Slashdot Mirror


Hardware Based OpenID Service Available

An anonymous reader writes "TrustBearer Labs has announced a new service that lets you use various hardware based security tokens like smartcards and biometric devices with OpenID. A hardware based connection to OpenID allows higher levels of security and makes it easier for the end-user to control their credentials. OpenID is a decentralized cross-site authentication system that has been gaining momentum for quite a while now with major supporters like AOL, Google and Microsoft already announced."

16 of 119 comments

  1. Anything like verasigns pip? by dns_server · · Score: 2, Informative

    I believe this already exists with VeriSign's PIP https://pip.verisignlabs.com/ . In this you have a hardware key that rotates its numbers every 30 seconds.

    1. Re:Anything like verasigns pip? by cybereal · · Score: 2, Interesting

      I have this verisign pip setup and have a key. It is essentially human delivered asymmetrical authentication. It's great security; plus, it works with the $5 keyfob from PayPal!

      --
      I read the script, and I think it would help my character's motivation if he was on fire. -Bender
    2. Re:Anything like verasigns pip? by Jeffrey+Baker · · Score: 4, Informative

      That's really not the same at all. With a SmartCard your keys and certs are in your physical control. The key or cert never leaves the card, and crypto operations also are done on the card. With VeriSign, VeriSign enslaves your identity. They own it, and you have to use the RSA token readout to get VeriSign to unlock your identity temporarily. These are fundamentally different operating principles.

    3. Re:Anything like verasigns pip? by jbastress · · Score: 2, Informative

      I'm not sure if you're referring to the TrustBearer Security Token for sale on the site (which is /not/ the only supported device...for example, all US-govt PIV and CAC cards will work), or the PayPal device...but as this seems to be a common misconception, I'd like to clear this up.

      The TrustBearer Security Key is a cryptographic device (with drivers on Windows update) that goes in a USB port. It uses asymmetric cryptography to decrypt a nonce sent by the provider to prove that the user owns the public key associated with the account. It is for all practical purposes a smart card and reader combined.

      The PayPal/RSA SecurID/VeriSign token is a one-time password (OTP) device. It shows a different number every n seconds, which you type in along with your username and password to authenticate. As harningt mentioned in another thread, such devices could in principle be supported by the TrustBearer framework if there was significant demand, but it is currently geared towards asymmetric challenge-response authentication.
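
The asymmetric challenge-response flow jbastress describes (and harningt's "cryptographic challenge-response so you keep a private key" below), as an added illustration that is not TrustBearer's code or anything from the article. It uses an Ed25519 signature over a random nonce rather than the RSA decrypt-a-nonce step the comment mentions, since signing is the form of the proof a provider should ask for; the Token/Provider types, the account name "alice" and the single-use nonce table are all assumptions of this example:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Token stands in for the smart card / USB key: the private key is generated
// inside it and the only operation it exposes is signing a challenge.
type Token struct {
	priv ed25519.PrivateKey
}

// NewToken generates a keypair "on the card" and hands back only the public
// half for enrollment with the provider.
func NewToken() (*Token, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv}, pub, nil
}

// Sign is the on-card crypto operation; the private key never leaves Token.
func (t *Token) Sign(challenge []byte) []byte {
	return ed25519.Sign(t.priv, challenge)
}

// Provider stands in for the OpenID provider (hypothetical, not TrustBearer's):
// one public key per account plus a set of outstanding single-use challenges.
type Provider struct {
	mu       sync.Mutex
	accounts map[string]ed25519.PublicKey
	pending  map[string]string // hex(nonce) -> account it was issued to
}

func NewProvider() *Provider {
	return &Provider{
		accounts: make(map[string]ed25519.PublicKey),
		pending:  make(map[string]string),
	}
}

// Enroll records the public key that proves ownership of an account.
func (p *Provider) Enroll(account string, pub ed25519.PublicKey) {
	p.mu.Lock()
	defer p.mu.Unlock()
	p.accounts[account] = pub
}

// Challenge issues a fresh 32-byte random nonce bound to the account.
func (p *Provider) Challenge(account string) ([]byte, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if _, ok := p.accounts[account]; !ok {
		return nil, errors.New("unknown account")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	p.pending[hex.EncodeToString(nonce)] = account
	return nonce, nil
}

// Verify checks the token's response. The nonce is consumed whether or not the
// signature is good, so a captured response cannot be replayed later.
func (p *Provider) Verify(account string, nonce, sig []byte) error {
	p.mu.Lock()
	defer p.mu.Unlock()
	key := hex.EncodeToString(nonce)
	owner, ok := p.pending[key]
	if !ok || owner != account {
		return errors.New("challenge unknown, expired or already used")
	}
	delete(p.pending, key)
	if !ed25519.Verify(p.accounts[account], nonce, sig) {
		return errors.New("response does not verify against the enrolled key")
	}
	return nil
}

func main() {
	tok, pub, err := NewToken()
	if err != nil {
		panic(err)
	}
	p := NewProvider()
	p.Enroll("alice", pub) // constructed sample account
	nonce, _ := p.Challenge("alice")
	fmt.Println("first response:   ", p.Verify("alice", nonce, tok.Sign(nonce)))
	fmt.Println("replayed response:", p.Verify("alice", nonce, tok.Sign(nonce)))
}
```

The provider only ever stores public keys, which is the property Jeffrey Baker's reply is getting at: a breach of the provider's database yields nothing that can be used to log in, and a token whose private key cannot be exported cannot be cloned by copying a file.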

  2. Emulation? by KublaiKhan · · Score: 2, Insightful

    I can appreciate the notion of a hardware dongle of some kind to prove you are you, but right away I can see an easy way around it.

    Once the key has been reverse-engineered, a software emulation thereof can be constructed, and a bit of clever hacking could substitute the software for the hardware.

    Consider MAC address spoofing for what I see as a corollary.

    --
    In Xanadu did Kubla Khan
    A stately pleasure dome decree
    1. Re:Emulation? by un1xl0ser · · Score: 2, Informative

      If the hardware device is any good, it isn't relying on the obscurity of the algorithm as its security strength. It should be able to stand up to an attack even with a significant (hundreds of thousands) number of known tokens. If that is the case, then you need the seed (IV) of the token you want to impersonate in order to do any damage. That key should be protected like a regular key, and should be resistant to tampering (i.e. potted, designed to fail if it is tampered with).

      Now most sites that would be doing this will be using SSL with certificates signed by a 'respected' cert provider. If that is the case, the likelihood of getting enough tokens to launch an attack is greatly reduced.

      So put away the tin-foil hat. This isn't a MAC address. :-)

      --
      v4sw6PU$hw6ln6pr4F$ck 4/6$ma3+6u7LNS$w2m4l7U$i2e4+7en6a2X h
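
The OTP side of the thread (dns_server's key that "rotates its numbers every 30 seconds" and un1xl0ser's point that everything rests on the seed), as an added example that is not from any of the posters or from VeriSign/RSA/PayPal. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1 and a verifier that tolerates one step of clock skew and refuses to accept a code twice; the seed is the RFC test-vector key, a constructed value, and the Verifier type is this example's own:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// HOTP implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation, then reduction to the requested number of digits.
func HOTP(seed []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := uint32(h[offset]&0x7f)<<24 |
		uint32(h[offset+1])<<16 |
		uint32(h[offset+2])<<8 |
		uint32(h[offset+3])
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// TOTP implements RFC 6238: the counter is the number of whole time steps
// since the Unix epoch, which is what makes the display change every 30 s.
func TOTP(seed []byte, unixTime, step int64, digits int) string {
	return HOTP(seed, uint64(unixTime/step), digits)
}

// Verifier is the server side. It holds the same seed the token holds, which
// is exactly why that seed must be guarded: anyone who has it computes the
// same codes. It also remembers the last accepted step so a code cannot be
// submitted a second time inside the acceptance window.
type Verifier struct {
	seed        []byte
	step        int64
	digits      int
	lastCounter int64
}

func NewVerifier(seed []byte, step int64, digits int) *Verifier {
	return &Verifier{seed: seed, step: step, digits: digits, lastCounter: -1}
}

// Check accepts the code for the current step or one step on either side
// (clock skew), compares in constant time, and rejects any step at or before
// the last one accepted.
func (v *Verifier) Check(code string, unixTime int64) bool {
	current := unixTime / v.step
	for skew := int64(-1); skew <= 1; skew++ {
		c := current + skew
		if c < 0 || c <= v.lastCounter {
			continue
		}
		want := HOTP(v.seed, uint64(c), v.digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastCounter = c
			return true
		}
	}
	return false
}

func main() {
	// Constructed seed: the RFC 4226/6238 test-vector key, not a real device seed.
	seed := []byte("12345678901234567890")
	fmt.Println("code now:", TOTP(seed, time.Now().Unix(), 30, 6))
	v := NewVerifier(seed, 30, 6)
	fmt.Println("accepted:", v.Check(TOTP(seed, 59, 30, 6), 59)) // true
	fmt.Println("reused:  ", v.Check(TOTP(seed, 59, 30, 6), 59)) // false
}
```

Note the contrast with the smart-card flow: here the verifier's database holds the seeds themselves, so protecting that store (and the seed inside the fob's potted hardware) is the whole game, whereas a public-key provider stores nothing that can be used to impersonate the user.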
  3. Re:Tell me sales man by sm62704 · · Score: 3, Funny

    Imagine a Beowulf cluster of them (shudder)

    In Soviet Russia, biometrics validate YOU

    Sorry, I can't think of a Natalie Portman joke. I guess I fail it.

    --
    mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
  4. Privacy Problem by jswinth · · Score: 2, Interesting

    Doesn't this create a new privacy problem much like search data? How likely are companies providing the authentication services to create logs of which sites you login to? It is one thing to know what I search on but it is even more invasive to know which sites I actively login to.

  5. Re:Mac ID? by harningt · · Score: 2, Informative

    Erm... MAC ID is non-changing... In a simple example of how this works, it does a cryptographic challenge-response so you keep a private key...

  6. Decoupled authentication by Bogtha · · Score: 4, Informative

    This is something I was trying to explain the last time OpenID came up on Slashdot. Because authentication isn't done by the websites and web applications themselves, it means users can shop around for an authentication system that suits them, and none of the websites or web applications that you log into need worry about it. If/when OpenID starts to become mainstream, I'd expect to see a lot of interesting work done on authentication. A hardware scheme like this isn't feasible if you have to persuade each individual website and web application provider to implement it.

    So, when can we log into Slashdot with our OpenIDs? Has there been any word on the subject at all from Taco et al?

    --
    Bogtha Bogtha Bogtha
  7. REMOTE_USER by thanasakis · · Score: 3, Interesting

    As long as the openid provider (the party that provides the identity by utilizing an authentication mechanism) can access the REMOTE_USER env variable or something equivalent, it can perform its duty normally. I think it is really not important whether there is username/password based authentication or PKI authentication using soft tokens or hardware crypto tokens or biometric authentication or one time passwords or whatever else. It is up to the implementor of the service to decide what kind of authentication will be used according to his/her requirements. Using an external authentication mechanism can slightly perplex the situation on how logout is performed (as it is dependent on the auth mechanism) or on how attribute based authorization is being carried out.

    But overall it gives great flexibility to the implementor because he/she can lay out a scheme where existing authentication/authorization infrastructures (like an institution's LDAP for example) can be used in a cross platform way to offer web based identity.

  8. OpenID for non web clients? by IGnatius+T+Foobar · · Score: 2, Interesting

    I would like to use OpenID as a "single sign on" solution for a wide range of services. The problem I see right now is that it's only viable for web based services. Does the OpenID technology have a way (or is planning one) to authenticate when the client is something other than a web browser? I'm thinking things like IMAP/SMTP mail, console mode login (ssh/telnet), etc. etc.

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
  9. Re:Security risks? by sloth+jr · · Score: 2, Insightful

    Agreed. However, I think in practice, most users use only one or two passwords to login to the vast majority of websites. OpenID thus seems to simply codify this "truism", if I'm on-base. While a centralized password might make mass ownage of websites possible, it should also be simple to shutdown that account across a wide swath of websites more or less instantly.

    sloth jr

  10. Re:Security risks? by CSMatt · · Score: 2, Interesting

    True, but that relies on the original account holder to know that they have been compromised to begin with. Given the number of identity fraud victims that don't even know that they are victims until it's too late (although I would imagine that number has gone down in recent years with recent awareness of identity fraud), it's not too hard to imagine that there are several account holders online who don't even know that someone has guessed their password, especially if the account holder has abandoned the site (one-time purchases and such).

  11. Re:Security risks? by Aladrin · · Score: 2, Insightful

    And nobody is stopping you from doing that. Get multiple OpenIDs. Get them from different providers, if you like. You can still do it your way while the lazy ones (me included) use single sign-on and make our lives a little simpler.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  12. Re:itsatrap by Tony+Hoyle · · Score: 2, Interesting

    The difference is that the person I'm replying to knows I own that OpenID account, rather than me just being a random anonymous person.

    No, it knows nothing. OpenID has no trust, so they could have just visited http://www.jkg.in/openid/ and generated one for that purpose.

    OpenID says zero about who you really are. You are an anonymous user - which is why it would be crazy for a site which previously required registration to allow OpenID users to post simply based on the existence of that token. You're going to have to register/verify your email/etc. *as well* so you've gained nothing.