Why can't this be done today? Back when StartSSL was a thing and giving out free SSL certs, they didn't have you authenticate with a username/password, they generated a cert that was stored in your browser and used that to authenticate you.
It can be done today, but the browser UX around X.509 client cert auth is poor, and especially setting up your browser to use hardware tokens is more than could be expected of a nontechnical user.
I don't know for sure why they decided to do something new rather than improving the UX of client certs, but what they came up with for WebAuthn seems to work pretty well.
"Four companies that nobody trusts want to manage your identity across websites and apps."
Seriously, from the T-Mobile data breaches affecting millions[1], to Verizon's injecting of X-UIDH headers[2], to AT&T's work with the NSA[3], to the selling of location data by all four mentioned in the article, there is absolutely nothing trustworthy about any of these companies. It's like cognitive dissonance. Maybe they could include credit monitoring by the 3 completely untrustworthy credit reporting agencies and the service would be feature complete in its absurdity.
I still trust T-Mobile more than the other two, despite the breach. AT&T and Verizon are NSA toadies. Maybe I’m naïve but it doesn’t seem like T-Mobile is so much in bed with the fed. NSA surveillance is a constant breach, no?
Am I the only one who's terrified of giving control of my authentication to a carrier? They have had so many absurd security breaches. Not to mention it's so easy to walk into any store and get a SIM card for someone else's account with nothing more than a phone number. They rarely check your ID.
Resurrect the original promise of OpenID! I want this capability, but I definitely don't want it controlled by big companies, and poor stewards of consumer best interests at that.
You mean like Google do already? See also this discussion from earlier in the week about automatically logging in to Gmail when you start Chrome. https://news.ycombinator.com/item?id=17942252
So, yet another SSO option, but implemented by companies that are infamous for poorly-implemented software, screwing customers for a few more cents, and security breaches?
I'd much rather authenticate to websites with a key stored in my phone's secure element than I would with an auth service provided by my carrier.