Vittorio Bertocci

Scatter thoughts

myOpenID supports the creation of passwordless accounts

Ah joy. It's 12:31 AM on Sunday morning, hence I shouldn't be blogging: but I like the news, and it will take just a minute.

Back in June I blogged about SignOn.com, an OpenID provider that allows you to authenticate using personal cards side by side with traditional password support. In fact, while I was super happy to see the OpenID-CardSpace combination starting to deliver, I "complained" that a password was still a necessary step for setting up an account. IMHO (and only IMHO): a system is as secure as its weakest link; and while it's real handy to be able to use information cards for authenticating, as long as there is a way to access the same account via a shared secret I am vulnerable to the typical attacks associated with that. Say that somebody calls me and convinces me to reveal my username & password: my account is compromised, regardless of the fact that it has infrastructure in place for supporting CardSpace as well. Again: I recognize that going pure card-based authentication is a bold step, and that for acceptance it is absolutely reasonable to offer both methods. Back in June I applauded the SignOn guys for their work, and I maintain that position today.

That said, I was reading the latest post on Kim's blog, and there I learned that there is another OpenID provider that supports authentication via personal cards: it's myOpenID, by JanRain.

myOpenID does exactly what I was asking for: it allows me to create a new OpenID without having to establish any password. Let me repeat/rephrase it: I can create an account that can be accessed exclusively by using a personal card. That means that phishers can call me, or pretend to be the myOpenID site, until they are blue in the face: through those attack avenues they are not going to learn how to sign with the private key that my personal card uses for signing tokens for myOpenID. Since it is that very ability that is assessed at authentication time... BINGO :)
Ah guys, if you had come out just a few months earlier we would have included you in the book :-) Great job!
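The "weakest link" argument above, worked through as an added example (this is not code from the post, from myOpenID or from CardSpace). It models two accounts for the same user: one that keeps a password enrolled next to the card's public key, and one that is card-only. Ed25519 stands in for whatever signature scheme the card actually uses, the account names and the `hunter2` password are constructed, and `WeakestLink` is a hypothetical helper that replays the two attacks the post describes: talking the password out of the user, and a fake site capturing one signed login.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Account is a provider-side record. Password is nil for a card-only
// account: there is no shared secret on file that could ever be phished.
type Account struct {
	Name     string
	Password []byte
	CardKey  ed25519.PublicKey
}

// Challenge is the fresh nonce the provider issues for each login attempt.
type Challenge []byte

// NewChallenge draws 32 random bytes; a signature over one challenge is
// worthless against any other.
func NewChallenge() (Challenge, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return Challenge(c), err
}

var ErrDenied = errors.New("authentication denied")

// LoginWithPassword is the shared-secret path. It only exists for accounts
// that still have a password enrolled.
func LoginWithPassword(acct Account, presented []byte) error {
	if acct.Password == nil {
		return ErrDenied // card-only account: nothing to compare against
	}
	if subtle.ConstantTimeCompare(acct.Password, presented) != 1 {
		return ErrDenied
	}
	return nil
}

// LoginWithCard is the card path: the provider checks a signature over the
// challenge IT issued, under the public key enrolled at account creation.
func LoginWithCard(acct Account, ch Challenge, sig []byte) error {
	if acct.CardKey == nil || !ed25519.Verify(acct.CardKey, ch, sig) {
		return ErrDenied
	}
	return nil
}

// SignChallenge is what the personal card does with its private key. The
// key never leaves the card, so it cannot be read out over the phone.
func SignChallenge(priv ed25519.PrivateKey, ch Challenge) []byte {
	return ed25519.Sign(priv, ch)
}

// WeakestLink (hypothetical helper) runs both attacks from the post against
// both account types and reports whether each account falls.
func WeakestLink() (mixedFalls, cardOnlyFalls bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	// Constructed sample accounts sharing the same enrolled card key.
	mixed := Account{Name: "vittorio-mixed", Password: []byte("hunter2"), CardKey: pub}
	cardOnly := Account{Name: "vittorio-card-only", CardKey: pub}

	// Attack 1: the user was talked into revealing the password.
	phished := []byte("hunter2")
	mixedFalls = LoginWithPassword(mixed, phished) == nil
	cardOnlyFalls = LoginWithPassword(cardOnly, phished) == nil

	// Attack 2: a fake site got the card to sign ITS challenge. Replaying that
	// signature against the real provider's fresh challenge fails.
	fakeCh, err := NewChallenge()
	if err != nil {
		return
	}
	captured := SignChallenge(priv, fakeCh)
	realCh, err := NewChallenge()
	if err != nil {
		return
	}
	mixedFalls = mixedFalls || LoginWithCard(mixed, realCh, captured) == nil
	cardOnlyFalls = cardOnlyFalls || LoginWithCard(cardOnly, realCh, captured) == nil
	return
}

func main() {
	m, c, err := WeakestLink()
	if err != nil {
		panic(err)
	}
	fmt.Printf("password+card account compromised: %v\n", m) // true
	fmt.Printf("card-only account compromised:     %v\n", c) // false
}
```

The mixed account falls to the phone call alone, with the card infrastructure never even consulted; the card-only account survives both attacks because the only thing the provider evaluates is a live signature over its own nonce, and neither attack yields the private key.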
