For quite a while, we have advocated the use of X.509 digital certificates and HTTPS as a way to replace passwords with a secure, standard, reusable logon. HTTPS is already enabled on most websites across the globe to identify the website to the browser and encrypt data: using a digital certificate, the HTTPS protocol identifies the website and shares encryption keys. We are advocating enabling HTTPS to also identify and authenticate end users with a digital certificate. HTTPS and digital certificates for end users are already supported in the technical protocol and on all standard devices, but this capability is just not turned on. By enabling websites to identify and authenticate end users with a digital certificate, we would finally be able to replace insecure passwords, decrease the risk of phishing and make the Internet a little more secure.
However, we have not been able to convince any companies to become early adopters. Many think this is a good idea but have told us they would only support it if their clients ask for it. So we have the classic 'what came first - the chicken or the egg?' (though this particular question has been answered).
We are now approaching end users to become early adopters and to evaluate X.509 digital certificates as an alternative to passwords. We are looking for early adopters that:
- Are tired of having too many passwords and are interested in trying a secure, reusable, IETF-standard digital certificate.
- Want an easy-to-use, seamless logon to multiple websites: this video shows how easy it can be.
- Want to minimize sharing their identity and personal information on the web.
- Want to stop worrying about phishing.
- Are willing to test and provide feedback on the technology and our concept.
Try For Yourself
- If you want to try it yourself, you can get your own digital certificate and then access our demo websites. (It's free.)
- For those who are interested, enabling HTTPS on a webserver for end user digital certificates is actually very simple. Here are the instructions to configure Apache.
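As an illustration of what such a configuration involves, here is an added example for Apache 2.4 with mod_ssl; it is not the configuration from the linked instructions or from our demo websites. The hostname, file paths and the `/account` location are placeholders, and using the certificate's CN as the user name assumes the issuing CA keeps CNs unique.

```apache
# Added example, not the site's own configuration.
# Hostname, paths and the /account location are placeholders.
<VirtualHost *:443>
    ServerName demo.example.com

    # Server side of HTTPS: the certificate that identifies the website.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/tls/server.crt
    SSLCertificateKeyFile /etc/apache2/tls/server.key

    # The CA whose end user certificates this site trusts.
    SSLCACertificateFile  /etc/apache2/tls/client-ca.crt
    SSLVerifyDepth        2

    # Refuse certificates that the CA has revoked (CRL published by that CA).
    SSLCARevocationFile   /etc/apache2/tls/client-ca.crl
    SSLCARevocationCheck  chain

    # Ask for a client certificate during the handshake but do not demand one,
    # so public pages keep working for visitors without a certificate.
    SSLVerifyClient optional

    <Location "/account">
        # Only requests that presented a valid, verified certificate get in.
        Require ssl-verify-client

        # Pass the verified subject to the application:
        # SSL_CLIENT_S_DN, SSL_CLIENT_VERIFY and related variables.
        SSLOptions +StdEnvVars

        # Assumption: the CA issues a unique CN per user.
        SSLUserName SSL_CLIENT_S_DN_CN
    </Location>
</VirtualHost>
```

The web server only checks that the certificate chains to the trusted CA and is not revoked; the application still has to map the certificate subject to one of its own accounts.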
With enough interest from end users, we hope to convince websites to enable HTTPS authentication using digital certificates. As more websites turn this on, we can finally stop using insecure passwords.