Why don't more companies take advantage of existing mechanisms for authentication via public key, e.g. using SSH as a way to interface with SaaS/web services? Some reasons that come to mind are a) most people don't know how to create and share a public key and b) there isn't very good integration between public keys and browsers, which are obviously necessary to use services that have complex GUIs. But given the benefit of not having to rely on a third party identity provider like Google, why aren't there more people focused on solving those problems?
The average user will always choose ease of use over strict security. Having to maintain your key files is asking a lot of people who can't even be bothered to use different passwords. Then what happens if their laptop dies and they lose their private key? Something low friction, like Sign in with Google/Facebook/GitHub, whatever, where somebody else manages your identity for you, is going to be much lower friction.
Like WebAuthn or DID? People are working on it, it takes time, and we don't know if these will become popular or not. I'd certainly like to log in with my YubiKey.
I really thought Keybase had potential to take over this space. It was easy to set up, came with encrypted messaging and file storage, and gave end users ways to assert their identity that didn't rely on traditional certificate authorities. I wish they had found a way to make Keybase a sustainable business instead of selling to Zoom.
As a corollary to this, I often wonder how much companies could save on, for example, collaboration tools if they invested some time training their employees to use version control and file transfer utilities. Or am I biased by my own comfort level on a command line as a software dev, and this would actually be infeasible?
Key generation is trivial. Key management and distribution have their own issues and challenges. At some level you start requiring certificate authorities (central trust). The DID-core W3C proposal seems to be putting down some of the pieces required to enable rolling your own identity authority. But it is still a long way to go even after around 4+ years.