{"id":1003,"date":"2008-08-11T15:08:06","date_gmt":"2008-08-11T23:08:06","guid":{"rendered":"\/?p=1003"},"modified":"2008-08-12T07:44:26","modified_gmt":"2008-08-12T15:44:26","slug":"new-york-times-on-openid-and-information-cards","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=1003","title":{"rendered":"New York Times on OpenID and Information Cards"},"content":{"rendered":"<p>Randall Stross <a href=\"http:\/\/www.nytimes.com\/2008\/08\/10\/technology\/10digi.html?_r=1&amp;adxnnl=1&amp;oref=slogin&amp;partner=rssnyt&amp;emc=rss&amp;adxnnlx=1218492321-b0a\/sdG6S1dBdXI54qfhZg\" class=\"broken_link\">has a piece in the NYT <\/a>that\u00a0hits the\u00a0jackpot in\u00a0explaining to non-technical readers what&#39;s wrong with passwords and how Information Cards help:\u00a0\u00a0\u00a0\u00a0<\/p>\n<p style=\"padding-left: 30px;\">&#8220;I once felt ashamed about failing to follow best practices for password selection \u2014 but no more. Computer security experts say that choosing hard-to-guess passwords ultimately brings little security protection. Passwords won\u2019t keep us safe from identity theft, no matter how clever we are in choosing them.<\/p>\n<p style=\"padding-left: 30px;\">&#8220;That would be the case even if we had done a better job of listening to instructions. Surveys show that we\u2019ve remained stubbornly fond of perennial favorites like \u201cpassword,\u201d \u201c123456\u201d and \u201cLetMeIn.\u201d The underlying problem, however, isn\u2019t their simplicity. 
It\u2019s the log-on procedure itself, in which we land on a Web page, which may or may not be what it says it is, and type in a string of characters to authenticate our identity (or have our password manager insert the expected string on our behalf).<\/p>\n<p style=\"padding-left: 30px;\">&#8220;This procedure \u2014 which now seems perfectly natural because we\u2019ve been trained to repeat it so much \u2014 is a bad idea, one that no security expert whom I reached would defend.&#8221;<\/p>\n<p style=\"padding-left: 30px;\">&#8220;The solution urged by the experts is to abandon passwords \u2014 and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties\u2019 authenticity, using digital keys that we, as users, have no need to see.<\/p>\n<p style=\"padding-left: 30px;\">&#8220;In short, we need a log-on system that relies on cryptography, not mnemonics.<\/p>\n<p style=\"padding-left: 30px;\">&#8220;As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code&#8230;&#8221;<\/p>\n<p>Randall&#39;s piece\u00a0also\u00a0drills into\u00a0OpenID.\u00a0 Summarizing, he sees it as a password-based system, and therefore a diversion from what&#39;s really important:<\/p>\n<p style=\"padding-left: 30px;\">&#8220;OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else\u2019s Web site. Nevertheless, every few months another brand-name company announces that it has become the newest OpenID signatory. 
Representatives of <a title=\"More information about Google Inc\" href=\"http:\/\/topics.nytimes.com\/top\/news\/business\/companies\/google_inc\/index.html?inline=nyt-org\"><span style=\"color: #004276;\">Google<\/span><\/a>, <a title=\"More information about International Business Machines Corp\" href=\"http:\/\/topics.nytimes.com\/top\/news\/business\/companies\/international_business_machines\/index.html?inline=nyt-org\"><span style=\"color: #004276;\">I.B.M.<\/span><\/a>, <a title=\"More information about Microsoft Corp\" href=\"http:\/\/topics.nytimes.com\/top\/news\/business\/companies\/microsoft_corporation\/index.html?inline=nyt-org\"><span style=\"color: #004276;\">Microsoft<\/span><\/a> and <a title=\"More information about Yahoo Inc\" href=\"http:\/\/topics.nytimes.com\/top\/news\/business\/companies\/yahoo_inc\/index.html?inline=nyt-org\"><span style=\"color: #004276;\">Yahoo<\/span><\/a> are on OpenID\u2019s guiding board of corporations. Last month, when <a title=\"More articles about MySpace.com.\" href=\"http:\/\/topics.nytimes.com\/top\/news\/business\/companies\/myspace_com\/index.html?inline=nyt-org\"><span style=\"color: #004276;\">MySpace<\/span><\/a> announced that it would support the standard, the nonprofit foundation <a href=\"http:\/\/openid.net\/\" target=\"_\"><span style=\"color: #004276;\">OpenID.net<\/span><\/a> boasted that the number of \u201cOpenID enabled users\u201d had passed 500 million and that \u201cit\u2019s clear the momentum is only just starting to pick up.\u201d<\/p>\n<p style=\"padding-left: 30px;\">&#8220;Support for OpenID is conspicuously limited, however. Each of the big powers supposedly backing OpenID is glad to create an OpenID identity for visitors, which can be used at its site, but it isn\u2019t willing to rely upon the OpenID credentials issued by others. You can\u2019t use Microsoft-issued OpenID at Yahoo, nor Yahoo\u2019s at Microsoft.<\/p>\n<p style=\"padding-left: 30px;\">&#8220;Why not? 
