nanog mailing list archives

Re: How to fix authentication (was LinkedIn)


From: Alexander Harrowell <a.harrowell () gmail com>
Date: Thu, 21 Jun 2012 13:23:50 +0100

On Thursday 21 Jun 2012 04:16:22 Aaron C. de Bruyn wrote:
On Wed, Jun 20, 2012 at 4:26 PM, Jay Ashworth <jra () baylink com> wrote:
----- Original Message -----
From: "Leo Bicknell" <bicknell () ufp org>
Yes, but you're securing the account to the *client PC* there, not to the human being; making that Portable Enough for people who use and borrow multiple machines is nontrivial.

Or a wizard in your browser/OS/whatever could prompt you to put in a
'special' USB key and write the identity data there, making it
portable.  Or like my ssh keys, I have one on my home computer, one on
my work computer, one on my USB drive, etc...  If I lose my USB key, I
can revoke the SSH key and still have access from my home computer.

And I'm sure someone would come up with the 'solution' where they store the keys for you, but only you have the passphrase... a la LastPass.

-A


As far as apps go, loads of them use OAuth and have a browser step in their setup.


So this adds precisely one step to the smartphone sync/activation process - downloading the key pair from your PC (or if you don't have a PC, generating one).


That covers vendor A and most vendor G devices. "What about the feature phones?" - not an issue, no apps to speak of, noOp(). "What about [person we want to be superior to who is always female for some reason]?" - well, they all seem to have iPhones now, so *somebody's* obviously handholding them through the activation procedure.


Obviously vendor A would be tempted to "sync this to iCloud"... but anyway, I repeat the call for a W3C password manager API. SSH would be better, but a lot of the intents, actions, etc. are the same.

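The per-device key and revocation model Aaron describes (one account, several device keys, revoke the lost one and keep using the rest), as an added example that is not part of the thread: a Python sketch in which an account enrols a home PC and a USB key, the USB key is reported lost and revoked, and the home PC still authenticates while a replayed answer does not. A random per-device secret with an HMAC challenge-response stands in for an SSH key pair so the example runs on the standard library alone (an assumption, not how SSH works); the account-side bookkeeping is the same with real signatures.

```python
import hashlib
import hmac
import secrets


class DeviceKeyRegistry:
    """One account, many per-device keys; any one key can be revoked
    without touching the others (the SSH-key property from the thread)."""

    def __init__(self):
        self.keys = {}        # device name -> per-device secret (stand-in for a key pair)
        self.revoked = set()  # device names whose key no longer authenticates
        self.challenges = {}  # device name -> outstanding one-time nonce

    def enrol(self, device):
        # Constructed: a random 32-byte secret plays the role of the device's key.
        self.keys[device] = secrets.token_bytes(32)
        return self.keys[device]

    def revoke(self, device):
        # Revoking drops any outstanding challenge too, so a half-finished
        # login from the lost device cannot complete.
        self.revoked.add(device)
        self.challenges.pop(device, None)

    def issue_challenge(self, device):
        if device not in self.keys or device in self.revoked:
            return None
        nonce = secrets.token_bytes(16)
        self.challenges[device] = nonce
        return nonce

    def verify(self, device, response):
        nonce = self.challenges.pop(device, None)  # single use: no replay
        if nonce is None or device in self.revoked:
            return False
        expected = hmac.new(self.keys[device], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_answer(secret, nonce):
    """What the device computes from its own key and the server's nonce."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo():
    reg = DeviceKeyRegistry()
    home, usb = reg.enrol("home-pc"), reg.enrol("usb-key")
    n = reg.issue_challenge("usb-key")
    usb_ok = reg.verify("usb-key", client_answer(usb, n))      # USB key works today
    reg.revoke("usb-key")                                       # USB key is lost
    usb_after = reg.issue_challenge("usb-key") is None          # and now refused
    n2 = reg.issue_challenge("home-pc")
    home_ok = reg.verify("home-pc", client_answer(home, n2))   # home PC unaffected
    replay = reg.verify("home-pc", client_answer(home, n2))    # nonce already consumed
    return usb_ok, usb_after, home_ok, replay
```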