Hardware Based OpenID Service Available

An anonymous reader writes "TrustBearer Labs has announced a new service that lets you use various hardware-based security tokens like smartcards and biometric devices with OpenID. A hardware-based connection to OpenID allows higher levels of security and makes it easier for the end-user to control their credentials. OpenID is a decentralized cross-site authentication system that has been gaining momentum for quite a while now, with major supporters like AOL, Google and Microsoft already announced."
  • by dns_server ( 696283 ) on Wednesday February 13, 2008 @05:08PM (#22411352)
    I believe this already exists with Verisign's PIP https://pip.verisignlabs.com/ . In this you have a hardware key that rotates its numbers every 30 seconds.
  • Re:Emulation? (Score:3, Informative)

    by un1xl0ser ( 575642 ) on Wednesday February 13, 2008 @05:24PM (#22411570)
    If the hardware device is any good, it isn't relying on the obscurity of the algorithm as its security strength. It should be able to stand up to an attack even with a significant (hundreds of thousands) number of known tokens. If that is the case, then you need the seed (IV) of the token you want to impersonate in order to do any damage. That key should be protected like a regular key, and should be resistant to tampering (i.e. potted, designed to fail if it is tampered with).

    Now most sites that would be doing this will be using SSL with certificates signed by a 'respected' cert provider. If that is the case, the likelihood of getting enough tokens to launch an attack is greatly reduced.

    So put away the tin-foil hat. This isn't a MAC address. :-)
  • by Jeffrey Baker ( 6191 ) on Wednesday February 13, 2008 @05:28PM (#22411632)
    That's really not the same at all. With a SmartCard your keys and certs are in your physical control. The key or cert never leaves the card, and crypto operations also are done on the card. With VeriSign, VeriSign enslaves your identity. They own it, and you have to use the RSA token readout to get VeriSign to unlock your identity temporarily. These are fundamentally different operating principles.
  • Re:Mac ID? (Score:2, Informative)

    by harningt ( 1238980 ) on Wednesday February 13, 2008 @05:33PM (#22411676)
    Erm... MAC ID is non-changing... In a simple example of how this works, it does a cryptographic challenge-response so you keep a private key...
  • by Bogtha ( 906264 ) on Wednesday February 13, 2008 @05:40PM (#22411762)

    This is something I was trying to explain the last time OpenID came up on Slashdot. Because authentication isn't done by the websites and web applications themselves, it means users can shop around for an authentication system that suits them, and none of the websites or web applications that you log into need to worry about it. If/when OpenID starts to become mainstream, I'd expect to see a lot of interesting work done on authentication. A hardware scheme like this isn't feasible if you have to persuade each individual website and web application provider to implement it.

    So, when can we log into Slashdot with our OpenIDs? Has there been any word on the subject at all from Taco et al?

  • by jbastress ( 1239046 ) on Wednesday February 13, 2008 @09:58PM (#22414760)

    I'm not sure if you're referring to the TrustBearer Security Token for sale on the site (which is /not/ the only supported device...for example, all US-govt PIV and CAC cards will work), or the PayPal device...but as this seems to be a common misconception, I'd like to clear this up.

    The TrustBearer Security Key is a cryptographic device (with drivers on Windows update) that goes in a USB port. It uses asymmetric cryptography to decrypt a nonce sent by the provider to prove that the user owns the public key associated with the account. It is for all practical purposes a smart card and reader combined.

    The PayPal/RSA SecurID/Verisign token is a one-time password (OTP) device. It shows a different number every n seconds, which you type in along with your username and password to authenticate. As harningt mentioned in another thread, such devices could in principle be supported by the TrustBearer framework if there was significant demand, but it is currently geared towards asymmetric challenge-response authentication.
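The two token models contrasted in this thread (harningt's "cryptographic challenge-response so you keep a private key" and jbastress's nonce-decrypting smart card versus the seed-based OTP fob) can be shown side by side. The script below is an added illustration written for this page; it is not TrustBearer, Verisign or RSA code and does not describe any real product's protocol. The `SmartCardToken` and `Provider` classes, the textbook RSA built from two constructed small primes, and the RFC 6238 TOTP routine are all assumptions made for the example; a real card uses 2048-bit keys with proper padding, and the seed is a constructed test value.

```python
"""Added example: asymmetric challenge-response vs. shared-seed OTP.

Model 1 (smart card): the provider encrypts a random nonce to the user's
public key; only the device holding the private key can return it, and the
private key never leaves the device.
Model 2 (OTP fob): token and provider share one secret seed and each derive
the same time-based code, so the provider must hold a copy of the secret.
Standard library only; the RSA here is a toy with tiny constructed primes.
"""
import hashlib
import hmac
import os
import struct
import time

# Constructed toy key pair: two primes just above 10**6 (NOT a real key).
_P, _Q = 1000003, 1000033
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # modular inverse, Python 3.8+


class SmartCardToken:
    """Stands in for the card: the private exponent stays inside it."""

    def __init__(self, d, n):
        self._d, self._n = d, n

    def public_key(self):
        return (_E, self._n)          # this is all the provider ever stores

    def respond(self, challenge):
        # Private-key operation happens 'on card'; _d is never exported.
        return pow(challenge, self._d, self._n)


class Provider:
    """OpenID-provider side of the asymmetric challenge-response."""

    def __init__(self):
        self.accounts = {}   # username -> (e, n)
        self.pending = {}    # username -> nonce awaiting a response

    def register(self, user, pubkey):
        self.accounts[user] = pubkey

    def challenge(self, user, nonce=None):
        e, n = self.accounts[user]
        if nonce is None:
            nonce = int.from_bytes(os.urandom(4), "big")   # 32-bit, < n
        self.pending[user] = nonce
        return pow(nonce, e, n)      # encrypted nonce sent to the client

    def verify(self, user, response):
        expected = self.pending.pop(user, None)  # single use: no replay
        return expected is not None and response == expected


def totp(seed, unix_time, step=30, digits=6):
    """RFC 6238 time-based OTP over HMAC-SHA1 (what a fob displays)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otp_verify(seed, submitted, unix_time, step=30, window=1):
    """Provider-side OTP check; it needs the seed, unlike Provider.verify."""
    return any(
        hmac.compare_digest(totp(seed, unix_time + k * step, step), submitted)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    card = SmartCardToken(_D, _N)
    idp = Provider()
    idp.register("alice", card.public_key())
    c = idp.challenge("alice")
    print("challenge-response accepted:", idp.verify("alice", card.respond(c)))

    seed = b"12345678901234567890"    # RFC 6238 test seed, constructed
    now = int(time.time())
    print("fob shows:", totp(seed, now), "accepted:",
          otp_verify(seed, totp(seed, now), now))
```

Note the asymmetry in what each provider stores: `Provider.accounts` holds only public keys, so a compromise there yields nothing that can impersonate the user, whereas `otp_verify` cannot work without the same seed the fob carries, which is the point un1xl0ser and Jeffrey Baker make about protecting the seed and about who holds the identity.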
