Having written a longer discussion of how TypeKey
appears to work, I want to try a shorter summary.
TypeKey tackles an important problem – spam on open web sites. Open
sites want to encourage lots of contributions. Open sites do not want
their openness abused by spammers. TypeKey provides authentication services to help address the problem.
TypeKey provides a central authority. Sites use it to authenticate
visitors. This works by bouncing those users over to their central
authority which then sends them back with some identifying
info. Users might not even be aware it is happening, since in simple cases it requires no user interaction.
The design is flawed in at least two ways.
First. The system reveals a universal identifier for the user. That
empowers random sites to invade the privacy of their users by
conspiring with other sites to aggregate a model from whatever
the users revealed at various sites. Worse, it reveals this universal identifier to anyone eavesdropping on internet traffic. That’s a gift to
Second. No mechanism is provided to support multiple central
authorities. This makes the role of authentication authority scarce.
It creates a single point of failure. It has the unfortunate side effect
of putting Six Apart in the position of hoarding that role. That
will cause suspicion. It will delay widespread adoption. All that
is good for the spammers and bad for the open web.
Neither of these is necessary. Both can be fixed.