Authentication vs. Trust

By Larry Seltzer  |  Posted 2007-02-20

It's important to note, as has Brad Fitzpatrick of LiveJournal, the inventor of OpenID, that OpenID does not specify an authentication method. You don't need to use passwords or thumbprints or any other specific method. Fitzpatrick cites examples he's seen using Kerberos, voice prints and numerous other obscure Internet authentication standards.

This flexibility undoubtedly engendered confidence in Microsoft and other vendors who are moving to support OpenID. Authentication is not the same as trust. A service provider might choose to trust users authenticated through biometrics more than those authenticated through passwords.

Microsoft, for instance, has long advocated the use of smart cards and hopes to drive their adoption with the launch of its Identity Lifecycle Manager 2007, introduced at RSA. The software will make it easier for users to integrate strong authentication technologies into Microsoft networks, and you can expect smart card support through OpenID as well.

And stronger authentication will definitely be necessary. The OpenID community is discussing the substantial potential for phishing of IDs. See this blog and this wiki for discussions.

Here's the short form: You go to a malicious site and it asks you to log in with your OpenID. Instead of redirecting you to the real identity provider (IP) for your OpenID, it redirects you to a fake version of that site (perhaps employing phish-enabling vulnerabilities such as these) which asks you for your password, and you give it.

There are many ways such attacks could be fought, and they are discussed on the wiki on the subject. One simple idea is to do what VeriSign does on its identity provider site, which is to have the user choose a graphic that the site then displays whenever the user logs in. This technique, identical to Bank of America's SiteKey, proves to the user that the VeriSign site is what it claims to be, but it still puts the onus on the user to recognize that the graphic is missing when it is.
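As an added illustration, not code from the article or from VeriSign, Bank of America or any OpenID library, the following Python sketch models the phishing flow described above together with the per-user image check: the real identity provider shows the user's chosen image after the username alone, the lookalike page that a malicious site redirects to has no user database and so cannot, and the check only helps when the user actually notices that the image is missing. Every class name, function name, user record and image filename here is constructed for the example.

```python
"""Constructed simulation of the OpenID phishing scenario and a
SiteKey-style anti-phishing image on the identity provider's login page.
Added example; names (IdentityProvider, LookalikeProvider, user_login,
sailboat.png, ...) are invented for the illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    sitekey_image: str   # image the user picked at enrolment (constructed)


class IdentityProvider:
    """The genuine OpenID identity provider (the article's 'IP')."""

    ITERATIONS = 100_000

    def __init__(self) -> None:
        self.users: Dict[str, UserRecord] = {}

    def enrol(self, username: str, password: str, sitekey_image: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self.users[username] = UserRecord(salt, digest, sitekey_image)

    def begin_login(self, username: str) -> Optional[str]:
        """Step 1: given only the username, show that user's own image so the
        user can confirm the site before typing a password."""
        rec = self.users.get(username)
        return rec.sitekey_image if rec else None

    def finish_login(self, username: str, password: str) -> bool:
        """Step 2: verify the password with a constant-time comparison."""
        rec = self.users.get(username)
        if rec is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec.salt, self.ITERATIONS)
        return hmac.compare_digest(candidate, rec.password_hash)


class LookalikeProvider:
    """A copy of the provider's login page that a malicious relying party
    redirects to. It has no user database, so it cannot show the image."""

    def __init__(self) -> None:
        self.captured: List[Tuple[str, str]] = []

    def begin_login(self, username: str) -> Optional[str]:
        return None   # no per-user image available

    def finish_login(self, username: str, password: str) -> bool:
        self.captured.append((username, password))
        return True   # report success so the victim notices nothing


def user_login(provider, username: str, password: str,
               remembered_image: str, attentive: bool) -> bool:
    """Model of the user's side. Returns True if the password was typed in.

    An attentive user refuses to continue when the image shown after the
    username is missing or wrong; an inattentive one types the password
    regardless, which is exactly the residual risk the article points out."""
    shown = provider.begin_login(username)
    if attentive and shown != remembered_image:
        return False
    provider.finish_login(username, password)
    return True


if __name__ == "__main__":
    real = IdentityProvider()
    real.enrol("alice", "correct horse", "sailboat.png")
    fake = LookalikeProvider()
    print("real IP, attentive:", user_login(real, "alice", "correct horse", "sailboat.png", True))
    print("fake IP, attentive:", user_login(fake, "alice", "correct horse", "sailboat.png", True))
    print("fake IP, inattentive:", user_login(fake, "alice", "correct horse", "sailboat.png", False))
    print("captured by fake IP:", fake.captured)
```

Run as a script, the attentive user stops at the lookalike page because no image comes back, while the inattentive user hands the password to it; the difference between those two runs is the whole strength and the whole weakness of the image check.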

I've wondered how far you could go with OpenID. It's one thing to use it for blogs and social networking sites, but could or your bank ever allow you to log on with an OpenID? We are, at the very least, a long way from that. But perhaps it could happen.


One way I could imagine it working is for sites to discriminate between OpenID identity providers. They might trust AOL, for example, but not In fact, OpenID might turn into a way for sites to require even stronger authentication than they now have and outsource the process.

In the meantime, OpenID is just a convenience, both for users and for site administrators who don't need to be in the business of managing a lot of unnecessary sensitive information.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
