<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://ideas.4brad.com" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>Brad Ideas - Authenticated actions as an alternative to login - Comments</title>
 <link>http://ideas.4brad.com/authenticated-actions-alternative-login</link>
 <description>Comments for &quot;Authenticated actions as an alternative to login&quot;</description>
 <language>en</language>
<item>
 <title>Why complicated?</title>
 <link>http://ideas.4brad.com/authenticated-actions-alternative-login#comment-9967</link>
 <description>&lt;p&gt;I don&amp;#8217;t understand this criticism at all.   While it does require that you go through the ID creation regime (on your own computer) it is vastly simpler.   Consider the two methods.&lt;/p&gt;

&lt;p&gt;Today, if you go to a new blog of the sort that wants you to have an ID to post a comment (I am becoming more unusual in that) the process is:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Click on create user&lt;/li&gt;
&lt;li&gt;Fill in various fields, at a minimum a username, email address (sometimes the same) and password&lt;/li&gt;
&lt;li&gt;Click submit&lt;/li&gt;
&lt;li&gt;Load your E-mail, and check your inbox&lt;/li&gt;
&lt;li&gt;Read email from blog, look for link in it.  Click or cut and paste link&lt;/li&gt;
&lt;li&gt;Return to comment page, where you may now have to login with your new ID and password.&lt;/li&gt;
&lt;li&gt;Tell browser to remember password&lt;/li&gt;
&lt;li&gt;Write your comment&lt;/li&gt;
&lt;li&gt;Click post&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;What I propose looks like this:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Write your comment&lt;/li&gt;
&lt;li&gt;Click &amp;#8220;Post as Brad&amp;#8221; button.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;How can you say this is more complex?  Yes, you did have to install a browser add-on and go through an identity creation process like the one above, but you did it only once, some time ago.&lt;/p&gt;
</description>
 <pubDate>Fri, 10 Jul 2009 13:35:56 -0700</pubDate>
 <dc:creator>brad</dc:creator>
 <guid isPermaLink="false">comment 9967 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>Sounds complicated. Your</title>
 <link>http://ideas.4brad.com/authenticated-actions-alternative-login#comment-9965</link>
 <description>&lt;p&gt;Sounds complicated. Your average user is barely able to type in their username, move the mouse to the password field, type in the password, move the mouse to the login button, and double-click it.&lt;/p&gt;
&lt;p&gt;I&#039;m all for better auths, but if it ain&#039;t simple it ain&#039;t gonna be used.&lt;/p&gt;
</description>
 <pubDate>Fri, 10 Jul 2009 07:17:38 -0700</pubDate>
 <dc:creator>Satya</dc:creator>
 <guid isPermaLink="false">comment 9965 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>Spending money</title>
 <link>http://ideas.4brad.com/authenticated-actions-alternative-login#comment-9864</link>
 <description>&lt;p&gt;I agree that for things like spending sums of money from the bank you want stronger levels of authentication, including
the ability to use a more trusted device like the cell phone instead of an untrusted computer.  (Though this could hurt
you if you are on a trip somewhere you can&amp;#8217;t get cell service and you have an urgent need to transfer money!)&lt;/p&gt;

&lt;p&gt;I think the greatest use of authenticated actions is more casual activity.    Like posting a comment.  Today, on so many sites (not this one) if you want to post a comment, it involves things like registering for an account, confirming in an email, etc.    Even at sites that have tried to fix that problem it involves logging in to something, be it typekey or an account on the site, or facebook auth or whatever.   Or entering an OpenID URL, at the few sites that use OpenID the way it was intended.&lt;/p&gt;

&lt;p&gt;The key thing to what I propose is that you be able to do things on the web with one action, at least more casual things.  So &amp;#8220;Post a message as &lt;me&gt;&amp;#8221; becomes something you can do at any site (that supports it) with one click, as though you were registered and logged in.   The key thing is that it is still an explicit action, so you are not offering up who you are to every web site you visit (as they would all start spamming you.)&lt;/p&gt;
</description>
 <pubDate>Fri, 12 Jun 2009 11:50:01 -0700</pubDate>
 <dc:creator>brad</dc:creator>
 <guid isPermaLink="false">comment 9864 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>I really like the online</title>
 <link>http://ideas.4brad.com/authenticated-actions-alternative-login#comment-9863</link>
 <description>&lt;p&gt;I really like the online protection system of my bank. Everytime time you want to do something to do with cash it sends a 8 charecter password to your registered cell phone. You need to enter this password before doing anything. I think combaning different technologies is the best way of protection in online banking.&lt;/p&gt;
</description>
 <pubDate>Fri, 12 Jun 2009 00:56:34 -0700</pubDate>
 <dc:creator>CK</dc:creator>
 <guid isPermaLink="false">comment 9863 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>Authenticated actions as an alternative to login</title>
 <link>http://ideas.4brad.com/authenticated-actions-alternative-login</link>
 <description>&lt;p&gt;The usual approach to authentication online is the &amp;#8220;login&amp;#8221; approach &amp;#8212; you enter userid and password, and for some &amp;#8220;session&amp;#8221; your actions are authenticated.  (Sometimes special actions require re-authentication, which is something my bank does on things like cash transfers.)   This is so widespread that all browsers will now remember all your passwords for you, and systems like OpenID have arise to provide &amp;#8220;universal sign on,&amp;#8221; though to only modest acceptance.&lt;/p&gt;

