Smartcard and non-password methods (was Re: Password repository)

Jack Bates jbates at
Sat Nov 21 14:57:55 UTC 2009

John Levine wrote:
>> Are passwords still the only lowest-common-denominator?
> There's OpenID, where a provider can use any verification process it
> wants, but all the OpenID providers I know use ordinary passwords.

Yeah, and every ISP would probably use key authentication, except 
there's not a simple distribution method for the multitude of ways 
clients might connect and handling temporary issues such as a customer 
connecting from a public site via webmail.

So if a customer needs a password to retrieve or unlock a cert, they see 
no reason for a cert. This shows in the limited support for client 
certificates in standard software. Due to the limited support and 
increased overhead in supporting getting a client cert installed, they 
end up not being used.

The same could be said for other protocols, though. Kerberos rocks, even
does good with M$ networks, but there is no click-and-have-fun Kerberos
support that I've seen for ISP networks.

On the other hand, even with a very hands-free implementation, I'm sure
people would complain, "but I want to let my son authenticate to this
with my username/password, but not have access to this." Obviously, such
a problem is best solved with "son" having his own auth, which may have
different resources than the parent's, which is easily maintained and
billable based on the resources actually required (see any number of
Profile setups on fee-based services; i.e., Netflix).

Jack (off topic, and annoyed with the way we do things today)
