[Cryptography] On the deployment of client-side certs

Jerry Leichter leichter at lrw.com
Tue Nov 15 18:10:16 EST 2016

> I've been a big fan of FIDO for the past two years and I've really wanted to support U2F tokens specifically for the real-world analogy to keys, but I don't think it's really practical for everyone to buy a U2F token. I would love to see everyone using hardware tokens this way, but I just don't see it happening.
> That said, another FIDO standard, UAF, should enable smartphones to work as cryptographic authentication tokens. I think this approach is much more practical.

The issue is entirely one of UI and interaction design.  No one has come up with a compelling presentation for a hardware authentication device - one that most people will find to have a usefulness/inconvenience ratio that's high enough to justify using it all the time.

Using a smartphone piggy-backs on the value of the smartphone, which is high enough to get hundreds of millions of people to carry it along.  But that's just the hardware.  What's the interaction model to use the phone as an authentication/authorization device?  Contrast the steps needed to use Apple Pay with the steps needed to use some of the attempted competition.  That's why Apple Pay is leading.  This is exactly one of Apple's greatest strengths:  Designing user interaction models that people find so simple to learn and use that they don't even think about them - they just fit them into their daily lives.  No one does that better than Apple - but even so Apple Pay has a long way to go to reach universality.

Are watches, in some form, a better alternative?  Rings?  Something entirely different that no one has even built yet?  If future interfaces are heavy on Augmented Reality ... where/how should authentication devices fit in?

Ten years from now, we'll look back at all of today's solutions and marvel at how primitive and clunky they all appear....
