Hardware Based OpenID Service Available
An anonymous reader writes "TrustBearer Labs has announced a new service that lets you use various hardware based security tokens like smartcards and biometric devices with OpenID. A hardware based connection to OpenID allows higher levels of security and makes it easier for the end-user to control their credentials. OpenID is a decentralized cross-site authentication system that has been gaining momentum for quite a while now with major supporters like AOL, Google and Microsoft already announced."
I believe this already exists with VeriSign's PIP https://pip.verisignlabs.com/ . In this you have a hardware key that rotates its numbers every 30 seconds.
Isn't this like a MAC ID in a rudimentary sense? Aren't those already spoofed? I'm debating whether my tinfoil hat should or shouldn't be on, or whether I should call this one for skepticism.
I can appreciate the notion of a hardware dongle of some kind to prove you are you, but right away I can see an easy way around it.
Once the key has been reverse-engineered, a software emulation thereof can be constructed, and a bit of clever hacking could substitute the software for the hardware.
Consider MAC address spoofing for what I see as a corollary.
Imagine a Beowulf cluster of them (shudder)
In Soviet Russia, biometrics validate YOU
Sorry, I can't think of a Natalie Portman joke. I guess I fail it.
Paypal has been offering tokens for a while now (for $5). And they work with Verisign's Personal Identity Provider service.
So for $5 you can get a little "football" of a token that will work as an OpenID login for any site that supports open ID.
Doesn't this create a new privacy problem much like search data? How likely are companies providing the authentication services to create logs of which sites you login to? It is one thing to know what I search on but it is even more invasive to know which sites I actively login to.
I have a VeriSign Personal Identity Provider (PIP) which is free as an OpenID identifier, but unfortunately OpenID isn't much available today. However, I would be willing to get a Security Token from VeriSign if I relied on my OpenID to access most of my Internet accounts.
1. Find out there's a new emerging standard
2. Get involved using overwhelming marketshare
3. Introduce proprietary fucked-up implementation
4. Profit
same old story...
This is something I was trying to explain the last time OpenID came up on Slashdot. Because authentication isn't done by the websites and web applications themselves, it means users can shop around for an authentication system that suits them, and none of the websites or web applications that you log into need worry about it. If/when OpenID starts to become mainstream, I'd expect to see a lot of interesting work done on authentication. A hardware scheme like this isn't feasible if you have to persuade each individual website and web application provider to implement it.
So, when can we log into Slashdot with our OpenIDs? Has there been any word on the subject at all from Taco et al?
As long as the OpenID provider (the party that provides the identity by utilizing an authentication mechanism) can access the REMOTE_USER env variable or something equivalent, it can perform its duty normally. I think it is really not important whether there is username/password based authentication or PKI authentication using soft tokens or hardware crypto tokens or biometric authentication or one time passwords or whatever else. It is up to the implementor of the service to decide what kind of authentication will be used according to his/her requirements. Using an external authentication mechanism can slightly perplex the situation on how logout is performed (as it is dependent on the auth mechanism) or on how attribute based authorization is being carried out.
But overall it gives great flexibility to the implementor because he/she can lay out a scheme where existing authentication/authorization infrastructures (like an institution's LDAP for example) can be used in a cross platform way to offer web based identity.
AFAIK, TrustBearer does not use Paypal's token; it uses a smartcard that requires drivers.
It uses a tiny browser plugin (~1MB) that supports an array of devices. More devices can be added on the backend w/o messing with the plugin. You install a plugin for flashy stuff, why not one to support security devices? Example of how this plugin is different from what else is out there:
* Get middleware stack that's about 10-50MB big (likely Windows-only)
* Hook up PKCS11 module to your browser (or) hook up CSP for *shudder* IE
* ... be stuck with that gargantuan stack for one device...
Plugin:
* Get browser extension ~1MB (cross-platform/cross-browser)
* Go to sites that use it and "It Just Works"
I worry whenever I see the word 'trust' juxtaposed with OpenID. I worry that organizations will misuse OpenID, and ignore its purpose: only provide an identification for a person, nothing else. It doesn't certify the person's character, background, politics, or financial base. If I say that I am user@server, then OpenID is just a bit of evidence supporting that. That's all.
Consider this TrustBearer Live / OpenID as Self-Service PKI for the everyman. More of the PK, less of the I.
Call me old fashioned, but I like the idea of not having to use central authentication to log into websites. What if my OpenID information is compromised? If each site has its own authentication, I can use separate usernames and passwords to safeguard my accounts. If one is compromised, then only the account at that site is at risk. But if my OpenID information is compromised, then others can log into any site that uses my OpenID information.
I would like to use OpenID as a "single sign on" solution for a wide range of services. The problem I see right now is that it's only viable for web based services. Does the OpenID technology have a way (or is planning one) to authenticate when the client is something other than a web browser? I'm thinking things like IMAP/SMTP mail, console mode login (ssh/telnet), etc. etc.
It's true -- extra software is needed...but the same is true of any peripheral connected to your computer.
Any cryptographic device will need to be attached to the computer, and software will need some way to talk to it. Since the VeriSign/PayPal token is a one-time password token, the back-end "shares a secret" with the token, no direct communication between that device and the computer is necessary, except through you via keyboard input.
However, with a smart card or other security device, the private keys cannot leave the device, and don't exist on a server anywhere. To prove that you "own" the certificate that you present, you encipher some data with that private key, which the OpenID provider then deciphers with your public key. If it's the same data that it sent you, then you own the key and you are authenticated.
Regarding installing "extra software", most card readers have drivers in Windows update, and are standards-compliant so they work out of the box on Mac/Linux. So installing the "extra software" involves clicking "Next" a few times, then "Finish" the first time you plug your reader in...sort of like what you would expect the first time you plug any regular USB storage drive into your computer.
I just got a new Kinesis keyboard so please excuse any egregious typos.
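The two authentication models the post above contrasts, as an added example that is not TrustBearer's, VeriSign's or PayPal's code: a shared-secret one-time-password token (RFC 6238 TOTP over 30-second windows, verified by a provider that holds the same seed) beside a challenge-response login where the private key is generated on the device and the provider keeps only the public key. The seed is the RFC 4226/6238 test-vector string, the card is modelled with an in-process ECDSA P-256 key, and the function and type names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// ---- Model 1: one-time-password token (the VeriSign/PayPal "football") ----
// Token and back-end hold the same secret. Every 30 seconds the token shows a
// code derived from that secret and the clock; the user types it in, so the
// device never talks to the computer. RFC 6238 TOTP with RFC 4226 dynamic
// truncation, six digits.

func totp(secret []byte, unixTime int64) int {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30)) // 30-second window
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return int(code % 1000000)
}

// verifyOTP is the provider side: recompute the code for the current window
// and the previous one (clock drift) and compare with what was typed.
func verifyOTP(secret []byte, typed int, unixTime int64) bool {
	for _, t := range []int64{unixTime, unixTime - 30} {
		if totp(secret, t) == typed {
			return true
		}
	}
	return false
}

// ---- Model 2: smart card / crypto token with a non-exportable key ----
// The private key is generated on the device and never leaves it; the
// provider stores only the public key (from the user's certificate). To log
// in, the provider sends a fresh random challenge, the card signs it, and the
// provider checks the signature. No secret is stored on any server.

type smartCard struct {
	priv *ecdsa.PrivateKey // stays inside the device
}

func newSmartCard() (*smartCard, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &smartCard{priv: k}, nil
}

// Public is what the user presents to the provider at enrollment.
func (c *smartCard) Public() *ecdsa.PublicKey { return &c.priv.PublicKey }

// Sign is the only operation the card exposes; the key itself is never read.
func (c *smartCard) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// newChallenge is issued by the provider; a fresh random value per login
// attempt is what prevents a captured response from being replayed later.
func newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// verifyChallenge is the provider's check against the enrolled public key.
func verifyChallenge(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	// Seed from the RFC 4226/6238 test vectors (constructed input, not a real token secret).
	seed := []byte("12345678901234567890")
	now := int64(59)
	code := totp(seed, now)
	fmt.Printf("OTP for window %d: %06d, accepted: %v\n", now/30, code, verifyOTP(seed, code, now))

	card, err := newSmartCard()
	if err != nil {
		panic(err)
	}
	chal, err := newChallenge()
	if err != nil {
		panic(err)
	}
	sig, err := card.Sign(chal)
	if err != nil {
		panic(err)
	}
	fmt.Println("challenge-response accepted:", verifyChallenge(card.Public(), chal, sig))
}
```

The contrast the post draws is visible in what each verifier needs: verifyOTP must hold the seed, so a provider database breach exposes every token it serves, while verifyChallenge holds only public keys, and the signature it accepts is bound to a challenge the provider just generated.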
Don't worry, it doesn't work in any case. Last time OpenID was on Slashdot I went straight to the OpenID website and got myself an OpenID from one of its recommended partners. I then went to another OpenID website partner and tried my OpenID and guess what - that's right, it had never heard of me. Now I know I can be very stupid at times, but I read the OpenID homepage and I did what I was told, and I thought I understood that you register once and you get to play in lots of different places without registering again, but I still appear to have to sign up for every individual OpenID website, so can anyone please explain to me what the point of OpenID is?
:)
I really want to know. Now before I get modded offtopic, let me just say that I don't see the point in a hardware version of something for which I can't fathom a use in software or hardware and so obviously, that being the case, there wasn't much point in me reading TFA
When I read this story, I decided to get my Thinkpad fingerprint reader working.
So ThinkFinger stores 3 copies of what my finger looks like on my local PC. That makes sense for auth on a local machine. How does this work on an enterprise scale? Are the fingerprint details sent to a remote central storage system which then confirms a match?
If that assumption is correct, how would OpenID-enabled websites work with that? Would your account somehow point to your OpenID "provider" which would have your fingerprint to confirm authentication against? Would the fingerprint go just from the PC you are at to the OpenID provider, which will say, "Yes, it's good" or go via the website first?
With such a single sign-on system, if it did go to the website first, wouldn't there be a danger of some "bad" (or compromised) website storing my fingerprint? I know I don't have my head around how this all works just yet - any good explanation of the technical details? The overview doesn't help much there.
Sounds like something wrong with that site. I use my LiveJournal OpenID to leave comments on other blogs, without having to sign up for a new account at every single blog host.
If you allow users to log onto a blog or forum via openID, spammers get to avoid the captcha.
No, you can still make OpenID users type in a captcha if you wish.
So you're forced to grant openID users the same privileges as anonymous posters.
The difference is that the person I'm replying to knows I own that OpenID account, rather than me just being a random anonymous person.
Zero gains here, at best OpenID can prevent a user from filling in a couple of text boxes when registering with a site.
Well that is the point, and it's more like fill in multiple text boxes, provide my email address, wait for email to arrive (or possibly wait ages for account to be approved), click on link, then finally be allowed to leave a comment, which by now I've probably forgotten.
Do that on every single site, just to leave a comment? In practice, I give up and don't bother.
If you don't value your time, then yes, there are zero gains.
And I note you couldn't be bothered to register with Slashdot, so obviously you don't think it's just a "couple of text boxes"...
Yeah, that's how the TPMs work that you can (could?) find in a lot of biz laptops. Great for certifying connections being made from a specific laptop, or for the paranoid being made while that laptop is running.
It relies on providers cooperating with each other - clearly the sites the other poster tried had not agreed to share users. You're going to need multiple OpenIDs anyway.. some of which will be chargeable (this much is admitted on the OpenID site.. you can bet VeriSign are itching to charge a fortune for 'secure' OpenIDs and charge double for 'super secure assured' OpenIDs).
Saying the users from one blog work on another blog isn't saying much. When I can log into slashdot and my bank with the same ID then there's a single signon system (not that that's necessarily a good idea, but it's just an example).
The difference is that the person I'm replying to knows I own that OpenID account, rather than me just being a random anonymous person.
No, it knows nothing. OpenID has no trust, so they could have just visited http://www.jkg.in/openid/ and generated one for that purpose.
OpenID says zero about who you really are. You are an anonymous user - which is why it would be crazy for a site which previously required registration to allow OpenID users to post simply based on the existence of that token. You're going to have to registry/verify your email/etc. *as well* so you've gained nothing.
Saying the users from one blog work on another blog isn't saying much. When I can log into slashdot and my bank with the same ID then there's a single signon system
Well Slashdot is just another blog (in the sense of "forum that I might want to leave comments on"). Yes it would be good if more blog hosts and websites supported it, but that's a problem with lack of support, not a problem with OpenID itself. Hopefully support will grow in time. Slashdot isn't the be all and end all of websites.
My bank has its own set of login methods that are much more secure than simply typing in a password, so I wouldn't expect it to support OpenID. I'm not sure why you think being able to identify yourself on a range of different sites is useless, just because there exists one site that still has its own system.
I know that, that doesn't change the point, I just wasn't explicitly clear. I wouldn't expect a site that previously refused anonymous comments to allow OpenID - but that doesn't mean OpenID is useless, or that all OpenID comments are equivalent to an anonymous one. Yes, OpenID means that the person replying has been authenticated by that URL. Yes, OpenID should by default be given the same privileges as "anonymous" comments, because you could have an OpenID server that is open to anyone.
This is no different to email. You could set up an email server that allows anyone to access it. But that doesn't mean that _all_ email accounts are run this way. If I receive an email from myfriend@myfriend'semailthatIknow, I can know it's from him, or someone he's given permission to use it. Yes, there is still the possibility that he's let someone else use his account, but this is a long way from saying that email accounts are useless and it's equivalent to people emailing you anonymously!
Similarly, if I know my friend owns that URL, then I do know that it will either be my friend, or someone he has allowed access to. Just because there exists some anonymiser OpenID server is no more relevant than an anonymous email server, because I'll know that the OpenID is from http://www.jkg.in/openid - you can't use it to spoof someone else's URL.
Also it is possible to give extra privileges to specific OpenID accounts, which you can't do with anonymous accounts. For example, I use OpenID to allow people on other blogs to read my "friends only" posts. Does the existence of http://www.jkg.in/openid mean that anyone can read those posts? Of course not.
Why is it they always neglect to mention how much they want to suck out of your pocket for their "latest achievement". Also beware, using the site requires you to trust their marketing droids to code java securely in order to get any details. I see nothing on the page that requires anything more complicated than standard HTML with hyper-links.
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
That's the 1-meg signed browser plugin that harningt was talking about...installing that is about as painful as installing Flash, and it works with IE, Firefox (Windows, Mac & Linux), and Safari.
Ah, I missed that, sorry - thanks.