Humte

Drupal runs the sites I make. It is what makes it possible to do quite complex things. Without question it is wonderful.

In these posts I discuss the development process. This mainly revolves around Drupal, but also includes more general discussion on topics such as CSS.

I also have entries on three other web development topics. You can find all my posts here.

Yubico's Yubikey

Through the rather excellent Security Now podcast, Steve Gibson has introduced me to an emerging product from a new company called Yubico. By the sounds of things it has the potential to completely revolutionise authentication on the Internet. It sounds as interesting and revolutionary as OpenID, and can actually build upon OpenID to make it more secure.

I'll just give a really brief introduction because I'm not enough of a security expert to really explain this and the podcast does a much better job if you have an hour and a half to geek out on this. If not, it's something to pay attention to anyway.

Something you have

Some large companies such as Paypal and Verisign offer a key-fob/dongle to add a layer of security when signing in, making it multi-factor authentication.

(For the uninitiated, a password is basically a single factor authentication system and that factor is referred to as 'something you know'. It's secure unless someone discovers your password, at which point they can log into your system. Another factor is 'something you have'. This means that someone trying to log into your account would have to steal something physical from you in order to authenticate and this is obviously a lot harder than grabbing your password somehow. The key you use in your front door is probably the most obvious example of this.)

These dongles are small devices which produce a unique one-time password when you press a button. The password changes every time you press the button and has a limited lifespan. If anyone tried to learn the password they would be out of luck because it will expire by the time they get to use it. This means you must own the dongle to get into the site. It adds the 'something you have' authentication and makes everything a lot more secure.

Yubikey Revolution?

Good so far. But the Yubikey is revolutionary for two reasons.

First: it is a USB key which is essentially a keyboard. This is a particularly good idea because it means there are no driver difficulties or issues with installing client software. You simply plug the key into your USB connection, go to the login screen and then press the button on the Yubikey. The Yubikey then spits out a really long one-time encrypted password and your computer interprets it just like you were manually typing it out on a normal keyboard. This makes it really easy to use and instantly compatible with pretty much any computer.

Second, it is open source. This means anyone can set up a server because all you need to pay for is the actual USB key. This makes it usable by more than just a few large corporations who set up an account with someone like Verisign.
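As an added illustration (not from the podcast or from Yubico's own code), here is roughly what a validation server does with the string the key types: split the 44 characters into a public ID and a 16-byte token, check the token's checksum, and refuse any press counter it has already seen. The AES-128 decryption step is left out so the example needs no crypto library; the sample ID, the field values and the names ReplayGuard and make_plain are constructed for the example.

```python
import struct

MODHEX = "cbdefghijklnrtuv"  # 16 letters that type the same on most keyboard layouts
_TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")
_TO_MODHEX = str.maketrans("0123456789abcdef", MODHEX)

def crc16(data: bytes) -> int:
    """CRC-16 (reflected polynomial 0x8408, initial value 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def split_otp(otp: str):
    """Split the typed string into (12-char public ID, 16 token bytes)."""
    if len(otp) != 44 or set(otp) - set(MODHEX):
        raise ValueError("not a 44-character modhex OTP")
    return otp[:12], bytes.fromhex(otp[12:].translate(_TO_HEX))

def parse_token(plain: bytes) -> int:
    """Verify the checksum of a decrypted token and return its press counter."""
    if len(plain) != 16 or crc16(plain) != 0xF0B8:  # residue of an intact token
        raise ValueError("corrupt token or wrong key")
    _uid, use_ctr, _ts_lo, _ts_hi, session_ctr, _rnd, _crc = struct.unpack(
        "<6sHHBBHH", plain)
    return (use_ctr << 8) | session_ctr  # grows with every button press

class ReplayGuard:
    """Remembers the highest counter seen per key; older or equal ones are replays."""
    def __init__(self):
        self.last_seen = {}

    def accept(self, public_id: str, counter: int) -> bool:
        if counter <= self.last_seen.get(public_id, -1):
            return False
        self.last_seen[public_id] = counter
        return True

def make_plain(use_ctr: int, session_ctr: int) -> bytes:
    """Build a constructed 16-byte token (stands in for the decrypted payload)."""
    body = struct.pack("<6sHHBBH", b"\x01" * 6, use_ctr, 0, 0, session_ctr, 0x1234)
    return body + struct.pack("<H", crc16(body) ^ 0xFFFF)

# Constructed sample: a made-up public ID followed by an unencrypted token.
SAMPLE_OTP = "cccccccccccb" + make_plain(1, 0).hex().translate(_TO_MODHEX)
```

A real server would decrypt the 16 bytes with the key's AES secret before calling parse_token, and would also compare the private ID inside the token with the one on record.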

The possibility of using this with OpenID is particularly exciting. One of the issues with OpenID is that you have only a single password that lets you into lots of stuff on the web. This means that if someone found out your password they could get into a whole load of your accounts instead of just one. The Yubikey makes your OpenID a whole load more secure.

So the Yubikey is really useful for small businesses and even single individuals. But it's also a benefit to large corporations because they can run the servers themselves, on an internal intranet if they choose. It's really a win for everyone (except Verisign, of course!)

As long as Yubico has the capacity to make these keys in huge numbers, I'm 99% sure this is going to be massive.

If you want to know more listen to the Security Now podcast and take a look at the Yubico website.

The Slowness of Browser Upgrading

I'm certainly no fan of Internet Explorer 7. Out of all the modern browsers, it still has the most CSS bugs and I dislike how its overwhelming market share is due to it being the default install rather than the best browser. However, compared to its predecessor (version 6) it is a godsend to work with.

Unfortunately for web developers, we still have to struggle with older versions until users (aka my client's customers) abandon the older browser in suitable numbers. Really we need the number to get below 1%.

With the millions of web surfers out there, the reality is that this can take years; many simply wait until they buy a new computer.

So although it has been almost a year since IE7 was released, most statistics show that IE6 still has the greatest user base.

It is good news, then, to see Microsoft attempting to make their browser a little easier for consumers to upgrade to. From the official Internet Explorer blog:

Because Microsoft takes its commitment to help protect the entire Windows ecosystem seriously, we’re updating the IE7 installation experience to make it available as broadly as possible to all Windows users. With today’s “Installation and Availability Update,” Internet Explorer 7 installation will no longer require Windows Genuine Advantage validation and will be available to all Windows XP users.

Realistically this is unlikely to have a dramatic effect on the speed of IE7 adoption. And when IE8 is released (whenever that may be) we will have to continue the slow upgrade cycle again.

I wonder how we will eventually solve this problem. Here are some random thoughts:

  • As IE finally becomes standards compliant, we will be able to degrade our designs gracefully, rather than see them skewed beyond all recognition. This may still drive designers crazy, though. Although it could also encourage us to think of designs in a more fluid manner when used on different devices.
  • The newer browsers will provide a much richer experience so clients will be more willing to push the boundaries and let some users fall behind. With much of the web broken, users will be forced to upgrade.
  • We will start to push more of the design from the server, so that we have central control. The CSS engine would be cached rather than come with the browser, and therefore always up-to-date.
  • We just improve the versioning of CSS and its implementation so that the upgrade path is clearer and simpler.

We are all bored of ranting about IE6, but what will we be ranting about when IE6 drops out of significance? Will the new rant be about something less aggravating?

Drupal 6.0 beta 1 released

Drupal 6 unofficial logo

The amazing people who work on Drupal core have taken another step towards Drupal 6.0 with its first beta release.

Having only discovered Drupal less than a year ago, I've not yet contributed much to the project other than documentation. I've been busy learning the system, setting up a business, doing a degree, and so on.

When Drupal 7 starts development, I'm hoping I'll be able to get more involved. Testing the new beta would seem an ideal point to start; kind of a warm up for Drupal 7. Realistically, however, I have an exam and a client that are going to be my priority over the next month.

But I'm going to find time if I can. There is no team I'd rather work with than the Drupal team. I'm really eager to get involved properly.

More information about the release can be found in the official post.