Strong Authentication (was [PROPOSAL] authentication age)

Martin Atkins mart at degeneration.co.uk
Fri Oct 6 16:58:09 UTC 2006


Chris Drake wrote:
> Hi All,
> 
> 1. Amazon asks the IdP "Please assert this user is not a Robot"
>    How can it trust this occurred?
> 
> 2. Amazon asks the IdP "Please re-authenticate this user, via
>    two-factor, two-way strong authentication"
>    How can it trust *this* occurred?
> 
> The IdP can *say* it did, but would RPs prefer a "stronger" role to
> encourage adoption? (eg: #1 - the RP provides the captcha, and the
> hash of the solution, while the IdP returns the solution, or #2 - the
> RP provides a nonce and later looks for this nonce in the IdP's
> also-signed-by-the-authentication-vendor-technology response)
> 
> i.e.: It might get ugly to try and add this stuff in later if we've
> not catered up-front for these kinds of interchanges.
> 

These use-cases seem like good ones, in that they're something that's 
actually *verifiable*, rather than relying on a trust relationship that 
probably doesn't exist between RP and IdP.

I still don't think this should be in the core spec — core OpenID Auth 
should be simple — but we should make sure that it's possible to add it 
via extension and if it isn't adjust the way extensions work to make it 
possible.
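The two verifiable interchanges sketched in the quoted proposal (the RP-supplied captcha with a hash of its solution, and the RP-chosen nonce echoed in the IdP's signed re-authentication response), as an added example that is not part of this thread or of any OpenID specification. It assumes an HMAC association secret shared by RP and IdP, and the message field names are invented.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret standing in for an OpenID-style association key
# (assumption: the IdP signs its response with a secret it shares with the RP).
ASSOC_SECRET = b"constructed-association-secret"

def sign(fields: dict) -> str:
    """HMAC over the fields in canonical key order; the RP recomputes this to verify."""
    msg = "\n".join(f"{k}:{fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(ASSOC_SECRET, msg, hashlib.sha256).hexdigest()

def verify_sig(resp: dict) -> bool:
    """Constant-time check of the signature over every field except 'sig'."""
    body = {k: v for k, v in resp.items() if k != "sig"}
    return hmac.compare_digest(sign(body), resp.get("sig", ""))

# --- Use-case 1: RP supplies the captcha plus the hash of its solution ---
def rp_captcha_challenge(solution: str) -> dict:
    """RP keeps only the hash; the IdP must obtain the solution from a human."""
    return {"captcha_hash": hashlib.sha256(solution.encode()).hexdigest()}

def idp_captcha_response(challenge: dict, user_answer: str) -> dict:
    """IdP returns what the user typed, bound to the hash it was challenged with."""
    resp = dict(challenge, captcha_solution=user_answer)
    return dict(resp, sig=sign(resp))

def rp_check_captcha(challenge: dict, resp: dict) -> bool:
    """Verifiable without taking the IdP's word: hash of returned solution must match."""
    got = hashlib.sha256(resp.get("captcha_solution", "").encode()).hexdigest()
    return verify_sig(resp) and hmac.compare_digest(got, challenge["captcha_hash"])

# --- Use-case 2: RP-chosen nonce echoed in the IdP's signed re-auth response ---
PENDING = set()  # nonces issued by this RP and not yet consumed

def rp_reauth_request() -> dict:
    nonce = secrets.token_urlsafe(16)
    PENDING.add(nonce)
    return {"nonce": nonce, "auth_level": "two-factor"}

def idp_reauth_response(request: dict, performed: str) -> dict:
    resp = {"nonce": request["nonce"], "auth_level": performed}
    return dict(resp, sig=sign(resp))

def rp_check_reauth(resp: dict) -> bool:
    """Signature valid, nonce is one we issued, and consumed so a replay fails."""
    if not verify_sig(resp) or resp.get("nonce") not in PENDING:
        return False
    PENDING.discard(resp["nonce"])
    return resp.get("auth_level") == "two-factor"
```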
