Auto logout? Request re-authentication from the server?
Simon Josefsson
simon at yubico.com
Wed Jul 2 14:45:59 UTC 2008
Hi.
Is there a best practice on how OpenID consumers can find out whether
re-authenticating the user, via the OpenID server, once in a while can
lead to improved security?
The security of normal one-time password systems (SecurID, SMS codes,
Yubikeys, ..) can be improved if you ask for a new one-time password
once in a while.
Of course, the OpenID server cannot do this on its own, so it needs to
be initiated by the OpenID consumer, but that will not happen without
clues that it is a good idea to perform re-authentication.
Thoughts?
Would this be a worthwhile addition to the
openid-provider-authentication-policy-extension document? I'm thinking
that the Response Parameters should include an optional parameter that
implies that a one-time-password system was used, which suggests that the
RP may re-authenticate the user more frequently.
It may be useful to generalize this idea somewhat, but I can't come up
with a better abstraction. Even re-authenticating using password may
improve security in some situations (although I suspect most passwords
are cached by browsers anyway these days). Ideas welcome.
Thanks,
Simon
Btw, this idea originated from discussions on
<http://forum.yubico.com/viewtopic.php?f=9&t=126>.
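The RP-side policy sketched above, as an added example that is not part of the post or of the OpenID/PAPE specifications. It parses the real PAPE 1.0 response parameters (auth_policies, auth_time, namespace http://specs.openid.net/extensions/pape/1.0, the 2007/06 policy URIs), picks a re-authentication interval from the policies the OP reported, and builds the checkid_setup parameters (openid.pape.max_auth_age, openid.pape.preferred_auth_policies) that send the user back to the OP. The OTP_USED URI is a stand-in for the proposed "a one-time password was used" parameter and is an assumption, as are the interval values and the sample assertion.

```python
"""RP-side re-authentication decision driven by PAPE response parameters.

Constructed example, not code from the post or from the OpenID specs.
Assumptions: the RP stores the PAPE fields it received at login and, on
later requests, decides whether to redirect the user to the OP again.
"""
from datetime import datetime, timedelta, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY_PREFIX = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY_PREFIX + "phishing-resistant"
MULTI_FACTOR = POLICY_PREFIX + "multi-factor"
MULTI_FACTOR_PHYSICAL = POLICY_PREFIX + "multi-factor-physical"
NO_POLICY = "none"  # PAPE's literal value when no policy was satisfied

# Hypothetical URI standing in for the "one-time password was used" response
# parameter proposed in the post. Assumption: PAPE 1.0 defines no such value.
OTP_USED = "http://example.invalid/pape/policies/otp-used"


def parse_auth_time(raw):
    """PAPE auth_time is UTC in the form 2005-05-15T17:11:51Z."""
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_pape_response(params):
    """Pull PAPE fields out of a positive assertion's openid.* parameters.

    The OP may bind PAPE to any alias, so locate the alias bound to PAPE_NS
    instead of assuming "pape". Returns (policies: set[str], auth_time|None).
    """
    alias = next((k[len("openid.ns."):] for k, v in params.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS), None)
    if alias is None:
        return set(), None
    prefix = f"openid.{alias}."
    policies = set(params.get(prefix + "auth_policies", "").split())
    policies.discard(NO_POLICY)
    raw = params.get(prefix + "auth_time")
    return policies, (parse_auth_time(raw) if raw else None)


def reauth_interval(policies):
    """How long a session may run before the RP asks the OP for a fresh
    authentication. Constructed values; tune per deployment."""
    if OTP_USED in policies or MULTI_FACTOR_PHYSICAL in policies:
        # A new OTP costs the user little and bounds how long a captured
        # session or credential stays useful.
        return timedelta(minutes=15)
    if MULTI_FACTOR in policies or PHISHING_RESISTANT in policies:
        return timedelta(hours=1)
    # Password only: re-prompting gains little if the browser has cached it.
    return timedelta(hours=8)


def needs_reauth(policies, auth_time, now):
    """True if the assertion is older than the interval for its policies.
    Without auth_time the RP has nothing to reason about, so treat as stale."""
    if auth_time is None:
        return True
    return now - auth_time >= reauth_interval(policies)


def reauth_request_params(policies):
    """PAPE request parameters for the checkid_setup redirect. max_auth_age
    is the interval in seconds; the PAPE policies already seen are requested
    again so the OP does not fall back to a weaker method."""
    out = {"openid.ns.pape": PAPE_NS,
           "openid.pape.max_auth_age": str(int(reauth_interval(policies).total_seconds()))}
    wanted = sorted(p for p in policies if p.startswith(POLICY_PREFIX))
    if wanted:
        out["openid.pape.preferred_auth_policies"] = " ".join(wanted)
    return out


# Constructed sample assertion as the RP would receive it after login;
# this OP chose the alias "pape".
SAMPLE_ASSERTION = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": MULTI_FACTOR_PHYSICAL + " " + OTP_USED,
    "openid.pape.auth_time": "2008-07-02T14:00:00Z",
}

if __name__ == "__main__":
    policies, auth_time = parse_pape_response(SAMPLE_ASSERTION)
    now = parse_auth_time("2008-07-02T14:45:59Z")
    if needs_reauth(policies, auth_time, now):
        print("redirect to OP with", reauth_request_params(policies))
    else:
        print("session still fresh")
```

The decision is the RP's alone, which is the point of the post: the OP only reports what happened (auth_policies, auth_time), and the RP has to turn that into a re-authentication schedule. Deployments that do not trust the OP's auth_time should treat a missing or implausible value as stale, as the code does for a missing one.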