[OpenID] FW: two-factor authentication with a bookmark

Recordon, David drecordon at verisign.com
Wed Feb 7 07:30:23 UTC 2007


So as I said on the ID Gang list, I'm psyched by this proposal.  While
not a security guru, it seems like a pretty ingenious twist to this
problem...assuming you're not phished when downloading the bookmark.

--David 

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Scott Kveton
Sent: Tuesday, February 06, 2007 12:21 PM
To: general at openid.net
Subject: [OpenID] FW: two-factor authentication with a bookmark

Forwarding from the identity gang list (with Ben's permission) ... Very
cool addition to Simon's thoughts on how to fight phishing.  Very cool
Ben.

- Scott




------ Forwarded Message
From: Ben Adida <ben at adida.net>
Reply-To: <idworkshop at googlegroups.com>
Date: Tue, 6 Feb 2007 15:02:39 -0500
To: <idworkshop at googlegroups.com>
Conversation: two-factor authentication with a bookmark
Subject: two-factor authentication with a bookmark




Hi all,

This is likely to get massively overshadowed by all the interesting
activity at the RSA conference, but I thought I'd pass it along anyways.

I've been working on BeamAuth, a two-factor authentication with a
bookmark and a password. The goal is to make it harder to phish an
OpenID user (or any other redirect-based single-sign-on system). The
second goal is to do so without a plugin or other client-side
modification. Basically, any single sign-on provider could deploy this
right away.

It's super simple, and it doesn't change the user's login process much:
they get redirected to their login page normally, and then login
requires first a bookmark click, then a password entry.

(forgetting to click your bookmark at a phishing site is not a big deal:
your bookmark token is not revealed and your password is not enough to
log the adversary in.)

I know JanRain recently implemented a bookmark-based anti-phishing
solution proposed by Simon Willison. This proposal is a bit different:
the bookmark is more than a server locator, it's also a second
authentication token.

I've posted all the details at:

http://benlog.com/articles/2007/02/06/beamauth-two-factor-web-authentication-with-a-bookmark/

and there's a demo server at:

http://labs.adida.net/fragtoken/beamauth/

Looking forward to feedback!

-Ben





------ End of Forwarded Message

_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general