
RE: Ditching passwords / email identifiers

From: <Joerg.Heuer@telekom.de>
Date: Thu, 24 Nov 2016 13:38:09 +0000
To: <marta@blockstream.io>, <timothy.holborn@gmail.com>
CC: <jhprattdev@gmail.com>, <public-credentials@w3.org>, <msporny@digitalbazaar.com>
Message-ID: <a79a50e00de347739e2baf562a0d4fea@HE104697.emea1.cds.t-internal.com>
… and many more options to be considered! These technologies are all fine in certain contexts – and not well applicable in others.
I’d say we shouldn’t have to put our bet on one or the other technology, there will be even better ones to come – so ‘openness’ towards future developments seems a ‘must’ to me.


From: Marta Piekarska [mailto:marta@blockstream.io]
Sent: Tuesday, 22 November 2016 09:06
To: Timothy Holborn
Cc: Jacob Pratt; W3C Credentials Community Group; Manu Sporny
Subject: Re: Ditching passwords / email identifiers

I like this idea in principle. Why do you think an SMS message is the best carrier of such information?

I'm aware of some efforts to do the same with Bluetooth or NFC.

Have a good day

Security Architect @ Blockstream


+491703311307 (Germany)
+14159608938 (U.S)
Signal, Wickr (martap).

Sent from a mobile device, please excuse typos.

On Nov 20, 2016, at 5:49 AM, Timothy Holborn <timothy.holborn@gmail.com> wrote:

On Sun, 20 Nov 2016 at 15:22 Jacob Pratt <jhprattdev@gmail.com> wrote:

Certainly an interesting idea. This could also take advantage of the increasing frequency of biometric sensors in mobile devices, eliminating the need for a code (or some other identifier). It would be much simpler than remembering a password, and much more secure for the vast majority of people.

:)  Thank you.

It also seems really very simple to implement, and it's using existing functions so it should be relatively straightforward to standardise.

I'd be interested in figuring out how this may relate to creds (from community spec to more recent diversifications).

Another consideration is how this may provide an alternative to that which is outlined in various VISA EURO related 'claims'.

Could be paired with means for a QR Code to be generated at POS, linked to a credential orientated statement (for instance).

Overall - I would be encouraged if the idea/s were further investigated.

NB also (separate yet similar): TimBL expressed his desire to see N3 compatibility.  Manu was involved in a broader convo in relation to this consideration made.

The broader context was a graph related issue with TTL and that N3 did not share this problem.

I have been of the opinion for some-time that perhaps serialisations can live harmoniously somehow, perhaps where the stuff that TimBL's more focused on (ie: not web-payments or SEO related) should be supported in a way that is inclusive to his 'vision' alongside support for the 'status quo' herein, which seemingly moreover relates to payments related use-cases.

I have had the difficult experience of having been in the middle of the serialisation wars; and whilst I'm cognisant that it was the javascript wars that led to W3C,

I see some parts of this both healing and in continuum, unnecessary.

As one of the very few (in context of the ~7 billion people on the planet) some of these issues seem to have been unnecessarily unfortunate.


On Nov 19, 2016 11:05 PM, "Timothy Holborn" <timothy.holborn@gmail.com> wrote:
Had an idea that for places where mobiles are ubiquitous, the means in which to ditch passwords and email related AUTH could be facilitated by simply providing SMS authentication (or mobile app alternative) which in turn means no password is stored for the account at all...

Mobiles are increasingly used for banking, simply by tapping them on a payment gateway (via NFC).

People barely need to use their passwords to get into a password protected site, and a great many people have difficulty remembering them or keeping them safe.

A lot of email providers are internationally based (whereas mobiles come under telecommunications law, including the misuse of them) and in some regions at least - the receipt of an SMS does not cost the recipient funds.

I am aware of a few problems with that method, including company owned mobiles, lost phones, etc.


I figured it was an idea worth noting.  May be an opportunity within the general space.

Received on Thursday, 24 November 2016 13:54:14 UTC
