No one's implemented my "in dash box" yet, but maybe this idea I'm going to throw out gets better traction ;)

A few different news stories in the past few days have gotten me thinking. We'll start with the LinkedIn drama: yet another security fiasco that led to leaked passwords. Technically only the hashes leaked, but they were unsalted SHA-1 digests and were cracked in bulk within days, so the passwords are compromised just the same. Lots of blog posts have since been written about the problems that result from this.

Many (most?) people use a single password everywhere, simply because it's impossible to remember the tens (hundreds? thousands?) of passwords you'd have if you used unique credentials everywhere. Other people use some sort of algorithm that yields a unique credential per site while only requiring them to memorize the algorithm (one example would be combining John Lennon's initials, your birthdate and part of the site's name, so that a password for C9 might be Jwl1030nnel). The catch is that such an algorithm produces exactly one password per site (or a very limited set), so if one of them leaks and has to be changed, you can't rotate it without changing the algorithm, and the leaked one also exposes the pattern behind all the others.

Password vault systems are one way to combat this, but they have their own problems. First, you have to have the vault with you at all times. Putting it on a thumb drive would work most of the time, but what do you do if you have to use a public computer where you can't plug in the thumb drive? What about on your phone? Then there's the inconvenience of having to "move" the credentials from the vault to the login. Most vaults have "auto type" features that work fairly well on your PC (though I'd still claim not well enough), but on smartphones you still often wind up with a horrible user experience.

The problem is, passwords used for security don't scale well. We've tried to tackle this over the years with various "single sign-on" approaches, but these don't really work either. If you can fully trust the owners of the authentication service, this can almost work for Internet-facing applications (like sites in your browser using OpenID). However, it's a bad general solution: you won't always have an Internet connection, and every site that relies on the service is now only as secure as that one provider.

We need to do away with passwords. For a long time I've wished for some sort of physical key I could use instead of a password. YubiKey is a great example of what I envisioned. The only problem is that the user experience is still subpar, with all the same limitations you have with a password vault. What we need is a standard. With a standard protocol, software could use a physical key like the YubiKey in a manner that provides an optimal user experience. Most importantly, if the OS and the browsers spoke this protocol, most of the UX problems would be solved immediately. Just as importantly, if it were a standard it could work across all devices, not just PCs. However, USB is maybe not the ideal transport if you want to work across all device types.

That's where the second news story I heard this week comes into play. I was listening to Twig and they were talking about Apple's Passbook, and how making payments with your phone could be more secure. That's when it dawned on me: have your physical keys use NFC! In fact, it makes sense for your phone to be the physical key. Enter a quick PIN/password on your phone, tap it to the device that needs to authenticate you, and you're done. One PIN/password to remember, and you get far better security everywhere. Web sites and programs would no longer be responsible for holding a secret that authenticates you, so they couldn't leak your passwords. In a public-key design like this, all a site stores about you is a public key plus whatever challenge it last handed out; a stolen database of public keys doesn't let anyone log in, because the secret never leaves the key you carry. The more I think about it, the more benefits I can see. Plus it's universal: not only will this work to identify you when using a computer, it will also work when identifying you at a point-of-sale terminal.
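To make the tap exchange concrete, here is an added example (not code from the original post) in Go using only the standard library's ed25519. The phone generates a key pair and hands the site nothing but the public half at registration; at login the site issues a fresh nonce, the phone (after a local PIN check) signs the nonce together with the origin the terminal is actually connected to, and the site verifies with the stored public key. The user name, origins and PIN are constructed for the example, and the salted SHA-256 of the PIN stands in for a real device's secure element and attempt rate-limiting.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Phone is the handset acting as the physical key; the private key never leaves it.
type Phone struct {
	priv    ed25519.PrivateKey
	pinSalt []byte
	pinHash []byte // salted SHA-256 of the PIN; a stand-in for a secure element
}

func pinDigest(salt []byte, pin string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), pin...))
	return sum[:]
}

// NewPhone generates the device key pair and records the salted PIN digest.
func NewPhone(pin string) (*Phone, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &Phone{priv: priv, pinSalt: salt, pinHash: pinDigest(salt, pin)}, nil
}

// PublicKey is the only thing the phone hands a site at registration.
func (p *Phone) PublicKey() ed25519.PublicKey { return p.priv.Public().(ed25519.PublicKey) }

// signedMessage binds the origin into what is signed, so a relayed nonce is answered for the wrong site.
func signedMessage(origin string, nonce []byte) []byte {
	return append([]byte("tap-auth-v1\x00"+origin+"\x00"), nonce...)
}

// Tap is the user entering the PIN and tapping the phone to a terminal. The origin
// is what that terminal is actually connected to, not what the challenge claims.
func (p *Phone) Tap(pin, origin string, nonce []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare(pinDigest(p.pinSalt, pin), p.pinHash) != 1 {
		return nil, errors.New("wrong PIN: key stays locked")
	}
	return ed25519.Sign(p.priv, signedMessage(origin, nonce)), nil
}

// Site is a relying party. Its "credential database" holds only public keys
// and outstanding nonces; stealing it gives an attacker nothing to log in with.
type Site struct {
	Origin  string
	users   map[string]ed25519.PublicKey
	pending map[string][]byte // user -> nonce issued but not yet answered
}

func NewSite(origin string) *Site {
	return &Site{Origin: origin, users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Site) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }
// Begin issues a fresh one-time nonce for a registered user.
func (s *Site) Begin(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Finish verifies the tap against the stored public key and this site's own
// origin, consuming the nonce so the same signature cannot be replayed.
func (s *Site) Finish(user string, sig []byte) bool {
	nonce, ok := s.pending[user]
	if !ok {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(s.users[user], signedMessage(s.Origin, nonce), sig)
}

func main() {
	phone, _ := NewPhone("2468")         // constructed PIN
	site := NewSite("login.example.com") // constructed origin
	site.Register("alice", phone.PublicKey())
	nonce, _ := site.Begin("alice")
	sig, _ := phone.Tap("2468", "login.example.com", nonce)
	fmt.Println("login accepted:", site.Finish("alice", sig))  // true
	fmt.Println("replay accepted:", site.Finish("alice", sig)) // false
}
```

Two design choices carry the security argument. Signing over the origin the terminal observes, rather than one the challenge claims, is what defeats a phishing site that forwards a real site's nonce: the phone signs for the phishing origin and the real site rejects it. Consuming the nonce in Finish is what stops a captured signature from being replayed. One caveat this toy skips: registering the same public key everywhere lets sites correlate you, so a real design derives a distinct key pair per site. This is essentially the challenge-response shape that FIDO U2F and later WebAuthn standardized.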

There's always a catch-22 when it comes to standards like this. However, Microsoft and Apple could probably get something like this to stick. If Microsoft were to implement this in Windows and use it for authentication in all of its cloud services, and incorporate it in their plans for NFC payment systems, while ensuring the system is open and non-proprietary, I would expect fairly rapid adoption everywhere.