Ben Laurie blathering


If You Have Cardspace, Why Use OpenID?

Kim Cameron writes about fixing OpenID’s phishing problems by using Cardspace. Certainly I agree that using strong authentication to the OpenID provider fixes the phishing problem – but if you have strong authentication, why bother to use OpenID at all? Why not strongly authenticate to the site you are really trying to log into, instead?

Of course, Cardspace is a pretty heavyweight solution for this, so perhaps that’s what Kim’s getting at? It also doesn’t work well if you have more than one machine – moving your credentials around is not something Cardspace does well.

In my view, there’s a sweeter spot for solving this problem than Cardspace (or OpenID, obviously) – and that is to do strong authentication based purely on a password. That way, you can use the same password everywhere, so there’s no problem with moving between machines, but you can still resist phishing attacks and don’t have to make yourself linkable across all sites. Obviously supporting this would be far easier than taking the whole of Cardspace on board, but it would have all of the immediate advantages. Clearly it would get you nowhere with advanced identity management, but it’s not like we don’t already have protocols for that, and nor does there seem to be much demand for it yet.
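One concrete reading of “strong authentication based purely on a password” is what the first pingback below calls a function of the password: the client derives a different credential for every site from a single master password, keyed on the site’s origin, so a look-alike phishing site at a different origin receives a value that is useless at the real site, and two legitimate sites receive values that cannot be correlated. The Python below is an example added here, not Ben’s code or any project’s; the choice of PBKDF2, the iteration count, the origin canonicalisation rules and the assumption that the derivation runs client-side (in the browser or a password manager, before anything is sent) are all mine.

```python
"""Per-site credentials derived from one master password (added example).

Assumption: this code runs on the client, and only the derived value is ever
transmitted. The master password never leaves the user's machine.
"""
import base64
import hashlib
from urllib.parse import urlsplit

# Tunable assumptions, not from the original post.
PBKDF2_ITERATIONS = 200_000
DERIVED_LENGTH = 24  # characters of output password


def canonical_origin(url: str) -> str:
    """Reduce a URL to the origin the credential is bound to.

    Scheme and host are lower-cased; the path, query and port are dropped, so
    every page on the same site derives the same value, while any other host
    (including a look-alike such as bank-example.com) derives a different one.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    return f"{parts.scheme.lower()}://{parts.hostname.lower()}"


def derive_site_password(master: str, url: str,
                         iterations: int = PBKDF2_ITERATIONS,
                         length: int = DERIVED_LENGTH) -> str:
    """Derive the credential to send to the site at `url`.

    The origin acts as the salt, so the same master password yields an
    unrelated output for every distinct origin (unlinkability), and the
    slow KDF makes offline guessing of the master from one leaked derived
    value expensive rather than free.
    """
    origin = canonical_origin(url)
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              origin.encode("utf-8"), iterations, dklen=32)
    # URL-safe base64 keeps the result typeable and free of odd characters.
    return base64.urlsafe_b64encode(key).decode("ascii")[:length]


def phishing_resistant(master: str, real_url: str, phish_url: str) -> bool:
    """True when the credential captured by `phish_url` does not log in at `real_url`."""
    return derive_site_password(master, real_url) != derive_site_password(master, phish_url)


if __name__ == "__main__":
    # Constructed sample inputs, not real sites or credentials.
    master = "correct horse battery staple"
    real = "https://bank.example/login"
    lookalike = "https://bank-example.com/login"
    other = "https://shop.example/checkout"
    print("bank     :", derive_site_password(master, real))
    print("lookalike:", derive_site_password(master, lookalike))
    print("shop     :", derive_site_password(master, other))
    print("phish-resistant:", phishing_resistant(master, real, lookalike))
```

Two caveats a practitioner would want. First, the scheme only resists phishing if the derivation is done by software that keys on the real origin; if the user is talked into typing the master password directly into a form, it is gone, which is the point George raises in the comments. Second, this is a deterministic hash, not a password-authenticated key exchange: the site still holds a value that can be attacked offline, so the slow KDF matters, and a true PAKE would be the stronger instance of the same idea.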

5 Comments »

  1. [...] Ben Laurie proposes using “functions of passwords” rather than plain passwords as a way to avoid phishing:  Kim Cameron writes about fixing [...]

    Pingback by IdentityBlog - Digital Identity, Privacy, and the Internet's Missing Identity Layer — 25 Feb 2008 @ 21:35

  2. So… if I understand you right, you are suggesting:
    - You don’t need the OpenID/CardSpace combo, since CardSpace by itself can solve the issues of phishing, strong authentication, as well as the need to remember multiple passwords.
    - CardSpace is difficult for RPs to support (heavyweight). Plus it’s not portable.
    - Self-issued infocards/CardSpace have other benefits. However, one of the good ones is PPID (which at the end of the day is an algorithmically generated long password).
    - We can partially address the problem by having long passwords (and convincing sites to accept long passwords). This solution is completely portable. It will work with existing infrastructure. And we can create one strong password and use it everywhere (hence avoiding password fatigue).

    Brilliant.
    - Ashish

    Comment by Ashish Jain — 25 Feb 2008 @ 22:18

  3. I suppose typing a long password is no harder than typing in a full OpenID, but I wonder if users really want to create long passwords (e.g. thewallisgreenwithivyandwisteria). Most users would just store the password and let Firefox, Safari or IE fill it in for them. How is this not susceptible to the normal phishing attacks? I must have missed something.

    Comment by George Fletcher — 26 Feb 2008 @ 16:09

  4. [...] have noticed the exchange between Ben and Kim over the past day or two… Ben made a point that CardSpace makes OpenID redundant – why not just send a password to the RP? Kim jumped all over him – somewhat misinterpreting what [...]

    Pingback by IdentityBlog - Digital Identity, Privacy, and the Internet's Missing Identity Layer — 28 Feb 2008 @ 6:25

  5. [...] have noticed the exchange between Ben and Kim over the past day or two… Ben made a point that CardSpace makes OpenID redundant – why not just send a password to the RP? Kim jumped all over him – somewhat [...]

    Pingback by CardSpace as a Password Manager « Superpatterns — 18 Sep 2010 @ 0:31
