Signing in & composite services

Richard Pope,

Usernames and passwords are on borrowed time as a design pattern. Examples of the damage it does are everywhere. The only thing keeping it credible is two factor authentication via SMS or a mobile app, and that can't reasonably survive the switch to mobile as the dominant way of accessing the web (because it's not really two factor if it's on the same device, right?).

The future, probably looks something like this from the FIDO Alliance, which sets out specifications for the use of hardware dongles for strong 2-factor authentication in association with a pin or password. (It also sets out specs for the slightly more problematic / scary use of fingerprint scanning, speech etc for authentication).

Hint: if you are a designer or developer, buy a Yubikey hardware dongle right now and start experimenting. Even if that particular bit of hardware doesn't win, it will give you a feel for the sort of interaction patterns you will be dealing with in the near future.

Anyway, what I'm interested in, is what changes when signing-in to a service becomes an order-of-magnitude quicker and more secure?

My hunch is we quickly get used to signing in more often, to a greater number of services at once, and the oAuth style permissions pattern that is currently the preserve of large platforms like Google or iOS starts getting implemented by smaller, more discrete services.

The result: and it becomes much easier to build composite-services made up of lots of loosely joined parts.