[OpenID] OpenID and SSO

Eric Norman ejnorman at doit.wisc.edu
Sat Jun 28 01:20:14 UTC 2008


On Jun 27, 2008, at 2:30 PM, Dick Hardt wrote:

>
> On 27-Jun-08, at 12:25 PM, Eric Norman wrote:
>
>>
>> On Jun 27, 2008, at 9:25 AM, Dick Hardt wrote:
>>
>>> *if* the RP remembers the user's OpenID the first time they visit the
>>> site and the user only uses one OpenID on the site, then when the user
>>> returns, and if the RP autofills the OpenID in the form, then the user
>>> just has to click the submit button to login (assuming they have a
>>> valid session at their OP and their OP is configured to automatically
>>> login to that RP).
>>>
>>> Lots of assumptions in this flow, definitely room for improvement.
>>>
>>> Question: do people think improving this is important?
>>
>> Well, I certainly think that the fewer actions that a user has
>> to perform, whether they be physical (e.g. clicking) or cognitive
>> (e.g. remembering), the riskier and less safe the login
>> process is from the point of view of security.  This does assume
>> that the user has close to an accurate understanding of the action
>> she is about to perform.  The latter is a lot more difficult to
>> effect than most with geek training believe.
>>
>> To reiterate, the main point here is that fewer user actions
>> imply less safety.
>
> Interesting logic. Does that mean that more actions is more safety?

In general, yes, although it does depend on the difficulty that a
user has either comprehending or performing the actions.

Consider the holy triumvirate that folks like to quote about
"something you ...".  Translate each one as "something you have
to do" (an action, e.g. remember something;  pull out and show
something).  Then more actions are really just another way of
having multi-factor; that's the point of view I have.

>  Would the security of each action not be relevant?

I can't answer that unless I have a metric to measure "security".

> Is "asasasasasasasasasasasasasasasasasas" a better password than
> "6@h." because there are more keystrokes?

Sure it is -- lots better, but not directly because of the keystrokes.
Is there some metric that says otherwise?

> If you make the user jump through a bunch of hoops each time they 
> authenticate, they strive to make their life simpler, not more secure.

Methinks users will strive to make their life easier regardless.
The trick is to find a balance between easy living and security.
And don't assume that I mean to imply automation and transparency
are always the answer.  Sometimes they're appropriate, sometimes
not.  That's part of the balance problem.

Eric Norman
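The password comparison in the exchange above turns on the attacker model, so here is an added worked example (not part of the thread, and not code from either participant) that computes the guess space for both passwords under two models: a naive keystroke-counting brute force, where every extra character multiplies the search space, and a repeat-aware guesser that tries a short unit times a repeat count. The long password is "as" repeated 18 times; the short one is "6@h." (the list archive's address munging shows it as "6 at h."). The character-class sizes, the repeat-count bound of 64, and all function names are assumptions of this example.

```python
import math
import string

# The two passwords compared in the thread. The archive shows the short one
# as "6 at h."; "6@h." is assumed here to be the original.
LONG_PW = "as" * 18   # "asasasasasasasasasasasasasasasasasas"
SHORT_PW = "6@h."

# Assumed bound on how many repeat counts a pattern-aware guesser tries.
MAX_REPEATS = 64


def charset_size(pw: str) -> int:
    """Size of the smallest obvious alphabet covering every character in pw.

    Assumption of this example: an attacker enumerates whole character
    classes (lowercase, uppercase, digits, ASCII punctuation) rather than
    the exact characters used.
    """
    classes = (
        string.ascii_lowercase,
        string.ascii_uppercase,
        string.digits,
        string.punctuation,  # 32 ASCII symbols, includes '@' and '.'
    )
    size = sum(len(cls) for cls in classes if any(c in cls for c in pw))
    # Anything outside those classes (space, non-ASCII) is counted once each.
    size += len({c for c in pw if not any(c in cls for cls in classes)})
    return size


def brute_force_guesses(pw: str) -> int:
    """Keystroke-counting model: every position is independent, so each
    extra character multiplies the search space by the alphabet size."""
    return charset_size(pw) ** len(pw)


def shortest_repeat_unit(pw: str):
    """Return (unit, k) with pw == unit * k and unit as short as possible."""
    n = len(pw)
    for length in range(1, n + 1):
        if n % length == 0 and pw[:length] * (n // length) == pw:
            return pw[:length], n // length
    return pw, 1


def pattern_aware_guesses(pw: str) -> int:
    """Repeat-aware model: the attacker guesses a short unit and a repeat
    count, so a repeated string costs roughly (guesses for the unit) *
    (repeat counts tried) instead of charset ** length."""
    unit, k = shortest_repeat_unit(pw)
    if k == 1:
        return brute_force_guesses(pw)
    return brute_force_guesses(unit) * MAX_REPEATS


def bits(guesses: int) -> float:
    """Guess count expressed as bits of work."""
    return math.log2(guesses)


def compare(a: str, b: str) -> dict:
    """Which password is stronger under each model: 'a' or 'b' per model."""
    return {
        "brute_force": "a" if brute_force_guesses(a) > brute_force_guesses(b) else "b",
        "pattern_aware": "a" if pattern_aware_guesses(a) > pattern_aware_guesses(b) else "b",
    }


if __name__ == "__main__":
    for pw in (LONG_PW, SHORT_PW):
        print(f"{pw!r}: brute force {bits(brute_force_guesses(pw)):.1f} bits, "
              f"pattern-aware {bits(pattern_aware_guesses(pw)):.1f} bits")
    print(compare(LONG_PW, SHORT_PW))
```

Under the keystroke-counting model the 36-character string is about 169 bits of work against roughly 24 bits for "6@h.", so it wins by a wide margin; once the guesser models repetition, "as" times 18 collapses to about 15 bits and the order reverses. Real strength estimators such as zxcvbn include this kind of repeat matching, which is why the number of keystrokes by itself is not what carries a password's strength.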
