I think the software community has generally done a poor job with authN, authZ, and credential management. The Web Authentication working group is working on a new spec to tackle some of their issues [0], but it's still fairly young and it fails to address some common pain-points.
It seems reasonable to distinguish between identity and device. If I lose some device, I can publish its revocation.
Serious internet users will have dozens, if not hundreds, of accounts. How do we handle revocations and key rotation?