Identity management is crucial on the net and I reckon it’s evolved into a pretty horrid cruft of silos and vulnerabilities. We have the opportunity to make identity a native property of the new internet. What should that be like? Some of my thoughts:
Identity Management per app / service
Autofill metadata when creating an account (username, password, contact details, password, confirmation, other metadata like phone number and shipping addresses)
Manage account (forgot password, restore from backup, remove completely)
Close account (give subjective feedback to service, confirmation)
Identity Transport
cross platform, safe browser, safe apps, web, mobile, native (eg it may just act as a glorified password manager in many instances)
backup management (create and restore, import and export)
use on public devices
use from removable media or from brain memory
Identity Modes
manage new identities
one-time / anonymous / disposable identites
api identities, including permissions and revocation
2FA
identity hierarchy, some identities should be totally separated, some should be derived from an existing identity
Threat Detection
access to history of identity usage
alerts when identities are used
digital signatures (I can’t believe how poor most current implementations are, this should be a huge and important thing, pgp could be so useful but it’s hardly used)
simple disaster recovery mechanism
web of trust features
Sharing
businesses need to manage access to shared resources
people may want to have a group identity used by many people
search for people or organisations
partial sharing of details with others (eg name and phone but not address)
verified real meatspace identity vs online personas
services can automatically communicate policies to users (eg password requirements)
Opertions Security
Automatically lock identities between certain times
Automated stylometric analysis / correction on all content passing through each identity
Schedule jobs for identities
Custom outgoing content filters / modifiers
Custom PRNG and entropy sources
Payments and budgeting
Wallet and fund management
Recurring and scheduled payments
Budget tracking
Alerts and warnings
Multisig coordination mechanisms
Incoming payment / invoice management
This is a lot of stuff for a user to manage! I think it would be easy to make a really complex UI that does all this (and it would still be better than what we have today) but hopefully we can make a simple UX. If SAFE can get identity management right it will be a massive drawcard to bring people across from the oldnet.
One thing I would like to see is single secret access - each user has one very strong key and all other secrets are managed automatically and securely. By reducing the cognitive load to one secret it can be extremely strong. The problem is when users have lots of different cognitive load they have to simplify each one to be able to manage.
Do you have any examples of good identity management software or features?
Great topic! I would only like to add that Android (don’t know about ipad, never used) has a system of permissioning for apps that is familiar to many, so having a system that mimics that might be a good starting point - not that it couldn’t be better.
Yes, good point, however I am getting a bit exasperated with those permissions since it’s never clear how the permission is used, only that it’s required. I feel that only open source software can ever really answer that question, so have sorta given up / accepted the risk.
But on the permissions topic, I think macaroons is a fairly promising idea to “embed caveats that attenuate and contextually confine when, where, by who, and for what purpose a target service should authorize requests”
Yes, completely agree … so those macaroons would limit the range by default? Then there would need to be a fine-tuning system that would adjust the macaroons that the user would need to attend to … perhaps some basic AI could come into play here if it can be informed of the users wishes through some training … then it could fine-tune on the fly only letting the user know when the app is requesting (demanding) too much.
“Macaroons” can be as specific as you want. Even better, once you get a token, you can delegate it while restricting the access even more. For example, if you have a token with read/write access to a resource, you can easily make a read-only token out of it by appending a new caveat that says “read-only” at the end. But there are already a few posts about this here.
My first thought is much of this list can/will become redundant. You’ll merely be giving apps/services permission to see certain data as and when needed e.g. shipping address.
The massive mess that we have now will start to become a thing of the past. I quick glance at my password manager shows that I have a handful of identities, but 1300 separate logins/passwords. Madness!
It’s worth check out this post from @happybeing (and the whole thread in general, if you missed it) for an argument as to why we might be better taking a different starting point, and how the Android model might be a bit back-to-front, given the opportunity of a clean slate.
I misread it too. It makes much more sense now There’s a lot of opportunity to solve some of clear nets ID management issues since SAFE has them whipped at one log in with self authentication network wide, all the crypto, WebID, allow/revoke permissions, etc.
I hope to see the permissions become more granular like how you can allow access to a camera but revoke for geolocation etc on mobile, in the future.
No not misinterpreted; the thread is mostly about managing SAFE identities but there’s no reason why it couldn’t be used elsewhere too. From OP “If SAFE can get identity management right it will be a massive drawcard to bring people across from the oldnet.”
I think the list is missing SOLID and ‘digital business card’ features. But yeah, mostly I meant to get SAFE identities done right, and if that’s the case it would probably be unavoidable that it’d be used in some way for oldnet identities too.