[cap-talk] Webkeys vs. the web

Chip Morningstar chip at fudco.com
Mon Mar 23 14:37:23 EDT 2009

"Stiegler, Marc D" <marc.d.stiegler at hp.com> wrote:

>But for today, we still need another mechanism for the rare remote access --
>but since it is rare, I would tolerate a tiny amount of hassle as long as
>it wasn't too weird.

Actually, the rare remote access is not so much the use case I'm concerned
about.  It's the privilege escalation that takes place when moving from a
public context to a private context, which happens a *lot*.

>In this case, suppose we take a page from the "Forgot your password?"
>folks. Have a public memorable page into which you simply type your email
>address, and the system sends an appropriate webkey to that email. Then you
>log into your email account using the email system signon-password, and click
>the link in the new message. This way, you are not adding yet another !@#$
>password to the poor user's woes.
>To me, this seems not a hassle. Particularly if the user interface were
>streamlined to make it clear that this was a perfectly fine, natural, normal
>way of operating (as opposed to the "forgot your password" negotiation, which
>always makes you feel like a fool for having forgotten the random string that
>the computer should have remembered for you in the first place). Indeed, it
>seems much better than not a hassle -- it takes the way people normally work
>and embraces it (I have stopped keeping lists of passwords for places I go to
>only rarely and so can never remember the name -- instead, I always just hit
>"forgot my password").

Perhaps we are looking at different problem definitions here, but I see a huge,
gigantic hassle.  In essence it's having to go through the "forgot my password"
email cycle every time I want to click on the link that says "edit this page".
No way is that going to fly.


