[OpenID] Google Removes Relying Party Pre-Registration
Nick Owen
nowen at wikidsystems.com
Wed Nov 5 13:27:04 UTC 2008
Steven Livingstone-Perez wrote:
> Random thought – and no expert in this - but if the client had some
> code that used a well known time-based algorithm to generate a unique
> token/pin and combined it with a selected OpenID (i.e. the token
> generated +openid in the next 60 secs will be the same as the token
> generated at a remote location + openid) then could that not be used as
> the basis of oAuth requests?
>
> I have seen secure token for years which automates this [1] but maybe
> through things such as Google gears (which I have on my pda) it would be
> possible to provide some simple signed code that could manage this so
> any client browser, application etc just makes a call (which **if**
> really desired could itself be password protected on the client device)
> and then you don’t need to remember any PIN – all the user needs to do
> is select the OpenID to use and the “pin” is auto-generated for your device.
>
> I haven’t thought through all the detail, just wanted to see if anyone
> had considered this technique?
Time-based OTP generation systems suffer from clock drift - how do you
handle differences in clocks across disparate systems? Commercial token
systems have a method of prompting for future valid passcodes to
maintain a drift setting for each user. It's doable, but certainly
harder than it looks on the surface.
There is no doubt that adding two-factor authentication would add
security. While you're at it, why not add mutual https authentication to
the openid URL to stop network-based MITM attacks? That way you prevent
the phishing of OpenID credentials and you get 2FA for the session.
http://en.wikipedia.org/wiki/Mutual_authentication
nick
--
Nick Owen
WiKID Systems, Inc.
404-962-8983 (desk)
http://www.wikidsystems.com
Open-source Two-Factor Authentication
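To make the clock-drift point concrete, here is an added example (not code from either poster or from WiKID) of RFC 6238 TOTP with the kind of per-user drift tracking Nick describes: the server searches a small window around the expected time step, remembers the offset it observed for that user, and offers a wider "resync" path that asks for two consecutive codes, as commercial token systems do. The window sizes, the resync rule and the in-memory state are assumptions chosen for illustration; the algorithm and the 8-digit test secret are the RFC's own.

```python
"""TOTP (RFC 6238) with per-user clock-drift tracking and resync.

Added example; the drift/resync policy is an illustrative assumption,
not any particular product's implementation.
"""
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per step, the RFC 6238 default
DIGITS = 8      # RFC 6238 test vectors use 8-digit codes

# RFC 6238 reference secret (ASCII "12345678901234567890"); test data only.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP is HOTP with the counter set to floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


class DriftAwareVerifier:
    """Server side of the exchange.

    - Normal verification accepts a code within +/- `window` steps of the
      step the server expects *after* applying the drift already recorded
      for this user, so a slowly drifting client keeps working.
    - A successful match updates the recorded drift, so drift is tracked
      rather than re-discovered each time.
    - A code is never accepted for a step at or before the last accepted
      one, which blocks replay inside the window.
    - `resync` is the "prompt for future valid passcodes" path: two
      consecutive codes are searched over a much wider window.
    """

    def __init__(self, window: int = 1, max_drift: int = 10):
        self.window = window          # steps either side during normal login
        self.max_drift = max_drift    # steps either side during resync
        self.drift = {}               # user -> (client step - server step)
        self.last_step = {}           # user -> last accepted step (anti-replay)

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        server_step = now // TIME_STEP
        base = server_step + self.drift.get(user, 0)
        for delta in range(-self.window, self.window + 1):
            step = base + delta
            if hmac.compare_digest(hotp(secret, step), code):
                if step <= self.last_step.get(user, -1):
                    return False  # already used: replay within the window
                self.last_step[user] = step
                self.drift[user] = step - server_step
                return True
        return False

    def resync(self, user: str, secret: bytes, code1: str, code2: str, now: int) -> bool:
        """Accept two consecutive codes anywhere within +/- max_drift steps
        and record the implied offset; both codes must match adjacent steps."""
        server_step = now // TIME_STEP
        for delta in range(-self.max_drift, self.max_drift + 1):
            step = server_step + delta
            if (hmac.compare_digest(hotp(secret, step), code1)
                    and hmac.compare_digest(hotp(secret, step + 1), code2)):
                self.drift[user] = delta
                self.last_step[user] = step + 1
                return True
        return False


if __name__ == "__main__":
    # Constructed scenario: the client's clock runs 90 s (3 steps) ahead.
    v = DriftAwareVerifier()
    print("in-window:", v.verify("alice", RFC_SECRET, totp(RFC_SECRET, 59), 59))
    print("3 steps ahead, no drift recorded:",
          v.verify("bob", RFC_SECRET, totp(RFC_SECRET, 1090), 1000))
    print("resync:", v.resync("bob", RFC_SECRET, totp(RFC_SECRET, 1090),
                              totp(RFC_SECRET, 1120), 1000))
    print("after resync:", v.verify("bob", RFC_SECRET, totp(RFC_SECRET, 1150), 1060))
```

The `compare_digest` calls keep the comparison constant-time, and the anti-replay check matters precisely because the window makes several codes valid at once: without `last_step`, a code sniffed and replayed within the same 30 seconds would be accepted. Note that even with drift tracking, a one-time code alone does nothing against a live man-in-the-middle relaying it, which is why the message goes on to suggest mutual TLS in addition.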