It's important to note, as has Brad Fitzpatrick of LiveJournal, the inventor of OpenID, that OpenID does not specify an authentication method. You don't need to use passwords or thumbprints or any other specific method. Fitzpatrick cites examples he's seen using Kerberos, voice prints and numerous other obscure Internet authentication standards. This flexibility undoubtedly engendered confidence in Microsoft and other vendors who are moving to support OpenID.

Authentication is not the same as trust. A service provider might choose to trust users authenticated through biometrics more than those authenticated through passwords. And stronger authentication will definitely be necessary. The OpenID community is discussing the substantial potential for phishing of IDs. See this blog and this wiki for discussions. Here's the short form: You go to a malicious site and it asks you to log in with your OpenID. Instead of redirecting you to the real IP (identity provider) for your OpenID, it redirects you to a fake version of that site (perhaps employing phish-enabling vulnerabilities such as these), which asks you for your password, and you give it.
There are many ways such attacks could be fought, and they are discussed on the OpenID.net wiki on the subject. One simple idea is to do what VeriSign does on their IP site, which is to ask the user for a graphic that they then display whenever the user logs in. This technique, identical to Bank of America's SiteKey, proves to the user that the VeriSign site is what it claims to be, but it still puts the onus on the user to notice that the graphic is missing when it is.
I've wondered how far you could go with OpenID. It's one thing to use it for blogs and social networking sites, but could Amazon.com or your bank ever allow you to log on with an OpenID? We are, at the very least, a long way from that. But perhaps it could happen.
One way I could imagine it working is for sites to discriminate between OpenID IPs. They might trust AOL, for example, but not openid.ispamyou.net. In fact, OpenID might turn into a way for sites to require even stronger authentication than they now have and outsource the process.
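The provider-discrimination idea above, as an added example that is not part of the original column: a relying party that resolves the claimed identifier to its provider, refuses to proceed unless the redirect target really is that provider's endpoint, and then applies a trust policy per provider, accepting some outright, accepting others only when they assert a strong authentication method, and rejecting the rest. The discovery table, the provider names (openid.aol.test, openid.ispamyou.test, openid.smallco.test) and the policy sets are constructed for the example; a real relying party would perform OpenID discovery against the identifier instead of consulting a table. Note the caveat the column itself raises: in the phishing scenario the malicious site is the relying party, so a check run by the relying party protects the site, not the user; the user-side defence remains something like the recognition graphic.

```python
from urllib.parse import urlparse

# Constructed stand-in for OpenID discovery (sample data, not a real
# provider list): which provider endpoint each claimed identifier resolves
# to. A real relying party would fetch the identifier URL or its XRDS
# document instead of consulting a table.
DISCOVERY = {
    "https://alice.openid.aol.test/": "https://openid.aol.test/server",
    "https://bob.openid.ispamyou.test/": "https://openid.ispamyou.test/login",
    "https://carol.openid.smallco.test/": "https://openid.smallco.test/op",
}

# Hypothetical relying-party policy: providers trusted for ordinary logins,
# providers accepted only when they assert a strong authentication method,
# and everything else rejected.
TRUSTED_PROVIDERS = {"openid.aol.test"}
CONDITIONAL_PROVIDERS = {"openid.smallco.test"}
STRONG_AUTH_METHODS = {"smartcard", "biometric", "kerberos"}


def discover_provider(identifier):
    """Return the provider endpoint the identifier resolves to, or None."""
    return DISCOVERY.get(identifier)


def host_of(url):
    """Hostname of an https URL, lower-cased; None if not https or no host.

    urlparse().hostname drops any user@ prefix and port, so a redirect such
    as https://openid.aol.test@evil.test/ yields 'evil.test', not the
    trusted name embedded before the '@'.
    """
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()


def redirect_matches_provider(identifier, redirect_url):
    """True only if the redirect target is the provider discovered for the identifier."""
    endpoint = discover_provider(identifier)
    if endpoint is None:
        return False
    expected = host_of(endpoint)
    actual = host_of(redirect_url)
    return expected is not None and expected == actual


def evaluate_login(identifier, redirect_url, asserted_auth_method=None):
    """Decide whether to accept an OpenID login under the policy above.

    Returns one of: 'reject-redirect-mismatch', 'reject-untrusted-provider',
    'reject-weak-auth', 'accept'.
    """
    if not redirect_matches_provider(identifier, redirect_url):
        return "reject-redirect-mismatch"
    provider = host_of(discover_provider(identifier))
    if provider in TRUSTED_PROVIDERS:
        return "accept"
    if provider in CONDITIONAL_PROVIDERS:
        if asserted_auth_method in STRONG_AUTH_METHODS:
            return "accept"
        return "reject-weak-auth"
    return "reject-untrusted-provider"


if __name__ == "__main__":
    alice = "https://alice.openid.aol.test/"
    print(evaluate_login(alice, "https://openid.aol.test/server?openid.mode=checkid_setup"))
    print(evaluate_login(alice, "https://openid.aol.test@evil.test/server"))
    print(evaluate_login("https://bob.openid.ispamyou.test/", "https://openid.ispamyou.test/login"))
```

The host comparison goes through `urlparse().hostname` rather than string matching so that a redirect whose URL merely contains the trusted name (in the userinfo part, or as a prefix of a longer hostname) is not mistaken for the genuine endpoint, and the policy keeps the "outsource stronger authentication" option open by letting a conditional provider in only when it asserts one of the strong methods.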
In the meantime, OpenID is just a convenience, both for users and for site administrators who don't need to be in the business of managing a lot of unnecessary sensitive information.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Microsoft, for instance, has long advocated the use of smart cards and hopes to drive their adoption with the launch of its Identity Lifecycle Manager 2007, introduced at RSA. The software will make it easier for users to integrate strong authentication technologies into Microsoft networks, and you can expect smart card support through OpenID as well.