Hardware Based OpenID Service Available 119
An anonymous reader writes "TrustBearer Labs has announced a new service that lets you use various hardware based security tokens like smartcards and biometric devices with OpenID. A hardware based connection to OpenID allows higher levels of security and makes it easier for the end-user to control their credentials. OpenID is a decentralized cross-site authentication system that has been gaining momentum for quite a while now with major supporters like AOL, Google and Microsoft already announced."
Anything like verasigns pip? (Score:2, Informative)
Re:Emulation? (Score:3, Informative)
Now most sites that would be doing this will be using SSL with certificates signed by a 'respected' cert provider. If that is the case, the likelihood of getting enough tokens to launch an attack is greatly reduced.
So put away the tin-foil hat. This isn't a MAC address.
Re:Anything like verasigns pip? (Score:5, Informative)
Re:Mac ID? (Score:2, Informative)
Decoupled authentication (Score:5, Informative)
The is something I was trying to explain the last time OpenID came up on Slashdot. Because authentication isn't done by the websites and web applications themselves, it means users can shop around for an authentication system that suits them, and none of the websites or web applications that you log into need worry about it. If/when OpenID starts to become mainstream, I'd expect to see a lot of interesting work done on authentication. A hardware scheme like this isn't feasible if you have to persuade each individual website and web application provider to implement it.
So, when can we log into Slashdot with our OpenIDs? Has there been any word on the subject at all from Taco et al?
Re:Anything like verasigns pip? (Score:2, Informative)
I'm not sure if you're referring to the TrustBearer Security Token for sale on the site (which is /not/ the only supported device...for example, all US-govt PIV and CAC cards will work), or the PayPal device...but as this seems to be a common misconception, I'd like to clear this up.
The TrustBearer Security Key is a cryptographic device (with drivers on Windows update) that goes in a USB port. It uses asymmetric cryptography to decrypt a nonce sent by the provider to prove that the user owns the public key associated with the account. It is for all practical purposes a smart card and reader combined.
The PayPal/RSA SecureID/Verisign token is a one-time password (OTP) device. It shows a different number every n seconds, which you type in along with your username and password to authenticate. As harningt mentioned in another thread, such devices could in principle be supported by the TrustBearer framework if there was significant demand, but it is currently geared towards asymmetric challenge-response authentication.