Hardware Based OpenID Service Available

Posted by ScuttleMonkey on Wed Feb 13, 2008 05:00 PM
from the welcome-to-your-next-new-buzzword dept.
An anonymous reader writes "TrustBearer Labs has announced a new service that lets you use various hardware based security tokens like smartcards and biometric devices with OpenID. A hardware based connection to OpenID allows higher levels of security and makes it easier for the end-user to control their credentials. OpenID is a decentralized cross-site authentication system that has been gaining momentum for quite a while now with major supporters like AOL, Google and Microsoft already announced."

Related Stories

Your Rights Online: Gates Says Microsoft Will Support OpenID (73 comments)
An anonymous reader writes "In his RSA conference keynote today, Bill Gates announced that Microsoft will support the decentralized OpenID digital identity protocol, in addition to WS-* and CardSpace (transcribed notes, video). From its roots in LID, i-names, and Sxip, the first major deployment in LiveJournal, and now with support from Technorati, Magnolia, Symantec, a suspected mass-deployment by AOL, and a number of startups, using URLs as digital identities has caught hold."
Your Rights Online: AOL Now Supports OpenID (163 comments)
Nurgled writes "On Sunday John Panzer announced that AOL now has experimental OpenID server support. This means that every AOL user now has an OpenID identifier. OpenID is a decentralized cross-site authentication system which has been growing in popularity over the last few months. AOL is the first large provider to offer OpenID services, and though they do not currently accept logins to their services with OpenID identifiers from elsewhere, they are apparently working on it. The next big challenge for OpenID proponents is teaching AOL's userbase how to make use of this new technology."
Your Rights Online: FBI Prepares Vast Database of Biometrics (152 comments)
MacRonin sends us to the Washington Post for a story about the FBI's plans for a large biometric identification database. The Post also has a chart detailing the characteristics of the different methods of identification. We discussed the ethics of a similar situation a few months ago. Quoting the Post: "Next month, the FBI intends to award a 10-year contract that would significantly expand the amount and kinds of biometric information it receives. And in the coming years, law enforcement authorities around the world will be able to rely on iris patterns, face-shape data, scars and perhaps even the unique ways people walk and talk, to solve crimes and identify criminals and terrorists. The FBI will also retain, upon request by employers, the fingerprints of employees who have undergone criminal background checks so the employers can be notified if employees have brushes with the law."
Technology: OpenID Foundation Embraced by Big Players (167 comments)
An anonymous reader writes "The OpenID Foundation has announced that Google, IBM, Microsoft, VeriSign and Yahoo! have all joined its board. It's exciting to see OpenID being embraced by such large players, but it's also a concern that such big corporates are now directly influencing the fledgling foundation. 'Today there are over a quarter of a billion OpenIDs and well over 10,000 websites to accept them. OpenID has grown to be implemented by major open source projects such as Drupal, cornerstone Web 2.0 services such as those by 37signals and Six Apart, as well as a mix of large companies including Apple, Google, and Yahoo!. Today is about truly recognizing the accomplishments of the entire OpenID community which has certainly grown beyond the small grassroots community where it started in late 2005.'"
Your Rights Online: EU Plans to Require Biometrics for Visitors (238 comments)
bushwhacker2000 writes to tell us that the EU may soon be requiring travelers to provide biometric data before crossing into Europe. They are trying to soften the blow by offering "streamlined" services for frequent travelers but the end result seems the same. "The proposals, contained in draft documents examined by the International Herald Tribune and scheduled to go to the European Commission on Wednesday, were designed to bring the EU visa regime into line with a new era in which passports include biometric data. The commission, the EU executive, argues that migratory pressure, organized crime and terrorism are obvious challenges to the Union and that the bloc's border and visa policy needs to be brought up to date."
  • I believe this already exists with VeriSign's PIP https://pip.verisignlabs.com/ [verisignlabs.com]. In this you have a hardware key that rotates its numbers every 30 seconds.
    • Re: (Score:3, Interesting)

      I have this verisign pip setup and have a key. It is essentially human delivered asymmetrical authentication. It's great security; plus, it works with the $5 keyfob from PayPal!
    • by Jeffrey Baker (6191) on Wednesday February 13 2008, @05:28PM (#22411632)
      That's really not the same at all. With a SmartCard your keys and certs are in your physical control. The key or cert never leaves the card, and crypto operations also are done on the card. With VeriSign, VeriSign enslaves your identity. They own it, and you have to use the RSA token readout to get VeriSign to unlock your identity temporarily. These are fundamentally different operating principles.
  • Isn't this like a MAC ID in a rudimentary sense? Aren't those already spoofed? I'm debating whether my tinfoil hat should or shouldn't be on, or whether I should call this one for skepticism.
  • I can appreciate the notion of a hardware dongle of some kind to prove you are you, but right away I can see an easy way around it.

    Once the key has been reverse-engineered, a software emulation thereof can be constructed, and a bit of clever hacking could substitute the software for the hardware.

    Consider MAC address spoofing for what I see as a corollary.
    • Re: (Score:3, Informative)

      If the hardware device is any good, it isn't relying on the obscurity of the algorithm as its security strength. It should be able to stand up to an attack even with a significant (hundreds of thousands) number of known tokens. If that is the case, then you need the seed (IV) of the token you want to impersonate in order to do any damage. That key should be protected like a regular key, and should be resistant to tampering (i.e. potted, designed to fail if it is tampered with).

      Now most sites that would be d
      • I'm still waiting for a smart-card with a tamper prevention system like James Bond's Lotus Esprit.
    • Do you talk out of your ass all the time, or only here on Slashdot? If you don't understand the way a smart card works, I would advise not yapping about the "easy way around it" that you just pulled out of your hindquarters.
  • Paypal has been offering [paypal.com] tokens for a while now (for $5). And they work with Verisign's Personal Identity Provider [verisignlabs.com] service.

    So for $5 you can get a little "football" of a token that will work as an OpenID login for any site that supports OpenID.

  • Doesn't this create a new privacy problem much like search data? How likely are companies providing the authentication services to create logs of which sites you login to? It is one thing to know what I search on but it is even more invasive to know which sites I actively login to.
    • This is an interesting problem, as I suspect that not everyone will be operating independent OpenID servers. But, as the spec is open, people who know and care (you and I) can avoid this problem.
    • Well, your ISP already knows this information, unless of course you regularly use Tor to browse the Web. How is this any different?
  • 1. Find out there's a new emerging standard
    2. Get involved using overwhelming marketshare
    3. Introduce proprietary fucked-up implementation
    4. Profit

    same old story...
  • by Bogtha (906264) on Wednesday February 13 2008, @05:40PM (#22411762)

    This is something I was trying to explain the last time OpenID came up on Slashdot. Because authentication isn't done by the websites and web applications themselves, it means users can shop around for an authentication system that suits them, and none of the websites or web applications that you log into need worry about it. If/when OpenID starts to become mainstream, I'd expect to see a lot of interesting work done on authentication. A hardware scheme like this isn't feasible if you have to persuade each individual website and web application provider to implement it.

    So, when can we log into Slashdot with our OpenIDs? Has there been any word on the subject at all from Taco et al?

  • REMOTE_USER (Score:4, Interesting)

    by thanasakis (225405) on Wednesday February 13 2008, @05:46PM (#22411842)
    As long as the OpenID provider (the party that provides the identity by utilizing an authentication mechanism) can access the REMOTE_USER env variable or something equivalent, it can perform its duty normally. I think it is really not important whether there is username/password based authentication or PKI authentication using soft tokens or hardware crypto tokens or biometric authentication or one time passwords or whatever else. It is up to the implementor of the service to decide what kind of authentication will be used according to his/her requirements. Using an external authentication mechanism can slightly perplex the situation on how logout is performed (as it is dependent on the auth mechanism) or on how attribute based authorization is being carried out.

    But overall it gives great flexibility to the implementor because he/she can lay out a scheme where existing authentication/authorization infrastructures (like an institution's LDAP for example) can be used in a cross platform way to offer web based identity.
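An added example (not code from the thread or from any OpenID provider) of the trust boundary the REMOTE_USER comment relies on: the provider takes the user only from variables the web server's own authentication layer sets, never from anything the client can send, and asserts only the identifier that user maps to. The provider base URL, the identifier format and the function names are assumptions made for this illustration.

```python
import hmac
import re
from typing import Optional

# Constructed base URL; the "base + username" identifier layout is an assumption.
PROVIDER_BASE = "https://idp.example.com/id/"
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def vouched_identifier(environ: dict) -> Optional[str]:
    """Return the OpenID identifier the server's own auth layer vouches for.

    Only the server populates REMOTE_USER and AUTH_TYPE (CGI/WSGI semantics).
    A request header named Remote-User arrives as HTTP_REMOTE_USER and is
    client-controlled, so it is deliberately never consulted here."""
    user = environ.get("REMOTE_USER", "")
    if not user or not environ.get("AUTH_TYPE"):
        return None
    if not USERNAME_RE.fullmatch(user):  # stop the username from shaping the URL path
        return None
    return PROVIDER_BASE + user.lower()


def may_assert(environ: dict, claimed_id: str) -> bool:
    """Provider-side gate before signing a positive OpenID assertion: the
    identifier the relying party asked about must equal the one the external
    auth mechanism established. Exact string comparison is used; OpenID's
    full URL normalisation is outside the scope of this example."""
    mine = vouched_identifier(environ)
    if mine is None:
        return False
    return hmac.compare_digest(mine, claimed_id.strip())
```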

  • I worry whenever I see the word 'trust' juxtaposed with OpenID. I worry that organizations will misuse OpenID, and ignore its purpose: only provide an identification for a person, nothing else. It doesn't certify the person's character, background, politics, or financial base. If I say that I am user@server, then OpenID is just a bit of evidence supporting that. That's all.
  • by IGnatius T Foobar (4328) on Wednesday February 13 2008, @06:30PM (#22412398) Homepage Journal
    I would like to use OpenID as a "single sign on" solution for a wide range of services. The problem I see right now is that it's only viable for web based services. Does the OpenID technology have a way (or is one planned) to authenticate when the client is something other than a web browser? I'm thinking things like IMAP/SMTP mail, console mode login (ssh/telnet), etc. etc.
    • Re: (Score:3, Insightful)

      Agreed. However, I think in practice, most users use only one or two passwords to login to the vast majority of websites. OpenID thus seems to simply codify this "truism", if I'm on-base. While a centralized password might make mass ownage of websites possible, it should also be simple to shut down that account across a wide swath of websites more or less instantly.

      sloth jr
      • Re: (Score:3, Interesting)

        True, but that relies on the original account holder to know that they have been compromised to begin with. Given the amount of identity fraud victims that don't even know that they are victims until it's too late (although I would imagine that number has gone down in recent years with recent awareness of identity fraud), it's not too hard to imagine that there are several account holders online who don't even know that someone has guessed their password, especially if the account holder has abandoned the
    • Re: (Score:3, Insightful)

      And nobody is stopping you from doing that. Get multiple OpenIDs. Get them from different providers, if you like. You can still do it your way while the lazy ones (me included) use single sign-on and make our lives a little simpler.
      • Re: (Score:3, Interesting)

        The difference is that the person I'm replying to knows I own that OpenID account, rather than me just being a random anonymous person.

        No, it knows nothing. OpenID has no trust, so they could have just visited http://www.jkg.in/openid/ [www.jkg.in] and generated one for that purpose.

        OpenID says zero about who you really are. You are an anonymous user - which is why it would be crazy for a site which previously required registration to allow OpenID users to post simply based on the existence of that token. You're goin