[personal profile] starseerdrgn

So, I came across IndieWebCamp not too long ago, and really liked what their message was: take back your online identity. Then, I found their Web Sign-In authorization system, and everything kind of fell apart for me.

When your sign-in system requires the use of the very sites you're encouraging people to leave, you have a problem with hypocrisy. When you put down a log-in system that the user can provide from their own server (OpenID) as "too hard", you have a problem with laziness. Authentication isn't supposed to be easy. Otherwise, you run into what Twitter users see every time they run into one of the meme services: an OAuth application that hijacks their identity by continuing to use the permissions given to them without alerting the user.

Of course, open services have major issues with taking off as well. Mozilla Persona is being shut down, and OpenID is now using OAuth 2 (which I still don't trust thanks to all of the hell I've been through). I don't see why people can't promote decentralized authentication, especially when centralized authentication is one giant target for hackers.

Yes, I'm going there.

If you throw everything behind Google Single Sign-On, Firefox Accounts (Persona Replacement), Facebook Connect, etc., you have your identity for everything in a single place. This is a black-hat hacker's best-case scenario, allowing them to effectively control everything connected to that user's account with little effort. It becomes trivial once they get in.

I myself was a victim of such an attack, with the hacker bypassing my second factor of authentication on Google (I had two-factor auth enabled with my phone). I lost access to my email, IM service, Twitter account, Facebook account, Steam account... Effectively everything in my online life. It wasn't fun, and I learned my lesson from that incident.

I honestly wish OpenID would take off again. I want to see someone beat Twitter, Facebook, and Google at authentication, especially with two-factor. I think a decentralized Persona-based solution might be the best bet (seriously, it's dead simple to use), but in a world where developers rely on a cloud service to set and store avatars (Gravatar), everyone is just too lazy or doesn't care about such problems, and it's depressing.

This is the open web. Why can't we help make it more open?

Date: 2016-02-22 10:02 am (UTC)
From: [identity profile] cweiske.de
I had the same problem and solved it by implementing my own IndieAuth server which uses OpenID in the background:

http://cweiske.de/tagebuch/indieauth-openid.htm#login

Indieauth.com supports federation, which means I can use my own IndieAuth server to log in to the indiewebcamp wiki:

http://cweiske.de/tagebuch/federated-indieauth.htm
