
BLOG: Two-step verification will end consensual impersonation

Eve Maler | April 16, 2013
Learning from the school of hard knocks

Online apps will feel pressure to solve this problem. We may see cookies and access tokens with longer and longer validity periods to leverage the investment in that initial authentication. But here's the right way to do it: make it easier to delegate constrained account access to other people.

We don't have good solutions for secure, auditable, Internet-scale person-to-person sharing of access in online apps today. In fact, they kind of stink -- my go-to example is Flickr, which makes selective sharing of photo albums ridiculously complicated -- which is why some people take the easy-if-insecure way out. The solution needs to be friendly and functional, and it needs to enable revocation, so that at least Juliet can kick Romeo out of her digital life as well as her real one when the time comes.
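To make the three requirements concrete (constrained scope, owner-side revocation, an audit trail), here is a toy in-memory delegation service added as an illustration; it is not code from the post, from Flickr, or from the UMA specification, and the resource name `album:balcony`, the `view` scope and the injectable clock are constructed for the example.

```python
# Added illustration: constrained, revocable, auditable delegation in a toy service.
import time
from dataclasses import dataclass

@dataclass
class Grant:
    owner: str
    delegate: str
    resource: str
    scopes: frozenset   # the subset of rights shared, e.g. {"view"}
    expires_at: float   # grants are time-limited, not open-ended
    revoked: bool = False

class DelegationService:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock (lets tests fake expiry)
        self.owners = {}        # resource -> owner
        self.grants = {}        # grant id -> Grant
        self.audit = []         # (event, actor, resource, detail) tuples

    def register(self, owner, resource):
        self.owners[resource] = owner

    def grant(self, owner, delegate, resource, scopes, ttl_seconds):
        # Only the owner can share a resource, and only a named subset of rights.
        if self.owners.get(resource) != owner:
            raise PermissionError(f"{owner} does not own {resource}")
        gid = f"grant-{len(self.grants) + 1}"
        self.grants[gid] = Grant(owner, delegate, resource, frozenset(scopes),
                                 self.now() + ttl_seconds)
        self.audit.append(("grant", owner, resource, f"{delegate}:{sorted(scopes)}"))
        return gid

    def revoke(self, owner, gid):
        # Cuts off one delegate without changing the owner's password or access.
        g = self.grants.get(gid)
        if g is None or g.owner != owner:
            return False
        g.revoked = True
        self.audit.append(("revoke", owner, g.resource, g.delegate))
        return True

    def check(self, requester, resource, scope):
        # Owners need no grant; delegates need a live grant covering this scope.
        allowed = self.owners.get(resource) == requester or any(
            g.delegate == requester and g.resource == resource and scope in g.scopes
            and not g.revoked and g.expires_at > self.now() for g in self.grants.values())
        self.audit.append(("allow" if allowed else "deny", requester, resource, scope))
        return allowed
```

Contrast this with a shared password: there the only way to cut Romeo off is to change the credential, which also disrupts Juliet and leaves no record of who did what.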

Solving person-to-person access authorization is a key use case for the OAuth-based web standard that I work on in my copious spare time, User-Managed Access (UMA). Once enough online services start to demand two-step verification, apps will need to enable UMA or something like it -- just to give people back the feature that consensual impersonation used