
BLU Discuss list archive



[Discuss] eliminating passwords



Elsewhere today there was a thread mentioning StarSSL. They take an
interesting approach to site security. They don't use passwords. As part
of the process of getting your SSL certificate, they generate a
client-side SSL certificate that you install in your browser.
Thereafter, when you visit the StarSSL site over an SSL connection, it
knows exactly who you are via PKI key exchange, and has no need for
passwords.

This tech has been built into browsers for decades, and is something
banking and other high risk sites could have adopted to significantly
improve their security. (You can't phish a user's password if they never
enter it.) It does require a little bit of setup, but the process could
easily be made smoother, and pales in comparison to the cat herding task
of making average consumers use password managers and generate strong
random passwords.

The big downside to the tech is that it isn't machine portable. At
least not easily. If you are inclined to log in to your bank from your
tablet, in addition to your desktop, you'd have to repeat some sort of
an authentication process, or otherwise figure out how to get your
client key moved over there.

Far from a perfect solution, but it's cheaper and a better user
experience than two-factor.

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
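The client-certificate login described in the post above, shown end to end as an added Go example (this is not code from the original post, nor from the site it discusses): a toy in-memory CA issues a server certificate and a client certificate, the server requires a CA-issued client certificate on every connection and takes the user's identity from the verified certificate, and a request that presents no certificate is refused. The names ("Example Root CA", "tom@example.org"), the loopback address and the 24-hour certificate lifetime are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCert mints a P-256 key pair and an X.509 certificate for cn. With ca == nil
// it produces a self-signed CA; otherwise the given CA signs it. Toy PKI for the
// example only: keys live in memory and certificates last 24 hours (assumption).
func newCert(cn string, eku []x509.ExtKeyUsage, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest listens on loopback
		BasicConstraintsValid: true,
	}
	parent, signer := tmpl, key // self-signed unless a CA is supplied
	if ca == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		parent, signer = ca, caKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Demo starts an HTTPS server that accepts only connections carrying a client
// certificate issued by the example CA, performs one request with such a
// certificate and one without, and returns the identity the server derived
// from the certificate plus whether the certificate-less request was refused.
func Demo() (user string, anonRefused bool, err error) {
	caCert, caKey, err := newCert("Example Root CA", nil, nil, nil)
	if err != nil {
		return "", false, err
	}
	srvCert, srvKey, err := newCert("127.0.0.1", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, caCert, caKey)
	if err != nil {
		return "", false, err
	}
	cliCert, cliKey, err := newCert("tom@example.org", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, caCert, caKey)
	if err != nil {
		return "", false, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)

	// No password anywhere: the handler reads the user out of the verified
	// client certificate, which RequireAndVerifyClientCert guarantees is present.
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // handshake fails without a CA-issued client cert
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	defer srv.Close()

	// The browser-with-certificate case: the client key never leaves this process.
	withCert := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs:      pool,
		Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}},
	}}}
	resp, err := withCert.Get(srv.URL)
	if err != nil {
		return "", false, err
	}
	body, err := io.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil {
		return "", false, err
	}

	// The phisher's case: a client that trusts the server but holds no certificate.
	anon := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
	if resp2, err := anon.Get(srv.URL); err == nil {
		resp2.Body.Close()
		return string(body), false, nil
	}
	return string(body), true, nil
}

func main() {
	user, refused, err := Demo()
	fmt.Println(user, refused, err)
}
```

The server trusts the Common Name only because the chain back to ClientCAs was verified during the handshake; an application must never read identity from a certificate the TLS layer was allowed to skip (tls.RequestClientCert or VerifyClientCertIfGiven without a check for an empty PeerCertificates). The portability problem the post raises is visible here too: the identity is the private key held by the client process, so a second device needs either its own certificate enrolled with the CA or a copy of that key.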


