Pamela Dingle tells you to brace yourself: we are at the end of the era of general computing and at the beginning of an era of, well, something else (emphasis added):
I believe that what Apple releases next week will herald the end of broad adoption of general computing devices. The introduction of their tablet will begin in earnest a trend towards tightly integrated, tightly controlled sealed-hardware computer devices that allow the majority of the population to accomplish the most popular computing tasks without doing anything more than visiting the app store. Not as your “mobile” computing solution by the way — as your only computing solution.

Why wouldn’t the world move in this direction? Why shouldn’t your computer be as easy to use as your smartphone? Why fiddle with drivers and desktops and operating systems if all you ever do is surf the web and send email to your grandchildren? Even if you want more than the basics, why go through long and complicated application installs when you can just click a button?

This is the future, and those of us in industries like identity management had better stop and pause right now, because per-application passwords have no place in the world of the app store. They are difficult to type on a touchscreen, and inconvenient in exactly the way that the new push-button paradigm seeks to overcome. This could be the best thing — or the worst thing to happen to those of us working on protocols which replace password storage.

There is no doubt that passwords *will* be hidden from the user from now on. In the same way that nobody types a telephone number into their phone anymore (they just use Contacts), nobody will type a username or a password. Heck, they won’t even type the URL of the service. Details will be hidden, the pain taken away. We have a small window in time to affect the way in which that happens, before users forget what it was like to have to figure out which user name went with which password and which site...

But, you say – it’s just mobile. What really matters is the desktop. I say you’re wrong. I say that the ubiquity of the smartphone is coming to a desktop near you.

The end of the general computing era that Pamela postulates is one of two possible outcomes that Dan Geer explored in his essay in ACM a few years back called Playing For Keeps:

We digerati have given the world fast, free, open transmission to anyone from anyone, and we've handed them a general-purpose device with so many layers of complexity that there is no one who understands it all. Because “you're on your own” won't fly politically, something has to change. Since you don't have to block transmission in order to surveil it, and since general-purpose capabilities in computers are lost on the vast majority of those who use them, the beneficiaries of protection will likely consider surveillance and appliances to be an improvement over risk and complexity. From where they sit, this is true and normal.

While the readers of Queue may well appreciate that driving is much more real with a centrifugal advance and a stick shift, try and sell that to the mass market. The general-purpose computer must die or we must put everything under surveillance. Either option is ugly, but “all of the above” would be lights-out for people like me, people like you, people like us. We're playing for keeps now.

If you look at Dan's two possible outcomes, (a) surveillance or (b) Xbox-style non-general-purpose computing, there is a third outcome, which is both. We see from Pamela's post that some computing vendors appear to be moving aggressively towards option (b); my guess is that the recent Google-China events highlight that we'll also see other actors moving towards option (a). So there are major, different forces pushing towards each option. It's not so much a Geek-Spook showdown; it could be the worst of both worlds.
I can't help but think of a per-device type of authentication such as that used in DRM. Of course in DRM, it's the provider that's being protected. But there is also authentication. My device can read this eBook file but your device can't, for example. This is essentially used in the e-commerce side of the Kindle as well. We know it's me because it's my Kindle calling. This is the approach I would expect for this "new paradigm."
Of course, this is positive identification and privacy should be a big concern.
If an e-commerce site can have access to it, any site can. And if it all has to flow through a limited set of channels, then whoever owns those channels knows who exactly is doing what exactly.
You could limit the ability for a site to challenge, but this should lead to questions about net neutrality or an open web versus closed.
If we let some group decide what is a legitimate site that can challenge for this strong authentication, then established giants could start to bar entrance for their competition. Of course, a per-challenge fee could have the same effect.
So hooray, username and password are dead! Alas, privacy will be a huge problem!
Posted by: Slonob | January 25, 2010 at 02:03 PM
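As an added illustration of the privacy point raised in the comment above (this is constructed example code, not from the post or its commenters): a model of one device that identifies itself to two unrelated sites, first Kindle-style with a single device identifier, then with a per-site identifier derived from the device secret. It goes one step beyond the comment by showing that per-site identifiers stop two sites from correlating a device between them, but do not stop the channel owner, who holds every device secret and can still tell who is doing what. All secrets and site names are made up.

```python
import hashlib
import hmac

# Constructed sample values, not real device secrets or services.
DEVICE_SECRETS = {
    "device-1": b"constructed-secret-for-device-1",
    "device-2": b"constructed-secret-for-device-2",
}
SITES = ["ebookstore.example", "shop.example"]


def global_device_id(device_secret: bytes) -> str:
    """Kindle-style identity: the same value is shown to every site."""
    return hashlib.sha256(device_secret).hexdigest()[:16]


def pairwise_device_id(device_secret: bytes, site: str) -> str:
    """Per-site identity: HMAC over the site name, so two sites see unrelated values."""
    return hmac.new(device_secret, site.encode(), "sha256").hexdigest()[:16]


def ids_shown_to_sites(device_secret: bytes, pairwise: bool) -> dict:
    """What each site receives from one device under the chosen scheme."""
    return {
        site: pairwise_device_id(device_secret, site) if pairwise else global_device_id(device_secret)
        for site in SITES
    }


def sites_can_correlate(shown: dict) -> bool:
    """Two sites pooling their records link the visits if the identifier repeats."""
    return len(set(shown.values())) < len(shown)


def channel_owner_attribution(shown: dict) -> dict:
    """The channel owner holds every device secret, so it can recompute each
    identifier (global or per-site) and name the device behind every visit."""
    result = {}
    for site, presented in shown.items():
        for name, secret in DEVICE_SECRETS.items():
            if presented in (global_device_id(secret), pairwise_device_id(secret, site)):
                result[site] = name
    return result
```

Per-site identifiers fix the site-to-site linkage the comment worries about; the remaining linkage by whoever owns the channel is exactly the "knows who exactly is doing what exactly" problem and is not solved by the derivation alone.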