Full Disclosure mailing list archives
Re: OpenID. The future of authentication on the web?
From: Paul Schmehl <pauls () utdallas edu>
Date: Sun, 23 Mar 2008 18:53:10 -0500
--On March 23, 2008 4:16:28 PM -0700 Steven Rakick <stevenrakick () yahoo com> wrote:
Many of you have brought up that OpenID is vulnerable to phishing and have highlighted weaknesses specific traditional username/password authentication. This was the main reason I bought up Information Cards in my original post. I've noticed that Beemba (http://www.beemba.com) and MyOpenID (http://www.myopenid.com) have both implemented Information Cards as an authentication option. Good idea? It seems to me that if you were to rely on Information Cards as opposed to username/password the phishing angle is mitigated. Is this not the case?
Beemba doesn't appear to have any online FAQ or help. MyOpenID points to further information which leads to this: "With OpenID, you don’t have to sign up and create a new account for each site that supports OpenID – you can just use the identity you already have. Hundreds of millions of OpenIDs already exist, and it is likely that you already have one from a service you use." Nice to know that someone is creating identities for me without my knowledge. With an ethical stance like that, why should I trust them to make my ID secure as well? I don't see any information at all about Information Cards. Perhaps you could provide a link? Paul Schmehl (pauls () utdallas edu) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: OpenID. The future of authentication on the web? Steven Rakick (Mar 23)
- Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 23)
- Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 24)
- <Possible follow-ups>
- Re: OpenID. The future of authentication on the web? Steven Rakick (Mar 23)
- Re: OpenID. The future of authentication on the web? Steven Rakick (Mar 24)
- Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 24)