[cap-talk] Webkeys vs. the web

David Wagner daw at cs.berkeley.edu
Mon Mar 23 16:05:26 EDT 2009

Marc Stiegler wrote:
> Characterisation: Looking at my own behavior, I am almost always
> accessing my services from one of a tiny number of computers that could
> easily have the bookmarks on board. But once in a long while I want to
> use a service from someone else's computer in a far away place. Now, in
> a world where webkeys were common, I might carry all the webkeys on a
> thumb drive -- and indeed, a sensible user interface would, I submit,
> encourage the user, as part of the setup process, to Save Bookmark To
> Flash Drive (or Save Bookmark To Cell Phone, which would produce a text
> message to the phone number of the user's choice), in which case I might
> even be reliable about it now :-)

This is interesting.  Let's set aside the case of travel
for the moment, and think about the case where I have a tiny
number of computers that I use.

One question is how my computers synchronize bookmarks amongst
themselves.  Another is whether this requires special software
installed on my computers.  I believe that any solution that requires
users to install software on their computers is basically a
non-starter.  (Web sites that tell their users "you must install
this special plug-in to use our site" are going to die a quick
death.)  Also anything that requires users to manually synchronize
their bookmarks sounds like a usability problem.

So maybe one solution is, rather than using the browser's bookmark
storage, use remote "bookmark" storage.  This requires selecting a
trusted web site that is trusted to store all of the user's bookmarks.
The user could log onto this web site (following any number of
standard approaches), then gets to a page where her bookmarks are
stored.  This would eliminate the synchronization problem, without
special software.  It would also allow users to access their bookmarks
while travelling or on an unfamiliar machine.

It does seem like it might make it noticeably harder to add
a bookmark to the page, though.  And it requires extraordinary trust
in that trusted web site.  So maybe it's not very realistic.

I do like some of these schemes (those using a cellphone sound
especially appealing) though getting there from here sounds a bit
challenging.  But maybe I'm being too pessimistic?

> In this case, suppose we take a page from the "Forgot your password?"
> folks. Have a public memorable page into which you simply type your
> email address, and the system sends an appropriate webkey to that email.
> Then you log into your email account using the email system
> signon-password, and click the link in the new message. This way, you
> are not adding yet another !@#$ password to the poor user's woes.

One of my students, Chris Karlof, recently completed his PhD dissertation,
where he looked at using this kind of thing for web authentication.
In his scheme, when the user tries to log on from a new machine, the
system emails the user a special one-use link; when the user receives
that email and clicks on that link, the server returns a a persistent
HTTPS cookie (so clicking on the link causes a persistent, secure cookie
to be installed on the user's browser).  This cookie will then be sent to
the site every subsequent time that the user visits the site from that
browser/machine.  He did some extensive user studies which suggest that
the mechanism is usable by users, and that it provides better resistance
to phishing and other social engineering attacks than passwords and
challenge questions (but is not immune to social engineering).

However his scheme uses persistent cookies for authentication, so it
doesn't fall into the capability/webkey framework, and it has all the
standard tradeoffs with using cookies for authentication.

More information about the cap-talk mailing list