Machine-Centric Identity
18 May 2009

Users do not authenticate themselves to web applications. Users pass their password to their workstation (or any terminal device), which passes it to the browser, which in turn passes it to the web application. The application does not interact with the user; it interacts with browser software installed on a machine that is (maybe) used by a human being. I described that long ago in a persona model. Now Fulup Ar Foll mentions a similar thing in this quite interesting interview. That's good. At least one more person is having the same idea. Maybe we are getting somewhere.
You may ask what the difference is: authenticating the user, or the user's computer, or whatever? The user cannot be sure that his computer or mobile device is operating as expected. And let's admit that many people have no idea what that damned machine is doing. It is easy to make a mistake and send your password to the wrong site (phishing). It is difficult to defend against viruses, and we are damned lucky that the vast majority of viruses are pretty harmless things. A computer or mobile device can be stolen, and your persona may be stolen along with it. Just admit it: the device you are using to interact with cyberspace is simply not secure.
More and more important services are going on-line. They assume that the entity providing the credentials is really a human. But that may not be the case. It is much safer to think in terms of a "digital persona" than a "living person" when designing authentication systems.
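As an added illustration of designing authentication around a persona rather than a person (this is example code written for this page, not code from the original post or from any product mentioned in it): a hypothetical server that authenticates the pair (user, enrolled device). It checks a salted password hash and an HMAC challenge that only a per-device secret can answer, so the thing it returns is a Persona, never a "person". The class names, the enrolment step, and the sample credentials are assumptions made for the example.

```python
"""Persona-based authentication: the server verifies (user, device),
not a human. Added illustration; not code from the original post."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Persona:
    """What the server has actually verified: a user name presented from an
    enrolled device. Nothing here proves a living person is present."""
    user: str
    device_id: str


def device_proof(secret: bytes, user: str, nonce: bytes) -> bytes:
    """Client side: the device (not the user) answers the server's challenge."""
    return hmac.new(secret, user.encode() + nonce, hashlib.sha256).digest()


class PersonaAuthenticator:
    """Hypothetical server side (assumed design, not a real product). Stores
    salted password hashes and one secret per enrolled (user, device) pair."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}       # user -> (salt, hash)
        self._devices: Dict[Tuple[str, str], bytes] = {}      # (user, device) -> secret

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))

    def enroll_device(self, user: str, device_id: str) -> bytes:
        """Enrolment happens once, out of band; the returned secret lives on
        the device, never in the user's head, so a phished password cannot
        reproduce it."""
        secret = secrets.token_bytes(32)
        self._devices[(user, device_id)] = secret
        return secret

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def authenticate(self, user: str, password: str, device_id: str,
                     nonce: bytes, proof: bytes) -> Optional[Persona]:
        rec = self._users.get(user)
        if rec is None:
            return None
        salt, expected = rec
        if not hmac.compare_digest(self._hash(password, salt), expected):
            return None
        secret = self._devices.get((user, device_id))
        if secret is None:
            return None  # password alone from an unknown machine: no persona
        if not hmac.compare_digest(device_proof(secret, user, nonce), proof):
            return None
        return Persona(user, device_id)


def demo() -> Tuple[bool, bool, bool]:
    """Three constructed scenarios; returns (laptop_ok, phisher_ok, thief_ok)."""
    srv = PersonaAuthenticator()
    pw = "correct horse battery staple"          # constructed sample credential
    srv.register_user("alice", pw)
    laptop_secret = srv.enroll_device("alice", "laptop-01")

    # 1. Alice's browser on her enrolled laptop: the persona is known.
    n = srv.challenge()
    laptop_ok = srv.authenticate("alice", pw, "laptop-01", n,
                                 device_proof(laptop_secret, "alice", n)) is not None

    # 2. Phished password replayed from an attacker's machine: that device
    #    was never enrolled, so the server sees no persona it knows.
    n = srv.challenge()
    phisher_ok = srv.authenticate("alice", pw, "attacker-box", n,
                                  device_proof(b"guess", "alice", n)) is not None

    # 3. Stolen laptop plus the password: the persona itself is stolen and,
    #    as the post says, the server cannot tell the difference.
    n = srv.challenge()
    thief_ok = srv.authenticate("alice", pw, "laptop-01", n,
                                device_proof(laptop_secret, "alice", n)) is not None
    return laptop_ok, phisher_ok, thief_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The third scenario is the one the post warns about: binding the credential to the device narrows what a phished password buys, but the server still only ever authenticates a persona, and a persona can be stolen whole.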
And that also means that the entire field that proudly calls itself "user-centric identity" is in fact a bunch of machine-centric solutions.