[lbo-talk] Internet accounts

Jordan Hayes jmhayes at j-o-r-d-a-n.com
Fri Mar 23 08:15:17 PDT 2012


Wojtek asks:


> Why do not they implement a solution that is similar to what
> most people use in their homes - a key.

There are two answers to this question; the first, a technical one, is that a key is no better than a password. You can rank authentication schemes in terms of how many of the various kinds of mechanisms are involved:

- Something you know (like a password)
- Something you have (like a key/card)
- Something you are (fingerprint, retinal scan)

A determined adversary can beat your authentication policy if you only use one of these; it's harder if you use two; hardest of all is if you use three. In the case of a physical key, I can beat you if I can replicate your key, or obviate the need for using your key. There's not a physical key made on the market today that would keep your home safe from a reasonably skilled lock-picker.


> Why not using, say, a USB memory stick with necessary encryption
> that stores all password and credentials and provides them to
> applications that need it?

The second answer is that these things are available, but the standardization that would have to occur isn't on anyone's TODO list. Think of how you hate all those different passwords; now think of all the different ways they try to get you to "log in" ... we're living in a world where "key hole" is not a standard feature. And it's getting worse: "keyless" car entry systems mean you no longer have a key. You might have a keypad now!

eBay and PayPal (and others) can provide a 2nd authentication level ("something you have" above), but again: it's not a standard way of doing things.

/jordan
