A few weeks ago, Henry Story posted an excellent comment to my blog about Identity in the Browser, linking to his blog post Global Identity in the iPhone browser, which described the use of foaf+ssl certificates to autheticate access to a website. 

Yesterday, I participated in a somewhat spirited discussion with colleagues about the pros and cons of using certificates in mobile devices to provide better security than common username/password techniques.  Getting away from typing passwords on a cell phone would be very helpful.  The main thing I really like about the method Henry described is the ease in selecting different certificates, which may represent different personas for a user.  Being able to increase security and ease-of-use at the same time is encouraging.

However, I think we need to overcome some other key hurdles to bring this method into the mainstream.  Some issues include:

• How will certificates be distributed and installed, particularly to people who are not particularly technology savvy?
• What methods will be used to verify that certificates match a person's real Identity?
• What will it take to get a critical mass of online sites to adopt this method of authentication?
• What happens if the phone is lost or stolen?

It will be interesting to seek how these and other relevant issues are resolved.


Technorati Tags: Identity, Identity Management, IDIB, Certificate, foaf+ssl