I ran across the post “OpenID, Information Cards, and Passwords” in my newsreader, which then led me to the original article “Goodbye, Passwords. You Aren’t a Good Defense” as well as a bunch of other responses to the Goodbye article by Kim Cameron, Axel Nennker and Dave Kearns.
Great posts, and all of this is marvelous commentary on all that is wrong, what exists but isn’t enough, and the remaining challenges. But are the players with the technology and know-how just going to sit by and let something coalesce out of the chaos? Do they have a choice? All the big players have a reason to hark back to the MS Passport / Hailstorm days and shiver, but what about the little guys with nothing to lose but some sleep and VC money?
Users are aware of the problems and looking for solutions. One community alone is keeping the virtual shelves bare of even the hated OTP over at the Blizzard store*, trying to protect their virtual loot in WoW. I haven’t been able to order one, though I’ve been checking multiple times a day over the last month. You know from my previous posts that I have an unnatural hatred of OTPs, yet I’m eager to get one for this very specific, non-single-sign-on situation.
Do people really want a digital readout thing-a-ma-bob? Not even with Blizzard stamped on it. Do they want to make dang sure that their stuff doesn’t go missing as is happening with great frequency to their friends, even the supposedly security savvy? (no, it hasn’t happened to me <grin>). Clearly, yes.
Combining this article with the news today about the various worms running through the Facebook and MySpace communities, wouldn’t we expect these communities to react with the same vigor as the WoW folks? Sure, there may not be as many virtual goodies to be stolen, but these sites reportedly thrive on something more important… my reputation with my friends and their friends and their… yeah, the social net thing. However, regardless of the supposed Data Portability announcements with some fuzzy commentary of “trusted authentication” among 3rd parties, where are the true security-related announcements?
The majority of these attacks start at the same place, and the stories all begin with the same phrase: “With the compromised credentials, the attacker… [insert virtual violation technique here]”. As the MythBusters often exclaim whilst smacking their foreheads, “well THERE’s your problem!”. If Startup X showed up tomorrow and gave users easy-to-use, very, very difficult-to-compromise credentials that worked for even just the top 50% of sites they want security for, would they use it? That question, along with “what would they pay?”, makes up the two questions I always hear used as the discussion killer by the jaded.
But think how much happier users and vendors would be in the Blizzard Authenticator case if the solution were software-based and not bound by the availability of what is apparently a strongly sought-after physical item at $6.50 each. That’s just for one site that 10+ million people care about. Oh, that’s right, those OTPs can’t be purchased outside the U.S., so the number of users keeping these in short supply is well south of 10 million. Imagine then that your software-only solution would truly be available to the global community, and with significantly better margins than a physical device. Getting anyone’s attention yet?
Is authentication enough to really generate strong numbers? I think that it would, but consider if the credential were of a significantly powerful variety to provide functionality beyond authentication. That would bring in both fence-sitters and entirely new groups of users with different security and/or business interests. Folks, there’s enough technology out there already available (with some about to make an appearance that I’ll chat about here when it is ready for public announcement) to put together a very compelling, game-changing and revenue-generating service.
Before you say, “No one would ever trust a startup / new entrant enough to permit the creation of an uber-powerful identity provider”, remember that is exactly what the banks and their blinder-wearing service providers said while PayPal came in and ate their lunch. Funny that in the “Goodbye, Passwords” article, PayPal is properly called out as one of the key players in deciding what is and isn’t secure enough in Web 2.0 and beyond.
==========================================================
* Loading the Blizzard store is still problematic as fans crush it for Blizzcon tickets as of 8/12/08.
