People don't own mobile phone numbers. They are rented from mobile operators. Yes, you may be able to move "your" number between a limited set of providers - but it ultimately doesn't belong to you. An operator can unilaterally take your number away from you.
If you move to a different country, you will almost certainly have to change your number - thus invalidating any account which relies on a mobile being your primary identifier.
That's before we get on to how hideously insecure phone numbers are. Transmitting an SMS with a sensitive one-time code over a cleartext which can be easily intercepted is not a sensible approach to security. Modern phone networks are designed to accommodate Lawful Intercept - and suffer from a range of security weaknesses.
Fine. Whatever. Let's use emails as our primary ID. Bzzzt! Wrong! Email addresses are just as ephemeral as mobile numbers.
If you use a service like Gmail, Yahoo, or Hotmail, then you're at the mercy of those providers. They can revoke your access at any time. They can give away your cherished address. And, like phones, they can be legally compelled to give access to certain 3rd parties.
Social Media IDs are equally rubbish. Your presence on Twitter or Facebook is little more than virtual sharecropping. You don't own or control your ID. If the provider goes bust, you've lost the ability to identify yourself.
OK, here's an answer! What if I run my own domain? Then I'll be in control of my identity. And my email as well!
No. Not really. Your domain is only temporarily leased from your registrar. Perhaps you forget to renew your domain. Or renewal prices will jump and you can't afford your "home" any more. Perhaps a global corporation insists that they alone have the right to use your name and take you to court.
That kills off the ability to use something like IndieAuth.
Umm... How about IP addresses? Again, for most people these are leased from ISPs and are dynamic. Even with a switch to IPv6, there's no way to own an address permanently and move it between ISPs.
I want an online identity which is immune from 3rd parties to take back. Something unaffected by Eminent Domain. That - no matter the social and technological changes of the Internet - will remain valid throughout my lifetime.
Let's craft a problem statement
As a user, I want to have an identifier on the Internet which can only be revoked by me.
(That's not a perfect story, of course. It says nothing about security, access rights, or usability. But it is a simple starting point.)
Does such an identifier exist today?
Something like a Public/Private keypair is almost right. Ignoring the many usability issues with things like PGP, it is conceivable that you could authenticate yourself to a service by cryptographically signing a challenge they send you which is then verified against your public key.
This is more-or-less how FIDO UAF works. You generate and store your keypair on a piece of cryptographic hardware and use that for authentication and identification.
But there is a more fundamental flaw - a keypair doesn't provide a method for delivering a message or a service.
At the moment there's no way to say
- "Visit my website at
impossibly long cryptographic string" or
- "Give me a call at ..." or
- "Let's exchange data via ..."
OK, I can add multiple email addresses to a PGP key and hope that all the major email providers don't go bust, or sell me out.
I'm sure there are hacks which will turn
000D05F640557C62 into a DNS entry for a website. But that still falls back on requiring an existing domain name. Which can be taken away from you.
(As an aside, if you're an intergovernmental agency registered by an international treaty, you can apply for a
.int domain. That's probably harder for someone to unilaterally revoke.)
The Internet, so we are told, routes around damage. But where does it route to?
I don't have an answer to this. It seems like a fundamental design flaw with existing Internet infrastructure. How can I carve out a permanent home here?