Having recently switched computers because of a hard drive failure, I can completely relate to Tim Bray's angst over what I'll call the prompt of despair (he calls it the prompt of doom): the one where your browser asks you if you want it to remember the password you're putting into some site for you. Saying "yes" leads you down a worse path than the hell that lurks in the autodial feature of your cordless phone. I live in complete horror of the idea that my cordless phone will stop working because of the 20 or so autodial numbers that I routinely use that I can't remember for the life of me. So, Tim, when you say "I can't be the only one," you're not.
The "remember this password" prompt, which I've been seeing a lot of lately (since switching systems), is about 100 times worse than autodial hell. For starters, I've noticed how it's not too good at dealing with wrong passwords on first entry. So, for example, you go to some Web page, key in your user ID and password and your browser asks if you want it to remember that information. You say yes. But as it turns out, you put the wrong password in (since you haven't had to enter one in about a year). So, the Web site whisks your browser to the error-bad credentials page where you get a second chance and it asks if you want it to remember that. Saying yes, however, doesn't automatically apply the new password to the original login page (which is the one that you'll end up using) and it's not clear how to go back to that original page and reset what it remembered. Even worse is what happens when you enter a wrong password into the second-tier error page for the second time. That's when I start sweating bullets because I'm not sure if this is one of those sites that locks you out after three attempts and you have to wait a week for whoever runs the Web site to send you a new password in the mail. Autodial is a saint compared to this mess.
Bray wants single sign-on and I agree. If only we could have single sign-on, that'd be great. The question is, with so many SSO technologies out there, which one will get the ubiquitous support from the many domains on the Internet? My hope is that Higgins will be the one to get the most traction. IBM and Novell are firmly behind it and Microsoft is "loosely coupled" because of the way it has demonstrated support. Not only is Higgins open source and not only does it handle single sign-on and authentication across domains, it allows you to control your personal data in a way that doesn't require you to release any more personal information than you want to, to certain Web sites.
So, let's say you keep a lot of profile data in your Higgins profile but, when you go to some car buying site, you are authenticated, but not as a logged-in user per se. Instead, you simply release just the data that the site needs to contextualize its user experience to you. For example, you might release just your favorite color to a car buying site and from that point forward, all the cars it shows to you, it shows them to you in your favorite color. Recently, at the Identity Mashup Conference at Harvard University, the developers of the Higgins Trust Framework demonstrated this very scenario in action, using Best Buy's Web site. Although Best Buy didn't officially announce support for Higgins, it showed a prototype of a Higgins-compliant Kitchen Design Center that plucked nothing but someone's kitchen design preferences (e.g., a stainless steel refrigerator) from their profile and tuned the My Virtual Model-based user experience to those preferences.
This just scratches the surface of some of the things that Higgins can do and the fact that it's open source means that it can be integrated into a lot of other existing technologies.