by tilsammans 4668 days ago
Passwords are broken and I really wish we would all move away from them. Persona is a nice idea with regards to privacy and control, but it's still a password that you need to remember, which can be cracked. Also, people generally don't use strong passwords.

What irks me is that every OS in use today has support for strong cryptography and browser vendors could easily integrate that. We would no longer register for a website, we would simply upload our "Online Identity" or whatever we called it. This of course is just an id_rsa.pub with maybe name and email in the comment. The remote site stores the public key and the browser authenticates using the private key, stored securely in the keychain.

This has the potential to be invisible to users, and thus used by default, and highly secure since the local keychain can generate incredibly strong keys, all behind the scenes.


Persona doesn't require a password. You could authenticate with an SSL certificate, a Yubikey or whatever else you want. I wrote my own, hosted identity provider (https://www.persowna.net/) which includes 2FA now, and I plan to add more of these types of authentication in the future.
> What irks me is that every OS in use today has support for strong cryptography and browser vendors could easily integrate that. We would no longer register for a website, we would simply upload our "Online Identity" or whatever we called it. This of course is just an id_rsa.pub with maybe name and email in the comment. The remote site stores the public key and the browser authenticates using the private key, stored securely in the keychain.

Like SSL client certificates?

I agree. Do we have to leave this initiative up to the browser developers though? As a website developer why can't I just replace the traditional password form field with a textarea form field, requiring the user to copy and paste their RSA private key (for my site) into the field, which would then be validated against their public key kept in the website user table? For additional security the private/public key pair could also be password locked. As long as my site(s) are using SSL, and other best practices, isn't the biggest risk one of the user losing their private key or having nefarious hands otherwise getting a hold of it?
And how do you access your identity from a device that isn't your own?

I'm 100% with you, it would be a major step forward - but it's too inflexible for Joe & Jane.

I wouldn't mind it if I had to have my phone to access the identity. It would be a simple matter of integration to use the phone to grant a temporary authorization to an unknown device.
And also it kinda destroys the ubiquity of the service. You have to admit, the ability to access your account from any device anywhere is pretty cool (and very critical in some cases).
It certainly is a difficult sell to the average user. For most Internet Banking, it's already implemented, but try to get users to accept that when using Facebook or access to their mail.

In Denmark we have a public system called "NemID". It is a 2-factor authentication, which relies on a card with one-time codes, or eventually, a physical key-generator. It is used for anything related to Internet Banking or access to the public services on the internet, such as application for university, change in tax return, and the like. Unless you can incorporate such a system, which ensures that most users already have the needed physical token, I'm not convinced you can pull it off.