Yet another item for my wishlist
I have too many user IDs and passwords to remember—and I’m required to use too many different IDs and passwords over the course of just a single day. I desperately want a simplified way of gaining access to password-protected online and real-world venues. And I would like that method to be more secure than the present means of typing in my ID and password online, or using a variety of PINs at various cash registers.
Would someone please develop—and make ubiquitous (otherwise, what’s the point?)—a simplified, universal, and secure access key?
Such an access key might use fairly arcane technology, like retina matching—or it might be something as ordinary as fingerprint recognition. But whatever it is, it’s got to be simple, universal, and secure. Let’s call this Simplified, Universal, Secure Access Key a “SUSAK.”
The SUSAK of my dreams
Online, I would like to be able to do something as simple—and at the same time, as secure—as touching a little SUSAK pad on my keyboard to get into my accounts at stores, or at my bank, or at a publication for which I write a guest column. In the physical world, I’d also like to just touch a pad to login to my computer, or to perform secure, authenticated transactions at an ATM, or the grocery store, or any other place where security and identity validation are required or desired.
Does this present a problem for those who are disabled? Yes (and I am one such, partly disabled by multiple sclerosis). However, for many disabled individuals, other current technologies are equally problematic (e.g., typing on a keyboard, signing a credit-card receipt, and so forth). So for the purpose of this thought experiment, let’s just posit a non-disabled world and imagine a truly Simplified, Universal, Secure Access Key. Wouldn’t it make life a lot easier?
Let’s take this idea a little further, shall we? It would also be useful to combine a SUSAK with something like the technology developed by Clickshare, way back in ~1995, for “one-click shopping across the Web.” In a case like that, I would sign up one time as a member of a (consumer-oriented) Clickshare-like entity, and thenceforth, I would simply press the SUSAK pad just once per session—on any computer, anywhere—to securely validate my access everywhere. Voila: simple and secure purchasing, publishing, or any other transactions that require the assurance of my identity.
Setting aside for the moment the fact that I’m also waiting for some sort of “universal user interface” (UUI)—at least on computers, though a UUI in many other interfaces would be nice, too (think about cell phones!)—I really want to streamline my life with a SUSAK. If you’re working on one, please talk to me. I’d be happy to beta test any reputable effort!
*sigh* A wish list never seems to go away, does it? Every time one wish is fulfilled, three others pop up to take its place. But that’s a whole ‘nother topic, perhaps for another day . . .
I gather that the SUSAK is a physical something that I can carry around that will Automagically (Reg. Penna. Dept. Agr) get me into all my stuff. Interesting and clearly needed — but as described (understood by me) not good enough, imho. Such systems have to be based on “something you have and something you know.” I would fear total ruin if anyone were to abscond with my SUSAK because it would be the “open Sesame” to my entire world. For a better example, Security Dynamics Inc’s SecurID(tm) token is a step in this direction — but it only works on systems where its server is installed rather than generically. It contains a clock and a 10-digit keypad. Every N seconds the clock ticks and generates a reliably random M-digit number. The carrier waits till the number is “new” (there’s a countdown timer showing its longevity) and then (using the keypad on the card) types in his/her P-digit memorized token. The card somehow convolves the token with the displayed digit, which serves as the pwd to be used to enter the server-protected system. The card’s useless in the hands of someone who doesn’t know the memorized token, and anyone who scratches their token onto the card must be SHOT. Even with the token in mind, of course, it’s only good for those systems where the server lives.
The technology I’ve described is about 2 decades old, and I just saw that Deb’s VPN uses a SW equivalent to the card (her company just gave her a PC to work remotely). Anyhoo it’s a reasonable assumption that they’ve tried to universalize this thingie. WiFi would be a reasonable hookup methinks… for as long as WiFi lasts, thattiz.
Another roadblock to something universal is the plethora of imitators your SUSAK would spawn. Examples of this sort of non-universality are the different types of plastic credit cards and the thundering herd of pay-over-the-Internet guarantee companies. The back-end stuff to keep all this in synch is way beyond my ability to even describe. It’s gotta be patentable and two heads and three shoulders better than the competition. In short, sorry to say, but imho — Hell, meet Freezing Over.
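An added illustration of the “something you have and something you know” token described in the comment above (not part of the original post or comments, and not SecurID’s actual algorithm): this sketch substitutes an HMAC-SHA-256 construction in the style of TOTP, mixing the card’s seed, the current time step and the memorized PIN into one short-lived code. The step length, digit count, seed, PIN and the names `token_code` and `Server` are assumptions made for the example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the comment's "N"; value assumed for this sketch
CODE_DIGITS = 8    # the comment's "M"; value assumed


def token_code(seed: bytes, pin: str, now: float) -> str:
    """Code the card would show for the current time step and the typed PIN."""
    step = int(now // STEP_SECONDS)
    msg = struct.pack(">Q", step) + pin.encode()
    mac = hmac.new(seed, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in HOTP/TOTP
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class Server:
    """Holds the same seed and PIN as the card and checks submitted codes."""

    def __init__(self, seed: bytes, pin: str, drift_steps: int = 1):
        self.seed, self.pin, self.drift = seed, pin, drift_steps
        self.last_step = -1  # highest time step already accepted

    def verify(self, submitted: str, now: float) -> bool:
        current = int(now // STEP_SECONDS)
        for step in range(current - self.drift, current + self.drift + 1):
            if step <= self.last_step:
                continue  # this step's code was already used: reject replays
            expected = token_code(self.seed, self.pin, step * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    seed = b"constructed-demo-seed"  # constructed sample secret
    server = Server(seed, pin="4821")
    code = token_code(seed, "4821", now=1_000_000)
    print(server.verify(code, now=1_000_010))  # right card, right PIN
    print(server.verify(code, now=1_000_020))  # same code replayed
    stolen = token_code(seed, "0000", now=1_000_100)  # card without the PIN
    print(server.verify(stolen, now=1_000_100))
```

The server accepts a code only once and only within one step of clock drift, so a card holder who does not know the PIN, or an eavesdropper who captures a used code, fails verification.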
Hi, DrDan - and welcome aboard! Not long after I wrote that post, I wandered over to Slashdot, looking for something by Our Mutual Friend KAD. While there, I ran across a recent (08-03-14) discussion (posted, as it happens, by OMF) of fingerprint-recognition technology, as used in a USB stick. Those writers also had a generally negative view on the current state of it.
But I’ll just keep wishin’…
Still musing. To respond to your first assumption (that the SUSAK is something one carries around): No. Your fingerprint/retina/whatever is what you “carry around.” The sensor pad is just that: a pad at any cash register, keyboard, or any other place where one wants to perform a secure transaction—whether it’s buying groceries or (heh) adding an authenticated comment to someone’s blog.
But Yes, whatever-it-is, it must be server-based—else how would I be able to present my finger/eyeball/whatever to a sensor pad anywhere to gain access?
And yes, universality could be Hard: That’s one of the many reasons this is still on my wish list. Fingerprints can be forged in too many ways; retinas are better but (currently) present their own difficulties. A memorized token in a scheme such as you describe would probably be a better approach (but ohhhh the pain of memorizing a random letters-and-numerals token that would be long enough to allow one unique token for every human everywhere, now and into the foreseeable future—and to allow the assignment of newly-generated tokens whenever individuals’ tokens are stolen or hacked). And does that start sounding scarily like a global Citizen ID?
A technology like Clickshare’s is what would make access easy for online consumers: You would type in your token once (let’s say, at the beginning of a multi-store shopping spree, or a flamewar across several secure sites), and any online organization that subscribes to Clickshare would then automagically and securely approve your access. That’s the piece that any number of techno-companies would scramble to patent and make The Standard theirownselves, and that consumer-facing organizations would (eventually) scramble to subscribe to.
Still wishin’!