Cloud Computing: the undocumented by-product and problem of authentication
Cloud computing is awesome? Don’t think so? Here’s some information that might change your mind: computing is steadily becoming – if it has not already become – dependent on internet-based services (cloud computing for all you buzzword lovers). So, unless you’re a “hater” of cloud computing or John C. Dvorak, who seems to have trouble coming to terms with today’s “cloud reality”, there are certain things that require attention as data moves to the cloud: besides the well-known issues with cloud computing (such as the need for security, redundancy, and off-line access, to name a few), the issue of authentication is becoming the most important, yet it is not getting the coverage it deserves.

So let me break it down: ever forget which user name and password combination you used for a web service? So have I. I have come to the conclusion that, as users migrate to the cloud, they are led into one of the following bad habits:
- making complex passwords that are impossible to remember. If this happens, the user will probably begin
- using the same password and user name on all sites. After realizing that doing so compromises security, the user might think about
- using a few different passwords, but faces the possibility of forgetting which one was used for a particular site.
Knowing that, it’s easy to see how much of a problem this may become as users begin to rely more and more on web-based services: eventually, users’ security will be compromised because they will be using very simple, easily guessable passwords on all sites. And if one person finds out this password, that person will most likely be smart enough to know that the same password was probably used on all the other sites the compromised user is registered on. This behavior becomes a downward spiral and is very important to monitor: as users entrust websites and web services with their most sensitive data, such as email and medical information, security becomes extremely important. But how good is a locked-down server that no hacker can get to if your password is stolen or guessed? In that case… no hacker needed – the front door is wide open, just walk right in and look around, take whatever you want. Obviously, this behavior has the potential to lead to catastrophes in users’ lives.

What we need are solutions to this authentication problem. As of now, such solutions have come in two forms:
- desktop password managers that remember your authentication info for you (such as 1Password, RoboForm, and LastPass, or even the built-in Firefox password feature), and
- a web movement to unify the user’s online identity (OpenID)
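The reuse problem described above can be measured on a user's own list of log-ins. The following Python sketch is an added example, not part of the original post; the site names and passwords are constructed sample data and the function names are hypothetical. It groups log-ins by a keyed fingerprint of the password and reports which other accounts fall when one site's password leaks.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data: (site, user name, password), as a list of
# log-ins kept by one user might look. None of these are real accounts.
SAMPLE_LOGINS = [
    ("mail.example", "alice", "sunshine1"),
    ("bank.example", "alice", "sunshine1"),
    ("health.example", "alice01", "sunshine1"),
    ("forum.example", "alice", "asdfsdjhh$%ds)4432"),
    ("shop.example", "alice", "Winter2009!"),
    ("photos.example", "alice", "Winter2009!"),
]


def fingerprint(password, key):
    """Keyed digest, so passwords are grouped without comparing them in clear."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def reuse_report(logins, key=None):
    """Return the groups of sites that share one password, largest group first."""
    # Per-run random key: fingerprints are useless outside this audit run.
    key = key or secrets.token_bytes(32)
    groups = defaultdict(list)
    for site, _user, password in logins:
        groups[fingerprint(password, key)].append(site)
    shared = [sorted(sites) for sites in groups.values() if len(sites) > 1]
    return sorted(shared, key=lambda sites: (-len(sites), sites))


def exposure(logins, leaked_site):
    """Other sites that fall if the password used on leaked_site becomes known."""
    for sites in reuse_report(logins):
        if leaked_site in sites:
            return [s for s in sites if s != leaked_site]
    return []  # unique password: the damage stops at the leaked site


if __name__ == "__main__":
    for sites in reuse_report(SAMPLE_LOGINS):
        print(f"{len(sites)} sites share one password: {', '.join(sites)}")
    print("If mail.example leaks:", exposure(SAMPLE_LOGINS, "mail.example"))
    print("If forum.example leaks:", exposure(SAMPLE_LOGINS, "forum.example"))
```

In the sample, a leak at mail.example also opens the bank and health accounts, while the randomly generated password on forum.example exposes nothing else.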
OpenID
In terms of usability and user-friendly operation, OpenID seems to be the most promising of all these initiatives: pick one user name and one password, remember the created URL, and that becomes your single identity all over the web – no need to memorize anything else. Whenever you need to log into a web-based service, just enter the created URL along with the one user name and password combo, and that’s it! Want to begin using a new web service? Here’s where OpenID really shines: it already knows the user by the OpenID URL, so all that’s needed is to register your OpenID, and the site automatically knows everything about you (like your email address and all the other fields required to be filled in when signing up for a new web service). What’s great is that OpenID doesn’t just give away all the information about a user to a web service, but gives it just what it needs. This means that sensitive information such as your address is privately held and will need your permission.

Sounds perfect so far, doesn’t it? Well, there is a downside to such an initiative: it requires work on the part of websites and services to integrate with the OpenID technology. Thus, OpenID adoption depends on web services’ implementation of the initiative: companies that provide web-based products (such as Microsoft, AOL, or Zoho) need to make some changes on their side to make it all work.

Talking about companies and OpenID, there have been some recent developments with the technology: large companies such as Yahoo! and AOL, to name a few, have taken advantage of OpenID, but not in everyone’s best interest: these companies have begun to make their users’ authentication information OpenIDs. This means that if I choose to, I can log into an OpenID-enabled web service with my Yahoo! email address and password. But doing so doesn’t help and is actually misleading for the average user: those who don’t use their Yahoo! or AOL accounts as OpenIDs and, instead, prefer to use other OpenID providers (such as claimID, as in my case) can’t log into Yahoo! with their non-Yahoo OpenIDs. These companies’ OpenID initiatives, therefore, prevent me from using my claimID account to log into their services – which is like having a car that can drive in any direction, as long as that direction is forward. Whatever the case may be, until all sites become OpenID-enabled, users who prefer to avoid authentication headaches will have to stick to password managers.
Password Management Software
These (more often than not desktop) applications are simple: they memorize the URL of the site and the log-in info associated with it (user name and password). The user has one master password that they set up to unlock all the log-in information stored in the application. Using these password “brains” allows for the creation of really strong (read: difficult to guess) passwords – ones that use numbers and symbols instead of words (the passwords that are words are the easiest to guess and crack).

(Screenshot) Password management software: here is 1Password. As you can see, I've created a new Yahoo! account with a user name and password.

But extremely secure (read: strong) passwords bring their own set of problems. Namely, what do you do when you’re not in front of the password manager application? Can you memorize a password like asdfsdjhh$%ds)4432, which is an example of a highly secure, randomly generated password made by these types of apps? Neither can I. If you guessed that these applications are usually not portable, meaning that you can’t take them with you when you’re away from your computer, then you’re a smart one! Think about it: if you don’t have access to the app that holds all your 16-digit-long passwords when you’re away from the laptop/desktop, then it defeats the entire purpose of using web-based services: isn’t a major benefit of web-based services their “anywhere availability” anyway? So if you can’t log into Gmail at the library because you can’t get access to your desktop’s password management app, why bother using Gmail? Might as well use Outlook Express with POP3 access (and the server set to delete downloaded messages).

Doom and gloom, huh? Luckily, this sad story has a happy ending. (Well, at least a good “in-the-works” ending). The facts are these:
- The number of OpenID-enabled sites is growing daily. So in a perfect scenario, where all websites are OpenID-enabled, we can just remember our URL and one simple password that will work with all online sites. But we need one element until this wonderland becomes reality and all of the web becomes OpenID-enabled: time. Until that glorious day comes (which, when it does, will surely become a national holiday), we need to stick to password managers that make use of a master password to rule all your other passwords. Here are my top recommendations and a bit of back story:
- For a long time, I have been a Mac user. But not even half a year ago, my trusty iBook G4 decided it didn’t want me anymore and broke (motherboard). While living in “pure Mac land” (yes, it’s an actual place), I used an excellent desktop password manager called 1Password. I consider 1Password to be the best, most straightforward, and most elegant experience of password management to date: nothing on Windows comes even close to the refinement and usability of this app. It even has a free iPhone/iPod Touch version that syncs over WiFi to the desktop 1Password app on your Mac and has both read and write capabilities: signed up for a service while away from your computer? No problem – type it into 1Password “touch” and sync it back to the Mac once you get home. There was a web-based component called my1Password.com, but the developers recently shut it down and are working on a brand new version for the cloud. Did I mention my Mac died? So I pulled out a Dell tower and set it up to dual boot Vista and a hacked version of OS X Leopard (making it a Dell Hackintosh). And that’s how my quest began for the perfect cross-platform password management app. And to a certain extent, I found it! Enter
- LastPass: a platform-agnostic password management solution. It’s a web service that tightly integrates into the browser as a plug-in. Here are the platforms and browsers supported by LastPass today:
- Windows: IE and Firefox
- Linux: Firefox
- Mac: Safari and Firefox
- Mobile versions of the app are coming as well for “popular mobile platforms.” (The LastPass FAQ states that there will for sure be a native iPhone/iPod Touch version).
- Once the plug-in is installed, it works like a very well-designed and thought-out desktop password manager, with a few tricks:
- most importantly, it synchronizes all the log-in info to the web service, so you have all your log-ins with you wherever you go as long as you have an internet connection.
- It can auto-fill account info automatically or you can do so manually, with support for multiple accounts for a single URL (since I have multiple accounts with many sites such as Google, this is a must)
- The lack of mobile/offline access is going to be remedied with upcoming mobile versions
So for me, the perfect password solution is LastPass. Until we live in a world where all websites are OpenID-enabled, LastPass is the next perfect solution that works. Its benefits of being cross-platform, its simplicity, and being a web app in its own right far outweigh its lack of a native mobile client version (did I already mention those would be coming?)

(Screenshot) LastPass is the best "password manager" on the market: it lives in the "cloud", works on Windows, Linux, and Mac, and makes passwords and user names a non-issue wherever you are.

If you haven’t noticed, I have so far ignored other Windows-only password managers. This is because they are – to the last one – pure garbage. Oh, they get “the job done.” But their user interfaces are horrible and not user-intuitive at all. A password manager is something that you will be using many times in a day, and I guarantee you will get disgusted with using these Windows programs. They’re all full of childish colors, have tiny little buttons, and offer too many features in a horribly designed interface to be useful. Complete fail on that. (Yes, I’ve used RoboForm, which still sucks).

PS: Isn’t it ironic that the best password management solution to our obsession with cloud services is a cloud-based authentication-management service? Oh, and two more things: nothing personal, Mr. Dvorak (from my reference above). I find your ability to keep putting down cloud computing in general very entertaining. I perfectly understand the possible pitfalls of cloud computing. But once we learn how to manage it, the benefits will far outweigh the possible disadvantages. Even now, they do for me. I believe that we need to solve the following issues going forward with cloud-based computing:
- Redundancy of accounts and information for greater reliability (servers and datacenters)
- Creation of user-friendly usage policies that prevent the service provider from restricting a user’s access to his own account
- Increased security in password retrieval (perhaps use multiple-step authentication like PayPal/eBay key-fob?)
- Off-line access
Are you still reading this? Are you hoping for a cookie? Email me, and you just might get one.