ID Management is no small thing. Are there discussions somewhere in the larger Mastodon (or GNU Social) project on how to evolve this?

@ennenine From an authentication point of view, if could actually be a lot more secure than your typical user account. Since you only have on ID to worry about, you could focus on "Fort Knoxing" it with whatever you like, certificates or biometrics or multi-factor authentication.... It would be a lot easier than needing a password manager to organize a million different accounts.

@cc @ennenine Biometrics for authentication are a security nightmare. Try getting a new retina installed, or your fingerprints re-issued, after a data compromise. This is a HUGE and stupid failure mode.

@HedgeMage @ennenine Biometrics: userids, not passwords.

I'm increasingly inclined toward some sort of worn, replaceable, identifier. A signet ring with a very-near-field chip which could be held to an ID sensor on devices and specifically triggered. Or something operating similarly. "Something you have", replaceable, a specific interaction. Not generally readable from a distance.

@ennenine @HedgeMage Also, critically: something /discardable/, preferably capable of being destroyed to the point it cannot be associated.

Replaceability means that you can /either/ choose not to use a specific ID, or have another one issued should the old one be lost / destroyed / compromised.

This means that any remote authenticators must recognise repudiation of devices.

If there's encryption involved, likely some form of escrow. Quora for various operations as well.

@HedgeMage There are circumstances in which I'm a fan of insertable devices. This isn't one of them. Yubikey works fairly well for the case of "authenticate to devices I control directly", but they're too fussy for instances of, say, building or transit entry, even ignoring other issues. Public USB port mortality rates alone would kill it. Even there the signet is fussy.

I also don't like One True ID concepts -- a universal card / phone / device. #1984

Sign in to participate in the conversation
mastodon.cloud

Everyone is welcome as long as you follow our code of conduct! Thank you. Mastodon.cloud is maintained by Sujitech, LLC.