[cap-talk] Webkeys vs. the web
Stiegler, Marc D
marc.d.stiegler at hp.com
Mon Mar 23 14:08:43 EDT 2009
> The challenge is how to get from a page with a publicly known
> URL to a page with an unguessable URL without forcing the
> user to engage in strange and unfamiliar actions. In an
> ideal world where people already understood the threats and
> the appropriate countermeasures, a mandatory bookmark would
> not seem strange, but that's not the world we are dealing with.
Just tossing out a different idea for folks to reject, let me guess at a characterisation of a typical user and see if we can build something a little better but reasonably comfortable for him.
Characterisation: Looking at my own behavior, I am almost always accessing my services from one of a tiny number of computers that could easily have the bookmarks on board. But once in a long while I want to use a service from someone else's computer in a far away place. Now, in a world where webkeys were common, I might carry all the webkeys on a thumb drive -- and indeed, a sensible user interface would, I submit, encourage the user, as part of the setup process, to Save Bookmark To Flash Drive (or Save Bookmark To Cell Phone, which would produce a text message to the phone number of the user's choice), in which case I might even be reliable about it now :-)
But for today, we still need another mechanism for the rare remote access -- but since it is rare, I would tolerate a tiny amount of hassle as long as it wasn't too weird.
In this case, suppose we take a page from the "Forgot your password?" folks. Have a public memorable page into which you simply type your email address, and the system sends an appropriate webkey to that email. Then you log into your email account using the email system signon-password, and click the link in the new message. This way, you are not adding yet another !@#$ password to the poor user's woes.
To me, this seems not a hassle. Particularly if the user interface were streamlined to make it clear that this was a perfectly fine, natural, normal way of operating (as opposed to the "forgot your password" negotiation, which always makes you feel like a fool for having forgotten the random string that the computer should have remembered for you in the first place). Indeed, it seems much better than not a hassle -- it takes the way people normally work and embraces it (I have stopped keeping lists of passwords for places I go to only rarely and so can never remember the name -- instead, I always just hit "forgot my password").
As a system designer, an interesting question to me is, should the webkey sent in the email be the original, raw, full-power webkey, or should it be a membrane? The security guy in me says "membrane", but the cooperation guy in me says "raw": if it is a membrane, then if you share an attenuated authority with someone from this remote session, everyone may be surprised that it is not persistent. But it gives you some protection from the remote computer, in which you may have limited trust. You could, of course, give the user a choice of membrane or raw in the "send to email" page, but that is probably over the top on expecting users to understand their choices. Perhaps the answer is to default to raw (no surprises), and allow users with security concerns to specify membraned in a preferences page (such a preference page should not, incidentally, be accessible via the membrane :-).
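As an added illustration, not code from this post or from the cap-talk list, the following Python sketch models the flow described above: an unguessable webkey per account, a public "send me my webkey" page that mails either the raw key or a membrane according to a preference, a membrane that can be cut when the remote session is over, and a preferences page that refuses to be reached through a membrane. The hostname, the email address and the in-memory "outbox" standing in for the mail system are constructed placeholders, and "membrane" is simplified here to a revocable forwarding token (a real object-capability membrane wraps every object reachable through it, not just one URL).

```python
import secrets


class WebkeyService:
    """Toy capability-URL ("webkey") service; an illustration, not the list's code."""

    def __init__(self, base_url="https://example.invalid/"):  # placeholder host
        self.base_url = base_url
        self.accounts = {}    # email -> account record
        self.raw_keys = {}    # raw token -> account (full-power authority)
        self.membranes = {}   # membrane token -> underlying token, None once revoked
        self.outbox = []      # constructed stand-in for outgoing email: (address, url)

    def _new_token(self):
        return secrets.token_urlsafe(32)  # 256 random bits: unguessable, unlike a public URL

    def _token(self, url):
        return url[len(self.base_url):]

    def create_account(self, email):
        account = {"email": email, "remote_mode": "raw"}  # post's suggested default
        self.accounts[email] = account
        token = self._new_token()
        self.raw_keys[token] = account
        return self.base_url + token

    def _resolve(self, token, depth=0):
        """Follow membrane links down to the raw key. Returns (account, via_membrane)."""
        if token in self.raw_keys:
            return self.raw_keys[token], depth > 0
        inner = self.membranes.get(token)
        if inner is None:                 # unknown token, or a membrane that was cut
            return None, depth > 0
        return self._resolve(inner, depth + 1)

    def request_remote_access(self, email):
        """The public 'type your email address' page from the post."""
        account = self.accounts.get(email)
        if account is None:
            return  # stay silent so the public page does not reveal which addresses exist
        raw = next(t for t, a in self.raw_keys.items() if a is account)
        if account["remote_mode"] == "membrane":
            token = self._new_token()
            self.membranes[token] = raw    # membrane: forwards to raw, revocable later
        else:
            token = raw                    # raw: no surprises, but no protection either
        self.outbox.append((email, self.base_url + token))

    def access(self, url):
        account, _ = self._resolve(self._token(url))
        return None if account is None else account["email"]

    def share(self, url):
        """Hand an authority to someone else from the current session.
        Anything shared through a membrane depends on that membrane staying open."""
        token = self._token(url)
        if self._resolve(token)[0] is None:
            raise PermissionError("invalid webkey")
        child = self._new_token()
        self.membranes[child] = token
        return self.base_url + child

    def revoke(self, url):
        """Cut a membrane, e.g. when the session on the untrusted computer ends."""
        token = self._token(url)
        if token not in self.membranes:
            raise PermissionError("only membranes can be cut")
        self.membranes[token] = None

    def set_remote_mode(self, url, mode):
        """Preferences page: reachable only through the raw key, never via a membrane."""
        account, via_membrane = self._resolve(self._token(url))
        if account is None or via_membrane:
            raise PermissionError("preferences require the raw webkey")
        if mode not in ("raw", "membrane"):
            raise ValueError(mode)
        account["remote_mode"] = mode


def demo():
    """Walk through both modes; returns a dict of named outcomes."""
    svc = WebkeyService()
    email = "alice@example.invalid"                 # constructed address
    raw_url = svc.create_account(email)
    svc.request_remote_access(email)                # default mode mails the raw key
    results = {"default_mails_raw": svc.outbox[-1][1] == raw_url}
    svc.set_remote_mode(raw_url, "membrane")        # security-minded user opts in
    svc.request_remote_access(email)
    membrane_url = svc.outbox[-1][1]
    results["membrane_is_distinct"] = membrane_url != raw_url
    results["membrane_grants_access"] = svc.access(membrane_url) == email
    shared = svc.share(membrane_url)                # share something from the remote session
    results["share_works_while_open"] = svc.access(shared) == email
    try:
        svc.set_remote_mode(membrane_url, "raw")
        results["prefs_blocked_via_membrane"] = False
    except PermissionError:
        results["prefs_blocked_via_membrane"] = True
    svc.revoke(membrane_url)                        # remote session over: cut the membrane
    results["membrane_dead"] = svc.access(membrane_url) is None
    results["share_dies_with_membrane"] = svc.access(shared) is None  # the surprise the post warns of
    results["raw_still_works"] = svc.access(raw_url) == email
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `share_dies_with_membrane` outcome is the cooperation cost the post describes: an authority handed out through the membrane stops working when the membrane is cut, whereas one shared from the raw key keeps working until it is revoked on purpose. The silent return in `request_remote_access` is one detail the post does not spell out but a "forgot your password" style page needs anyway, so that the public page cannot be used to enumerate addresses.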