Passwordless and Accountless Computing
As I’ve dealt with changing several dozen passwords over the past week, I’ve been thinking about how the username/password and account paradigm could be improved. I’m in no way whatsoever a security expert, so maybe these things are already in the works or, even more likely, maybe there are reasons why they wouldn’t work, but here’s what I’ve come up with.
Most of us carry phones with us everywhere we go. We also use the same one or two computers every day, and maybe an iPad or something, too. We’ll just call them all “computing devices” for simplicity. So, instead of creating an account for every service you use and having a username/password for each one, what if your computing device managed your identity for you? Here’s the workflow:
- I unlock my computing device with a password and maybe a fingerprint (or DNA scan or facial recognition or whatever factor we have in the future).
That’s it. I go to some webpages and use them normally, but I never have to log in. My computing device has a certificate that identifies me to the service. (And there’s an easy way to go anonymous or have multiple identities as desired.)
My computing device knows basic information about me that I’ve set up ahead of time: my name, mailing address, payment info, etc. A service never needs to store these things. It just asks my device for them when needed, and I can revoke a service’s access to particular information on my own system whenever desired in a similar manner to how I can grant or deny an application access to my contacts or photos in iOS now.
This system of course wouldn’t work if I let someone else use my computer, since they’d be browsing around as me, so I’d have to create an account for each member of the household (which my Mac has, though iOS devices are single-user). Soon enough I hope it’s possible I could log onto someone else’s computer using my own credentials and have all my data just show up from whatever cloud services I use.
Ideally we’d also have legislation in place that dictates what companies are permitted to do with customer’s personal information in the same way that HIPAA and FERPA protect patients’ and students’ data. My larger view is that users would be dictating where their information is stored, and this identity would be managed client-side rather than stored in an account at Amazon, and at Google, and at every other site I visit.