It is easy to sneak onto a colleague's computer, request a password reset, fetch the new password, delete the mail, then go to another computer, log in and change the email address used for resets. The original user stands little chance of ever getting the account back.
We are starting to see logins based on your Facebook, Google or even Yahoo! account, although such services are getting scarcer every day. That is at least a step in the right direction: if you have two-factor authentication turned on (Google supports this), it can be reasonably safe. Nothing is a hundred percent, and it may not need to be; reasonably safe is good enough here.
But that relies on a third-party service, which leaves you vulnerable if it goes offline. And if your account gets cancelled for whatever reason, even just by mistake, you're screwed and may not even be able to log in to your email to send a complaint.
There has to be a better way!
We have already seen some attempts. There are web login systems out there that display a challenge to your phone, which then sends a response computed with a local encryption key. Clever, but if your phone has no network it won't work very well. There are other similar schemes built around sounds, light shows, QR codes or whatnot that you scan with your smartphone.
But all of this relies on advanced hardware that may be out of battery or have no connection to the network, and if you are roaming you may not WANT to connect it to the operator network for data traffic because of the immense roaming charges.
There has to be a better way!
In fact, the solution is pretty easy. We can use standard, everyday public key encryption to make this work pretty well. It is similar to what we do with SSL, but without the fuss, and done in a way that lets a registered user identify himself by signing a login certificate with his private key.
The certificate is issued by the web site when you register. It is encrypted with your public key, so only you can decipher it. When you log in, you encrypt the same certificate with the web site's public key, so only they can verify your authenticity. You also sign it with your private key, so the web site can verify that your key is still valid.
All this needs is a pen drive and some open source software.
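Here is the exchange described above, worked through as an added example rather than the post's own code. It assumes RSA keys on both sides, RSA-OAEP for the two encryptions and RSA-PSS for the signature, and models the "login certificate" as a random 32-byte token that the site keeps a copy of.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Register mints a random login certificate (assumed: a 32-byte token) and returns it encrypted to the user's public key.
func Register(userPub *rsa.PublicKey) (cert, encForUser []byte, err error) {
	cert = make([]byte, 32)
	if _, err = rand.Read(cert); err != nil {
		return nil, nil, err
	}
	encForUser, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, cert, nil)
	return cert, encForUser, err
}

// Login decrypts the certificate, re-encrypts it to the site's key and signs the ciphertext with the user's private key.
func Login(userPriv *rsa.PrivateKey, sitePub *rsa.PublicKey, encForUser []byte) (encForSite, sig []byte, err error) {
	cert, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, userPriv, encForUser, nil)
	if err != nil {
		return nil, nil, err
	}
	encForSite, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, sitePub, cert, nil)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(encForSite)
	sig, err = rsa.SignPSS(rand.Reader, userPriv, crypto.SHA256, digest[:], nil)
	return encForSite, sig, err
}

// Verify checks the signature against the registered public key first, then decrypts and compares with the stored copy.
func Verify(sitePriv *rsa.PrivateKey, userPub *rsa.PublicKey, stored, encForSite, sig []byte) error {
	digest := sha256.Sum256(encForSite)
	if err := rsa.VerifyPSS(userPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return errors.New("signature does not match the registered key")
	}
	cert, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, sitePriv, encForSite, nil)
	if err != nil || !bytes.Equal(cert, stored) {
		return errors.New("certificate mismatch")
	}
	return nil
}
```

Note that, exactly as the post describes it, the login message is the same every time, so a site deploying this would want to add a fresh per-login nonce under the signature to rule out replay.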
It's time to build a better login method for the web. It's time to make it easy. Keys can be stored on a thumb drive, on your phone or even on your own computers. No need for a third-party service. Losing a key means a revocation certificate is sent, your old key is no longer valid, and a new one needs to be provided.
When do we build it?