Because the companies see the many ways that the password-based log-on process, handled elsewhere, could be compromised. They do not want to take on the liability for mischief originating at someone else\u2019s site.<\/p>\n<p>Randall is right that when people use passwords to authenticate to their OpenID provider, the system is vulnerable to many phishing attacks. But there&#39;s an important point to be made: these problems are caused by their use of passwords, not by their use of OpenID.<\/p>\n<p>When people authenticate to their OpenID provider in a reliable way &#8211; for example, by using Information Cards &#8211; the phishing attacks are no longer possible, as I <a href=\"\/wp-content\/images\/2008\/02\/OpenID\/Normal\/OpenIDPhish.html\" class=\"broken_link\">explain in this video<\/a>. At that point, it becomes a safe and convenient way to use a public persona.<\/p>\n<p>The question of whether and when large sites will accept the OpenIDs issued by <em>other<\/em> large sites is a more complicated one. I discussed a number of the issues <a href=\"\/?p=996\">here<\/a>. The problem is that for many applications, there needs to be a layer of governance on top of the basic identity technology. What happens when something goes wrong? Are there reliability and quality of service guarantees? If information is leaked, who is responsible? How is fiscal liability established? And by the way, we need to figure this out in order to use any federation technology, whether OpenID, SAML or WS-Trust.<\/p>\n<p>So far, these questions are being answered on an ad hoc basis, since there are no established frameworks. I think you can divide what&#39;s happening into two approaches, both of which make a lot of sense:<\/p>\n<p>First, there are relying parties that limit the use of OpenID to low-value resources. A great example is the French telecom company Orange. It will accept IDs from any OpenID provider &#8211; but just for free services. The approach is simply to limit use of the credentials to so-called low-value resources. Blogger and others use this approach as well.<\/p>\n<p>Second, there is the tack of using the protocol for higher-value purposes, but limiting the providers accepted to those with whom a governance agreement can be put in place. Microsoft&#39;s Health Vault, for example, currently accepts OpenIDs from two providers, and plans to extend this as it understands the governance issues better. I look at it as a very early example of a governance-oriented approach.<\/p>\n<p>I strongly believe OpenID moves identity forward. The issues of password attacks don&#39;t go away &#8211; in fact the vulnerabilities are potentially worse to the extent that a single password becomes the gate to more resources. But technologies like Information Cards will solve these problems. There is a tremendous synergy here, and that is the heart of the matter. Randall writes:<\/p>\n<p style=\"padding-left: 30px;\">&#8220;We won\u2019t make much progress on information cards in the near future, however, because of wasted energy and attention devoted to a large distraction, the OpenID initiative. 
&#8221;<\/p>\n<p>But I think this energy and attention will take us in the right direction as it shines the spotlight on the benefits and issues of identity, wagging identity&#39;s &#8220;long tail&#8221;.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Passwords seem perfectly natural &#8220;because we\u2019ve been trained to repeat them so much&#8221;<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[63,8,15,22,61],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1003"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1003"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1003\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1003"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1003"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1003"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}