August 19th, 2008
A few times now, I’ve heard OAuth is too complex and unnecessary. Why not just have remote access keys?
They’re absolutely right. Remote access keys are the way to go.
However, how about we also have more than one remote access key per account? That way users can give each third-party app its own key. This lets users track what each app is doing with their data and limit what each app is allowed to access. It also means that resetting one key doesn’t disable every app you’ve given access to in the process.
Sound good? Well, now we have a problem of managing all these different keys. Why not have a simple handshake for the app to create its own remote access key at the time of authorization? It saves the user from copy/pasting the key from the provider site into the app.
We should also probably sign requests with a shared secret issued alongside each key, so that if any key gets into the wild or is sniffed, it won’t expose the user’s data to attackers.
Just add these few handy features (which are all about making life better for users), and remote keys are definitely simpler and easier than OAuth, and better for the user as well.
Oh, wait…
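As an added illustration of the last step above (signing each request with a per-app shared secret so that a sniffed key by itself is useless), here is a simplified OAuth 1.0-style HMAC-SHA1 signing scheme with a server-side nonce/timestamp replay check. This is example code written for this page, not the post’s own or any library’s; the app key, secret and URL are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Per-app credentials, as the post describes: each app gets its own key
# (sent on the wire) and its own secret (never sent). Constructed values.
APP_SECRETS = {"app-key-photo-printer": "s3cr3t-for-photo-printer"}

def _enc(s):
    # RFC 3986 percent-encoding with only unreserved characters kept, as OAuth 1.0 requires
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # Canonical form: METHOD & encoded URL & encoded, key-sorted "k=v&k=v" parameter list
    norm = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), _enc(url), _enc(norm)])

def sign(method, url, params, secret):
    # OAuth 1.0 joins consumer and token secrets with "&"; a single per-app secret is used here
    key = (_enc(secret) + "&").encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def make_request(app_key, secret, method, url, params):
    # Client side: attach the key, a timestamp and a random nonce, then sign everything
    p = dict(params, key=app_key, ts=str(int(time.time())), nonce=secrets.token_hex(8))
    p["sig"] = sign(method, url, p, secret)
    return p

class Server:
    def __init__(self, max_skew=300):
        self.seen = set()          # (key, nonce) pairs already accepted
        self.max_skew = max_skew   # seconds of clock drift tolerated

    def verify(self, method, url, params):
        p = dict(params)
        sig = p.pop("sig", None)
        secret = APP_SECRETS.get(p.get("key"))
        ts, nonce = p.get("ts", ""), p.get("nonce")
        if secret is None or sig is None or nonce is None or not ts.isdigit():
            return False
        if abs(time.time() - int(ts)) > self.max_skew:
            return False                                  # stale request
        if (p["key"], nonce) in self.seen:
            return False                                  # replayed request
        if not hmac.compare_digest(sign(method, url, p, secret), sig):
            return False                                  # wrong secret or tampered params
        self.seen.add((p["key"], nonce))
        return True
```

An attacker who captures the key and a signed request can neither alter its parameters nor replay it, and without the secret cannot sign a new one.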
Tags: oauth
August 11th, 2008
There is a great article in the New York Times about passwords, OpenID, and information cards. It’s already seen some coverage. The mistake the New York Times makes about OpenID is the same one most people make: OpenID isn’t about password consolidation. That is a nice, ancillary benefit of third-party authentication, but not the primary value. The primary value of OpenID is how it opens up competition in the authentication space.
The insecurity of passwords is not a new phenomenon. Password-based security has always had flaws, but they remain because we’re creatures of habit, and nobody is interested in innovating both a product and a registration scheme. Users are familiar with the username/password pattern.
OpenID solves this dilemma by providing a single point of identity. When you log into an OpenID-enabled site, that site asks the OpenID provider whether this person really is who they say they are. The provider then answers “yes” or “no.” How the provider determines this is up to them. It can be a password challenge, information cards, entering a generated code that was sent via SMS to your cell phone, or a restriction on the originating IP address. Vidoop innovates by requiring users to identify themes in images.
The dilemma with our current authentication paradigm is not that it is password based. The problem is that no one is innovating authentication. In the history of the internet, we haven’t moved beyond “enter username and password” prompts. When you break authentication out to a third party using OpenID, the OpenID providers can start competing for users. Competition will allow authentication to evolve, offering users whatever authentication scheme fits their needs.
Tags: authentication, nytimes, openid, password, vidoop
August 9th, 2008
I am 20 pounds heavier than I was two months ago. Now that I’m back up to 198, I’m taking advantage of Yahoo’s gym as often as I can. In the past, I’ve done a lot of weight training, but I’ve long suspected my heart isn’t as strong as it could be. Resting heart rates of an adult fall between 60 and 100 beats per minute. It’s usually a little higher in women than in men, but resting heart rate goes down the more fit you are. Professional athletes have been known to have resting heart rates of 30 bpm. Mine is 80-85 bpm.
I’m an informatics nut. I long for the day when I can attach a small device to my arm that will connect to my phone’s internet connection via bluetooth to upload health information to a central server somewhere for later analysis. I could have a pedometer in my shoes to measure how much I walk/run. I could have a heart rate monitor. There are lots of things you can do with a simple metal plate in contact with human skin.
My biggest complaint with fitness today is our lack of solid health knowledge. We don’t really know what we’re doing yet when it comes to nutrition and fitness. We know exercise is good, but we can’t be more specific than that. What kinds of exercises are optimal for certain kinds of results? What is the best nutritional combination for this? We have ideas, but only general ones. The reason why we aren’t satisfactorily answering these questions yet is because it takes a lifetime to answer. Literally. We’ve only become interested in fitness in the modern sense in the last few hundred years. We’ve been doing a good job recording data for less than that. Our diet has long term impacts; that much we know, but we can’t exactly say what all those impacts are. When it comes to the data collected to date, we have a very small sample of the population.
The best thing we can do to improve this going forward is to create large (petabyte-scale) databases of daily biometrics on populations of people, correlating that with other known health data, such as longevity and cancers. We can crunch that data for correlations.
For now, I’m using FitDay.com to manually record personal fitness metrics. It isn’t bad. It isn’t great because it requires self-reporting. No fitness site lasts long using manual updates. One day, I want to be able to log into a web site that has daily health information on me that goes back years, which it can correlate to other reported factors like productivity, fitness levels, and mood. I want all this data on me collected passively, either by my phone or some other peripheral that uploads data to the internet via my phone (or, worst case, keeps it stored until you sync up later). Lisa has been on a nutrition kick this year. Recently, she’s been lecturing me about The Omnivore’s Dilemma, which has me appreciating just how much we don’t know. I want a computer to be able to infer exactly what I need to do and eat to get the results I want. It’s perfectly possible; we just need to collect all the data. I’m not too sure what concentrated efforts there are to improve this space other than what Seth has told me about, but I loathe the idea that when I die people will still be advocating the Atkins diet.
I’ve always said I love doing data analysis. When you discover a new correlation, it’s like learning a secret that no one else knows. It’s a great feeling. I imagine it’s as good or better than a runner’s high, but I wouldn’t know.
Tags: fitness, informatics, nutrition