I think, in the short-medium term, the only viable solutions are ones based on confirming to users that the site they are currently at is the site they registered with earlier. Solutions like cookies and Passpet are in this category. Solutions based on centralized authorized or revised encryption methods require more time and effort and money than can be delivered in the short term.

This is an incomplete solution, however, because it assumes that the site was legitimate during the first visit. There are also other risks, but the approach is feasible in the short term and probably usable by a large portion of the Internet population.

I agree that tokens (or other sorts of helper devices) are not the universal easy answer to everything, and that we need to take advantage of simple things humans can do when we can. But I will argue that what people can do on their own is limited, and vulnerable to attack, and we need to find better technological (or other) means to help protect that limited and vulnerable resource. Right now we’ve got the equivalent of a “financial biometric” — passwords, SSN, credit card number, mother’s maiden name, etc — that is also difficult to revoke or change, and can act as a key to get access, money, etc once stolen, but that is possible to trivially type into a computer or read out over the phone. I think we can be cleverer than that.

I think passpet is one good example of how to begin to be cleverer than that, in an easy and short-term-deployable way — I have a password for a site that I don’t know, that I need to get through a tool that will try to refuse to give it away to the wrong person even when I want to. As I said in my talk, we need to start by raising the bar wherever we can, I just find it personally preferable to do that with an eye on where we really want to get to in the end, even if it takes a while.

Let’s try to follow what you and Diana suggest to its logical conclusion. If we want credentials that don’t lose their value when a secret leaks or is given away, what does that mean? It seems to me the only alternative would be physical tokens. So your credit card becomes a cryptographic token with an embedded key. Fine. Now what do you do if you lose your wallet?

Probably, you call the bank to report a stolen card and get a replacement. Okay, now how does the bank know they can trust your call? Do they ask you your address? Your account number? Your birthdate? Your SSN?

But this personal information was supposed to have no value that could be lost by revealing it. So how do you recover from failure? It would seem that there’s no way to fix the problem on the phone. So now you have to show up in person. And in person, what can you give them to prove your identity but perhaps some other piece of ID — which will also have to be a cryptographic token? And what if you don’t have your ID because it was in your stolen wallet?

The point of my story is to show that authentication has to bottom out somewhere. Stripped of all your possessions, your only sources of identity are your mind and your body. Today we use the mind: the final recourse is your memory, your knowledge of yourself. Some are proposing that we switch to using the body instead (biometrics), which is a troublesome idea (in part because you can’t replace body parts after a biometric is compromised).

I don’t think it’s possible to build a system that bottoms out in hardware tokens because tokens cost money, can be lost, and can be stolen. Not everyone has the ability to obtain a token. But everybody has a mind and has the ability to remember information about themselves. It’s impossible to get away from the fact that this information is valuable.

If we were choosing a winner for the panel, she smacked us around like a rented mule. So my million would go to start a credit card company based on PKI.

The question I didn’t get a chance to ask because there were so many others - if you had $1millionUS to spend on the phishing problem, and could not spend it on yourself or your colleagues, what would you spend it on?