[cap-talk] struggling to learn what techniques supplant passwords
daw at cs.berkeley.edu
Wed Nov 2 00:46:42 PDT 2011

Dan Connolly wrote:
> But after reading pretty much all of the Walnut book, Robust Composition,
> the Joe-E papers, etc. the closest thing I found to any specific suggestion
> as to what techniques supplant passwords [....]

I'm a pragmatist. I believe you should use capabilities if they are
useful, and use other mechanisms where they are useful.

In this context, I see nothing wrong with a web service where users log in
using a username and password. Pragmatically, I suspect username+password
based authentication is probably going to be the best solution in your

Authentication on the web is a hard problem. There are tons of proposals
out there for authentication without passwords. Some are promising,
but they all have various tradeoffs. Capabilities folks don't have any
silver bullet here that cuts through the mess. In my opinion, the utility
from capabilities is more likely to be felt in other areas (e.g., in how
you structure the web app code for least privilege, in enabling mashups),
rather than in magically solving the web authentication problem.

Some uses of capabilities in web applications that I have seen
suggested or proposed:

- Some folks have proposed using webkeys (URLs that are capabilities) as a
way of enabling fine-grained mashups and delegation between web services.
However, this may or may not be relevant to your patient portal; you
may not have a need to support mashups or delegation. If you don't have
that problem, you don't need that solution.

- Some folks have proposed using webkeys as a login or authentication
mechanism. After creating an account, the system would give you a webkey
(a secret URL) that you can bookmark. Then to log in tomorrow, you
click on the bookmark. However, this model is not likely to be familiar
to your users, so it may have some usability issues. Also, it is not
readily portable across computers, for users who access the website from
multiple computers. In addition, it is new and unusual, so adopting it
is taking a bigger risk: if it turns out to be problematic, people will
blame you, whereas no one gets blamed for deploying username+password
based authentication. (These are challenges for many alternative
web authentication mechanisms; they are among the factors that keep
usernames+passwords popular on the web today.)

Bottom line: Capabilities don't supplant passwords, not really, at
least not in today's world.
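
The webkey login flow described in the message above, sketched as an added example that is not part of the original post: one secret URL is issued per device, only a hash of the secret is stored, and a single bookmark can be revoked without touching the others. The portal URL, the `#key=` fragment layout, the in-memory table and the function names are assumptions made for illustration.

```python
import hashlib
import secrets
from urllib.parse import urlsplit

BASE_URL = "https://portal.example/login"   # hypothetical service URL
_accounts_by_key_hash = {}                  # SHA-256(key) -> account id (stand-in for a DB table)


def _digest(key: str) -> str:
    # Store and look up only the hash, so a leaked table does not yield usable webkeys.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def _key_from_url(url: str):
    """Extract the secret from a webkey URL, or None if the URL has the wrong shape."""
    parts = urlsplit(url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != BASE_URL:
        return None
    name, _, key = parts.fragment.partition("=")
    return key if name == "key" and key else None


def issue_webkey(account_id: str) -> str:
    """Mint a secret URL for the account. Call once per device the user bookmarks from."""
    key = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    _accounts_by_key_hash[_digest(key)] = account_id
    # Assumption: the key sits in the fragment, which browsers keep out of the
    # request line and the Referer header; a page script would submit it.
    return f"{BASE_URL}#key={key}"


def resolve_webkey(url: str):
    """Return the account id the URL designates, or None if it is not a live webkey."""
    key = _key_from_url(url)
    return _accounts_by_key_hash.get(_digest(key)) if key else None


def revoke_webkey(url: str) -> bool:
    """Invalidate one webkey (for example a lost laptop's bookmark); others keep working."""
    key = _key_from_url(url)
    return bool(key) and _accounts_by_key_hash.pop(_digest(key), None) is not None
```
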