Thursday, July 19, 2007

Finally, an OpenID provider that takes Information Cards as authentication

I don't know why this took so long to surface.  And maybe it just took a while to discover.  But honestly I don't know why there is only one service (that I can find) that offers this.  It's the perfect combination of phishing protection and usefulness in single sign-on that will make the web significantly safer.

Without going into a whole history of OpenID and InfoCard (aka Windows CardSpace as part of .NET 3.0), let me just draw the problem and solution for you.  OpenID is open to a variety of phishing attacks that are especially dangerous because "one login to rule them all", once stolen, can become as useful to the phisher (and dangerous for you) as the One Ring in the wrong hands.  All your sites immediately open up to the phisher of just one login.  What makes this especially precarious is that OpenID relies on the site taking your OpenID to redirect you to your own OpenID provider -- something that could be spoofed pretty easily so the site itself can steal your credentials.

Some OpenID providers (such as www.myopenid.com) have mitigated this threat by starting to place browser cookies on your computer so that if you don't see a picture you chose on your login screen then you have reason to be suspicious.  In my opinion, not good enough. 

Enter InfoCard: Microsoft's completely open and decentralized authentication solution that is completely phishing-proof because there are no credentials to steal.  If someone lured you into using your InfoCard on their phishing site, all they would get is a random series of characters from your InfoCard that they would find completely unhelpful in masquerading as you on other sites.

The problem with InfoCard is that there are (to date) almost no sites out there that accept InfoCard logins.  OpenID has a lead of a few hundred sites over InfoCard.  So by combining these two technologies, you get the protection of InfoCard with the more widespread adoption of OpenID.

All that has to be done is use an OpenID provider that accepts InfoCard as your login credentials.  Instead of the one username/password pair that you use at your OpenID provider to login, that could be stolen, you would just submit your InfoCard and you're in.  If someone who wasn't your OpenID provider was pretending to be, they wouldn't be any closer to masquerading as you.
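To make concrete why a card presented to a phishing site is "completely unhelpful" elsewhere, here is an added illustration (not code from this post, and not CardSpace's actual identifier derivation, whose details are not covered here): the card keeps a secret that never leaves the user's machine and derives a different identifier for every site it is shown to, assumed here to be an HMAC-SHA256 of the site's host name under that secret. The host names, the card secret and the `RelyingParty` class are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Hypothetical master secret held inside the user's card (constructed sample value).
# It is never transmitted; only values derived from it are.
CARD_SECRET = bytes.fromhex(
    "5f1c9b2e7a4d3c8e1f0a6b5d4e3c2b1a9f8e7d6c5b4a39281706f5e4d3c2b1a0"
)


def pairwise_identifier(card_secret: bytes, relying_party: str) -> str:
    """Derive the identifier the card presents to one relying party.

    Assumed construction: HMAC-SHA256 keyed with the card secret over the
    relying party's host name (case-folded). Each site therefore sees a
    different but stable value, and no site can recover the secret from it.
    """
    msg = relying_party.lower().encode("utf-8")
    return hmac.new(card_secret, msg, hashlib.sha256).hexdigest()


class RelyingParty:
    """Toy site that recognises returning users only by the identifier its
    own login form received from the card."""

    def __init__(self, host: str) -> None:
        self.host = host
        self.accounts: Dict[str, str] = {}  # identifier -> account name

    def register(self, card_secret: bytes, account: str) -> str:
        ident = pairwise_identifier(card_secret, self.host)
        self.accounts[ident] = account
        return ident

    def login_with_identifier(self, ident: str) -> Optional[str]:
        """Return the account for a presented identifier, or None if unknown."""
        return self.accounts.get(ident)


def phishing_scenario() -> dict:
    """Compare what a lookalike site captures with what the real site expects."""
    provider = RelyingParty("signon.example")  # placeholder for the real OpenID provider
    phisher = RelyingParty("phish.example")    # placeholder lookalike site

    real_ident = provider.register(CARD_SECRET, "alice")

    # The user is lured into presenting the card at the lookalike site; this is
    # the only value the lookalike ever learns.
    captured = pairwise_identifier(CARD_SECRET, phisher.host)

    return {
        # The captured value is not the one the real provider knows.
        "identifiers_differ": captured != real_ident,
        # Presenting the captured value at the real provider is rejected.
        "replay_at_provider": provider.login_with_identifier(captured),
        # The genuine card still logs in at the real provider.
        "legitimate_login": provider.login_with_identifier(
            pairwise_identifier(CARD_SECRET, provider.host)
        ),
    }


if __name__ == "__main__":
    print(phishing_scenario())
```

The same property is what makes the combination in the post work: the OpenID provider stores only the identifier derived for its own host, so a username/password pair that could be replayed anywhere is replaced by a value that is worthless outside the site it was minted for.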

So which OpenID providers have offered this elegant solution?  Just one that I can find: www.signon.com.  Hurrah for leading the way!  I'm switching my OpenID from MyOpenID.com to signon.com just for the InfoCard.  (Besides, it's faster to sign on with a couple of InfoCard clicks than to type out a username and password.)

Kim Cameron maintains an identity blog and discusses the theory behind combining these technologies if you want a more in-depth read.  I suggest adding Kim to your RSS feed.

For the record, I'd personally prefer to see all sites take InfoCard directly.  It would speed things up a bit.  But what I really want are Information Cards for my credit cards so I can transact business online without revealing my credit card numbers to every merchant.
