Full Disclosure mailing list archives
Re: OpenID. The future of authentication on the web?
From: Paul Schmehl <pauls () utdallas edu>
Date: Sun, 23 Mar 2008 19:01:00 -0500
--On March 23, 2008 7:20:55 PM -0400 Larry Seltzer <Larry () larryseltzer com> wrote:
It's worth pointing out that some OpenID providers are better than others. An OpenID provider could implement 2-factor authentication, and some have (http://www.infrastructure.ziffdavisenterprise.com/c/a/Blogs/OpenID-In-Hardware/), or other features which could strengthen it.
Yes, but you're still placing your trust, for all the most important information about yourself, in the hands of a third party. That third party's reputation relies on being able to deny a breach of their systems, so their primary motivation would not be to help you solve your problem but to deny that it was caused by them. Insisting, for example, that you used the system incorrectly is a favored tactic of providers who offer similar decoupled authentication schemes.

Given the choice between placing that trust in *one* provider, potentially exposing everything about myself, I think a system that relies on *me* to release my information voluntarily when I choose makes more sense from a security perspective. IOW, it is the owner of the data that should retain absolute control over that data. (And no, credit card companies don't own my data. Nor do merchants. I do. They have a responsibility to handle my data with the utmost care, and if they fail in their duty to protect, I have the ability to refuse to any longer do business with them.)

I understand the attractiveness of not having to remember lots of IDs and passwords, but when you give up control of your data, you give up control of your future.

Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- OpenID. The future of authentication on the web? Steven Rakick (Mar 23)
- Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 23)
- Re: OpenID. The future of authentication on the web? fabio (Mar 23)
- Message not available
- Re: OpenID. The future of authentication on the web? Kern (Mar 23)
- Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 23)
- Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 23)
- Re: OpenID. The future of authentication on the web? reepex (Mar 23)
- Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 24)
- Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 23)
- Re: OpenID. The future of authentication on the web? Larry Seltzer (Mar 23)
- Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 23)
- Re: OpenID. The future of authentication on the web? Larry Seltzer (Mar 23)
- Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 23)
- Re: OpenID. The future of authentication on the web? Larry Seltzer (Mar 23)
- Re: OpenID. The future of authentication on the web? Pedro Hugo (Mar 24)
- Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 24)
- Re: OpenID. The future of authentication on the web? reepex (Mar 23)
- Re: OpenID. The future of authentication on the web? Kurt Buff (Mar 23)
- Re: OpenID. The future of authentication on the web? John C. A. Bambenek, GCIH, CISSP (Mar 24)
- Re: OpenID. The future of authentication on the web? Larry Seltzer (Mar 24)
- Re: OpenID. The future of authentication on the web? John C. A. Bambenek, GCIH, CISSP (Mar 24)
- Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 24)