Keys, Locks & Cheap-Ass USB Drives : A Path To Internet Identity Salvation?

Last week I whined on about how OpenID is a great invention that most people aren’t going to get their heads around. I asserted that the big problem was that unlike inventions like email, people don’t have a familiar metaphor to work against. The label of "curmudgeon" has been leveled against me in the past. So in the spirit of constructive dialogue, I’m going to humbly put forth an approach to make centralized identity a little bit easier on the Internet.

Let’s See, What Do We Have In The Metaphor Box…

800px-Keys Looking around us, there are a few things we carry around that help us function on the actual (not virtual) world. A driver’s license. Some credit cards. A bank card. A passport. Our house keys. Our car keys. All of these have a bit of our identity implicit in them. They help you get into places nobody else is supposed to get into: your house. Your bank account. Your car.

People are comfortable with walking around with something that helps them get to their stuff and stops others from getting to their stuff. The lock & key metaphor is a powerful and pervasive one.

Now If We Only Had The Internet’s Version Of A Lock & Key…

31FVaSa-aAL._AA280_What you need is a way to easily walk up to any computer and identify yourself quickly and easily. No logins. No nothing. We need a simple easy way to identify ourselves. At ATM machines we just swipe a card. When we get home we just insert a key and turn. Why not for computers and the Internet? What would it require? To start, it would require a  key and lock be build into every machine. Well it turns out we do and it’s called USB. Let’s walk through an imaginary use case:

  1. Jane heads over to her friend Sally’s house to hang out for awhile.
  2. She kindly asks Sally to user her PC to check her mail and see what’s going on at Facebook.
  3. Jane takes out her USB key dangling off her key chain and plugs it into Sally’s computer.
  4. Immediately, Jane is asked to put in her password just once.
  5. As soon as Jane puts in her password, the status bar in Internet Explorer identifies Jane as the current user.
  6. Everywhere Jane goes on the Internet, the various applications know its her. Even when she signs up to new destinations, her data is ready to go.
  7. Once Jane is done, she yanks out her USB key. As soon as she does so, she’s immediately no longer logged in anywhere.

91d0161a-f8aa-4c38-93c7-84a90c838c2c_300That’s it. It’s pretty simple…and I actually think my mom can get it. No offense to mom, but she’s a great measuring stick here. USB drives are damn cheap and every desktop and laptop on earth has the "keyholes" to receive all the keys out there. No more signing onto comment threads in blogs. No more hassles with 35 accounts we have floating around. It’s the promise of unified authentication packaged in a way that actually makes sense to the masses.

I’m not going to get into implementation in this post. I’m sure the technologists can get their wheels spinning pretty quickly around an approach like this. The browser (or desktop) would obviously need to be smarter (Firefox plugin?). And OpenID? This can all still happen with OpenID. In fact, that little USB drive could carry a mini OpenID server just for you…or link up to one in the cloud.

Now where the hell did I leave my keys…

6 Comments Keys, Locks & Cheap-Ass USB Drives : A Path To Internet Identity Salvation?

  1. John Elliott

    Richard,
    I would like to think that children of the future will stand aghast when we describe the internet before ID standardization/unification. The current paradigm is so engrained into our gray matter that it’s almost difficult to imagine something as turn-key (haha) as is you described above.
    Cell phones are an example of a technology that has spring up (relatively) quickly that allows us to boldly charge through our day, changing our plans and gathering information at the last second. It’s very liberating and allows for the blistering pace of modern life which. Sometimes I wish we could go back.
    In the same way, I share your optimism about what OpenID could do for the web, it’s even hard to get my head around the potential benefit even with the physical key concept in mind.

    Reply
  2. Ryan M

    I love the idea and the introduction of a familiar analogy.
    However, at first glance there seems to be a glaring flaw. If I lose my house key and a person of ill repute finds it, they will have to figure out where the heck my house is before they can steal anything from me. It’s just not worth going from house to house and hoping they win the jackpot. On the other hand, if I lose my “id key” (USB drive), my “house” is anywhere a USB port exists. Granted, your idea includes a master password, but passwords are hackable.
    Perhaps I’m missing something?

    Reply
  3. Richard Ziade

    I’m not a security expert by any means, but I believe there are ways to store passwords in a state that is unhackable…I think.
    Anyone knowledgeable in hashing passwords wanna chime in?

    Reply
  4. Chris D

    A hash isn’t what you’d want here, what you’d probably want it some serious encryption.
    The first thing that comes to mind is something like TrueCrypt ( http://en.wikipedia.org/wiki/TrueCrypt ), which can encrypt a filesystem (I.E. the USB key) nicely and securely, and where there can be conceivably multiple passwords. It can use a variety of different strong encryption methods (AES, Twofish and Serpent).
    I guess the main issue Ryan is bringing up is the ‘passwords are guessable’ one. We could impose requirements that make it too difficult for todays computers to crack, or we could (for ‘enhanced’ versions) provide some thumb print authentication directly on the USB stick.
    Either way I think the thing to take away is that this solution would still be more secure than today’s solution of just having guessable passwords.

    Reply
  5. Martin Belam

    I pretty much do what Jane does already. I have to work in Internet Cafes a lot, since I am bandwidth compromised at home, and I have a USB key with portable versions of Firefox, GIMP, Notepad++, WinSCP and Putty on it. Any machine I plug it into, by running those versions I access a profile local to the USB, so am logged in where necessary, and have my own home office set-up on the move.

    Reply
  6. Robert Robles

    Ok instead of encrypting with a password put a fingerprint swiper on the drive.
    No need to remember the password and no way to hack the password if its never there.
    And if you lose it you could always report it missing and your account gets shut down just like credit cards and phones.
    Or instead of having to carry it around you can make an embeded microchip and it works off of proximity to the computers so it will “know” that its you.
    Then you can impliment the password theme there.
    So you have to be there then enter your password or however it may be done.

    Reply

Leave a Reply to Chris D Cancel reply

Your email address will not be published. Required fields are marked *