&lt;p&gt;Another approach which security people have been trying to push for some time is authentication via digital signature and certificate.  Your browser is able, at any time, to prove who you are, either for special events (including logins) or all the time.   In theory these tools are present in browsers but they are barely used.   Login has been popular because it always works, even if it has a lot of problems with how it&amp;#8217;s been implemented.  In addition, for privacy reasons, it is important your browser not identify you all the time by default.  You must decide you want to be identified to any given web site.&lt;/p&gt;

&lt;p&gt;I wrote earlier about the desire for &lt;a href=&quot;/towards-better-pseudonym-posting-message-boards-casual-commenting&quot;&gt;more casual authentication&lt;/a&gt; for things like casual comments on message boards, where creating an account is a burden and even use of a universal login can be a burden.&lt;/p&gt;

&lt;p&gt;I believe an answer to some of the problems can come from developing a system of authenticated &lt;em&gt;actions&lt;/em&gt; rather than always authenticating sessions.    Creating a session (i.e. login) can be just one of a range of authenticated actions, or AuthAct.&lt;/p&gt;

&lt;p&gt;To do this, we would adapt HTML actions (such as submit buttons on forms) so that they could say, &amp;#8220;This action requires the following authentication.&amp;#8221;    This would tell the browser that if the user is going to click on the button, their action will be authenticated and probably provide some identity information.   In turn, the button would be modified by the browser to make it clear that the action is authenticated.&lt;/p&gt;

&lt;p&gt;An example might clarify things.  Say you have a blog post like this with a comment form.   Right now the button below says &amp;#8220;Post Comment.&amp;#8221;  On many pages, you could not post a comment without logging in first, or, as on this site, you may have to fill in other fields to post the comment.&lt;/p&gt;

&lt;p&gt;In this system, the web form would indicate that posting a comment is something that requires some level of authentication or identity.  This might be an account on the site.  It might be an account in a universal account system (like a single sign-on system).  It might just be a request for identity. &lt;/p&gt;

&lt;p&gt;Your browser would understand that, and change the button to say, &amp;#8220;Post Comment (as BradT).&amp;#8221;   The button would be specially highlighted to show the action will be authenticated.    There might be a selection box in the button, so you can pick different actions, such as posting with different identities or different styles of identification.   Thus it might offer choices like &amp;#8220;as BradT&amp;#8221; or &amp;#8220;anonymously&amp;#8221; or &amp;#8220;with pseudonym XXX&amp;#8221; where that might be a unique pseudonym for the site in question.&lt;/p&gt;

&lt;p&gt;Now you could think of this as meaning &amp;#8220;Login as BradT, and then post the comment&amp;#8221; but in fact it would be all one action, one press.   In this case, if BradT is an account in a universal sign-on system, the site in question may never have seen that identity before, and won&amp;#8217;t, until you push the submit button.   While the site could remember you with a cookie (unless you block that) or based on your IP for the next short while (which you can&amp;#8217;t block) the reality is there is no need for it to do that.   All your actions on the site can be statelessly authenticated, with no change in your actions, but a bit of a change in what is displayed.  Your browser could enforce this, by converting all cookies to session cookies if AuthAct is in use.&lt;/p&gt;

&lt;p&gt;Note that the first time you use this method on a site, the box would say &amp;#8220;Choose identity&amp;#8221; and it would be necessary for you to click and get a menu of identities, even if you only have one.  This is because there are always tools that try to fake you out and make you press buttons without you knowing it, by taking control of the mouse or covering the buttons with graphics that skip out of the way &amp;#8212; there are many tricks.  The first handover of identity requires explicit action.  It is almost as big an event as creating an account, though not quite that significant.&lt;/p&gt;

&lt;p&gt;You could also view the action as, &amp;#8220;Use the account BradT, creating it if necessary, and under that name post the comment.&amp;#8221;   So a single posting would establish your ID and use it, as though the site doesn&amp;#8217;t require userids at all.&lt;/p&gt;
</description>
 <comments>http://ideas.4brad.com/authenticated-actions-alternative-login#comments</comments>
 <category domain="http://ideas.4brad.com/archives/cat_privacy.html">Privacy</category>
 <category domain="http://ideas.4brad.com/tags/openid">openid</category>
 <pubDate>Wed, 10 Jun 2009 16:58:56 -0700</pubDate>
 <dc:creator>brad</dc:creator>
 <guid isPermaLink="false">935 at http://ideas.4brad.com</guid>
</item>
</channel>
</rss>

