[Cryptography] On mobile passwordless logins and established technologies

Lodewijk andré de la porte l at odewijk.nl
Tue Mar 25 21:27:48 EDT 2014

I'm just waiting for the deterministic secret. That way I can regenerate my
secret at any time, anywhere!

This exposes a fundamental useability thingy. People like to carry their
identity in their brains. It gives me the jeepers thinking I'd forget my
password, but theft worries me at least as much. If I lose my brain you can
pretty much shoot me (or I'll become a rockstar or something), if I lose my
phone I just buy a new one (how terribly first world of me).

Also having the same certificate is not ideal.

Having a bluetooth like pairing thingy where you keep on pairing your new
device with old ones could generate a little network of trust. You could
extend this to a government override, as the government still has the final
say on who's who. If you feel icky yet, that's because you realized how
easy it is for crypto to be defiled by real world situations. Anyway, your
"base certificate" could be deterministic, and never stored anywhere.

That way what's in your brain is the root certificate. All the rest is just
a paired device. Paired to the crypto in your brain.

A blockchainish approach would be required to definitely unlicense a
certain device. In fact namecoin is an ideal candidate for registering and
deauthorizing such public identities. Then a police report could
effectively de-auth and that would solve the problem when someone forgot
his deterministic source key (dummy!).

Alternatively an implanted chip or even just a portable digipassport-device
could be distributed by a company. Even better would be a chorus of
companies with a shamir's secret sharing like arangement, but let's not get
into policies before the tech is laid out!

To bootstrap this mechanism a LastPass like software (company) will bridge
the situation until it becomes commonplace to have fancy-pants-no-password
authentication. Maybe a little pincode would unlock the device for high-sec
thingies and every week or so (also to help the memory ;).

Once the policies are worked out (whatever they might become) this will
beat the password once and forever. Devices will be auth tokens, disabling
them will be like disabling a credit card.

Measure must be implemented to prevent central control over identity itself.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140326/796f6029/attachment.html>

More information about the cryptography mailing list