Given his latest post, I guess I got the gist of Ben Laurie's proposal for using what I'll call “Single Passwords” rather than “Single Signon”:
“Kim Cameron, bless him, manages to interpret one of my most diabolical hungover bits of prose ever. I am totally with him on the problem of pharming, but the reality is that the average Cardspace user authenticated with nothing better than a password (when they logged into Windows).
Wow. I appreciate the blessing from Father Laurie, but this is kind of a “We're going to die one day, so who cares if we die tomorrow?” type of argument – surprising for a priest.
While it's true that pharming is a challenge for the operating system as well as the browser, let's not seriously equate the dangers of entering passwords into a browser (a malleable experience whose whole purpose is to be infinitely and easily modified by whoever serves the page) with those of entering a password when you log on to your PC (a highly controlled environment that permits no such modification and uses a secure desktop that ordinary applications cannot draw on). It's true that both involve passwords. But the equation is simplistic, best summed up as: “Tables have legs, people have legs, therefore tables are people.”
Anyway, I'm sympathetic to Ben's concerns about portability:
“Furthermore, if you are going to achieve portability of credentials, then you can either do it in dreamland, where all users carry around their oh-so-totally-secure bluetooth credential device, or you can do it in the real world, where credentials will be retrieved from an online store secured by a password.
I don't dismiss dreamland – isn't that what iPhones want to be? But we do need lightweight roaming. Using an online vault secured by a passphrase is a reasonable way to bootstrap a secret onto a machine.
But not the browser!
The rub is: once a user gets into the habit of typing this secret into the browser, she's ready to be tricked. I'll go further. If the vault one day accrues enough value, a browser-based system WILL fail the user – sooner or later.
Ben concludes:
“If you believe the Cardspace UI can protect people’s credentials, then surely it can protect a password?
“If it really can’t (that is, we cannot come up with UI that people will reliably identify and eschew all imitations), then how will we ever have a workable, scalable system that includes recovery of credentials after loss or destruction of their physical goods?”
There's food for thought here. Start to take advantage of the engineering in CardSpace, and you inherit significant protection against both phishing and pharming. So if Ben implements his “Single Password” this way, he could start to be reasonably confident that what gets released to a site is a “function of the password” (a derived secret or a proof computed from it), while the password itself stays guarded and is never typed into the browser.
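To make concrete what “releasing the function of the password, not the password” can mean, here is an added example. It is mine, not CardSpace's protocol and not Ben Laurie's design: a passphrase bootstraps a vault master secret through PBKDF2, every relying party gets its own derived key, and what crosses the wire is an HMAC over the site's fresh challenge. The site names, passphrase, salt and the challenge-response relying party are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed KDF parameters for the illustration; a real vault would tune
# and persist these alongside the encrypted store.
KDF_ITERATIONS = 200_000
KDF_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, not a real value


def bootstrap_master_secret(passphrase: str, salt: bytes = KDF_SALT) -> bytes:
    """Derive the vault's master secret from the passphrase.

    This is the only place the passphrase is ever used; no site sees it.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, KDF_ITERATIONS, dklen=32
    )


def site_key(master: bytes, site_id: str) -> bytes:
    """Per-relying-party key: a function of the master secret and the site identity.

    Different site identities give unrelated keys, so a key derived for a
    lookalike name is useless at the real site.
    """
    return hmac.new(master, b"site-key|" + site_id.encode("utf-8"), hashlib.sha256).digest()


def prove_possession(master: bytes, site_id: str, challenge: bytes) -> bytes:
    """What is actually released to the site: an HMAC of its challenge under the
    per-site key. The site verifies it with the key registered earlier; the
    passphrase cannot be recovered from it."""
    return hmac.new(site_key(master, site_id), challenge, hashlib.sha256).digest()


class RelyingParty:
    """Minimal constructed relying party doing challenge-response with a registered key."""

    def __init__(self, site_id: str) -> None:
        self.site_id = site_id
        self.registered_key = b""

    def register(self, key: bytes) -> None:
        self.registered_key = key

    def challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, challenge: bytes, proof: bytes) -> bool:
        expected = hmac.new(self.registered_key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def demo() -> dict:
    """Run the honest login plus the two failure modes the post worries about."""
    passphrase = "correct horse battery staple"  # constructed passphrase
    master = bootstrap_master_secret(passphrase)

    bank = RelyingParty("bank.example")  # constructed site name
    bank.register(site_key(master, bank.site_id))

    # 1. Honest login: fresh challenge, proof under the bank's key verifies.
    c1 = bank.challenge()
    proof1 = prove_possession(master, bank.site_id, c1)
    honest_login = bank.verify(c1, proof1)

    # 2. The user is lured to a lookalike. The agent derives a key for *that*
    #    name, which is not the key the real bank holds, so nothing usable leaks.
    lookalike_key = site_key(master, "bank-login.example")  # constructed lookalike
    lookalike_key_matches = hmac.compare_digest(lookalike_key, bank.registered_key)

    # 3. A proof captured during login 1 is replayed against a new challenge.
    replay_accepted = bank.verify(bank.challenge(), proof1)

    # 4. Neither the registered key nor the released proof contains the passphrase.
    passphrase_leaked = (
        passphrase.encode() in proof1 or passphrase.encode() in bank.registered_key
    )

    return {
        "honest_login": honest_login,
        "lookalike_key_matches": lookalike_key_matches,
        "replay_accepted": replay_accepted,
        "passphrase_leaked": passphrase_leaked,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The property worth noticing is in step 2: the per-site key is bound to the identity the agent verified, not to whatever the page in the browser claims to be, which is exactly the binding a browser text field cannot provide. The challenge in step 3 is what stops a captured proof from being reused; a static derived password would not have that protection.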