Google's Ben Laurie proposes using “functions of passwords” rather than plain passwords as a way to avoid phishing:
Kim Cameron writes about fixing OpenID’s phishing problems by using Cardspace. Certainly I agree that using strong authentication to the OpenID provider fixes the phishing problem – but if you have strong authentication, why bother to use OpenID at all? Why not strongly authenticate to the site you are really trying to log into, instead?
Of course, Cardspace is a pretty heavyweight solution for this, so perhaps that’s what Kim’s getting at? It also doesn’t work well if you have more than one machine – moving your credentials around is not something Cardspace does well.
In my view, there’s a sweeter spot for solving this problem than Cardspace (or OpenID, obviously) – and that is to do strong authentication based purely on a password. That way, you can use the same password everywhere, so no problem with moving between machines, but can still resist phishing attacks and don’t have to make yourself linkable across all sites. Obviously supporting this would be way easier than taking the whole of Cardspace on board, but would have all of the immediate advantages. Clearly it would get you nowhere with advanced identity management, but it’s not like we don’t already have protocols for that, and nor does there seem to be much demand for it yet.
I take it Ben is talking about having a toolbar that asks for your password, and transforms it based on the site's identity so you can use the same password everywhere. Perhaps he is even thinking about a digest protocol where this transformed password would be used to calculate a “proof” rather than transported over the wire.
Phished or Pharmed
The problem is that such a toolbar is as easily “pharmable” as OpenID is phishable.
How does a user know she is typing her password into the legitimate toolbar rather than into an “evil replica”? Our experience with toolbars teaches us that it is easy to trick a LOT of people into using fakes. In fact, sometimes the fakes have propagated faster than the real thing! Once people get used to typing passwords into a toolbar, you have truly opened Pandora's Box.
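To make the two scenarios concrete, here is an added example of the kind of per-site password derivation Ben seems to have in mind, with the digest-style "proof" step layered on top. It is my own illustration, not Ben's proposal and not any shipping toolbar's code: the derivation (HMAC-SHA256 keyed by the master password over the hostname the toolbar sees), the sample master password, the hostnames and the server nonce are all assumptions. A lookalike domain gets a value derived for the wrong hostname, so ordinary phishing yields nothing usable; but a server that answers for the genuine hostname (pharming) receives exactly what the real site would, and can even relay the real server's nonce to collect a valid proof. A fake toolbar, of course, simply captures the master password as typed.

```python
import hashlib
import hmac

# Added illustration; not Ben Laurie's algorithm and not a real toolbar's code.
# Assumed scheme: site_secret = HMAC-SHA256(key=master password, msg=hostname).

MASTER = "correct horse battery staple"   # constructed sample, not a real credential
REAL_SITE = "bank.example"                 # hostname the user means to log into
PHISH_SITE = "bank-example.com"            # lookalike domain under attacker control
SERVER_NONCE = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed challenge


def site_secret(master: str, hostname: str) -> bytes:
    """Per-site secret: one master password everywhere, bound only to the
    hostname the toolbar believes it is talking to (case-folded)."""
    return hmac.new(master.encode("utf-8"),
                    hostname.lower().encode("utf-8"),
                    hashlib.sha256).digest()


def site_password(master: str, hostname: str) -> str:
    """Printable form a toolbar would paste into the password field."""
    return site_secret(master, hostname).hex()[:20]


def make_proof(secret: bytes, nonce: bytes) -> bytes:
    """Digest-style step: prove knowledge of the site secret over a server
    nonce instead of sending the derived password across the wire."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def verify_proof(secret: bytes, nonce: bytes, proof: bytes) -> bool:
    """What the genuine server does with the proof it receives."""
    return hmac.compare_digest(make_proof(secret, nonce), proof)


def phishing_gets_usable_password(master=MASTER, real=REAL_SITE, phish=PHISH_SITE) -> bool:
    """Classic phishing: genuine toolbar, wrong hostname. The attacker captures
    a value derived for his own domain, which the real site will not accept."""
    captured = site_password(master, phish)
    return captured == site_password(master, real)


def pharming_gets_usable_password(master=MASTER, real=REAL_SITE) -> bool:
    """Pharming: DNS or the hosts file sends the real hostname to the attacker's
    server. The toolbar derives for the hostname it sees, which IS the real one,
    so the attacker captures exactly what the real site expects."""
    captured = site_password(master, real)          # value the pharmed server sees
    return captured == site_password(master, real)  # accepted by the real site


def pharming_relays_valid_proof(master=MASTER, real=REAL_SITE, nonce=SERVER_NONCE) -> bool:
    """Even with the proof variant, the pharmed server can fetch a nonce from the
    real server, hand it to the victim, and forward the victim's answer."""
    victim_proof = make_proof(site_secret(master, real), nonce)   # computed by the victim
    # The real server checks it against the secret it holds for this user.
    return verify_proof(site_secret(master, real), nonce, victim_proof)


def fake_toolbar_gets_master(master=MASTER) -> str:
    """Evil replica of the toolbar: no derivation at all. The master password is
    captured as typed and can be re-derived for every site the user visits."""
    return master


if __name__ == "__main__":
    print("phishing domain gets a usable password:", phishing_gets_usable_password())
    print("pharmed real hostname gets a usable password:", pharming_gets_usable_password())
    print("pharmed server can relay a valid proof:", pharming_relays_valid_proof())
    print("fake toolbar captures:", fake_toolbar_gets_master())
```

The only thing the derivation binds to is the hostname string; anything that lets an attacker stand behind the genuine hostname, or stand between the user and the genuine toolbar, gets the same credential the real site would.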
Let's look at what happens when the kind of “common password” Ben proposes is stolen. In fact, let's compare it to having money stolen.
If you go into a store and are short-changed, you just lose money in one store. If you are pickpocketed, you just lose what's in your wallet, and you can cancel your cards. But if your “common password” is intercepted, it is as though you have lost money in ALL the stores you have ever been in. And sadly, you will have lost a lot more than money.
The ultimate advantage of moving beyond passwords is that there is then NO WAY a user can inadvertently give her credentials away.
Is CardSpace too heavy-weight?
CardSpace should be a lighter-weight experience than it is today. We're working on that, making it less “in-your-face” while actually increasing its safety. I also agree with Ben that it needs to be easier to roam credentials. We're working on that too.
The point is, let's evolve CardSpace – and the interoperable software being developed by others – to whatever is needed to really solve the relevant privacy and security problems, rather than introducing more half-measures that won't be effective.
So why OpenID?
If that's all true, Ben wonders why we bother with OpenID at all…
The most important reason is that OpenID gives us common identifiers for public personas that we can use across multiple web sites – and a way to prove that we really own them.
That is huge. Gigantic. Compare it to the cacophony of “screen-names” we have today – screen-names in bondage, prisoners of each site.
Technology people are sometimes insulted when you imply they haven't solved the world's problems. But to be really important, OpenID doesn't have to solve the world's problems. It just has to do this one common-identifier thing really well. And it does. That's what I love about it.
CardSpace doesn't address the same problem. CardSpace plus OpenID solve it together.