[OpenID] 2-Headed OpenID Auth for Increased Security?
David Recordon
drecordon at sixapart.com
Sat Nov 29 20:18:10 UTC 2008
Hey David,
I'd imagine that if someone like a bank were to accept OpenID logins
there would be some form of whitelisting/accreditation of OPs to help
mitigate this sort of problem. Dick's talked about approaches like
this in the past, two identifiers and a public/private key, though I
personally think it's a bit out of scope for OpenID right now. XRDS
currently supports the ability to list multiple OPs so I'd imagine you
could build this type of setup using it.
--David
On Nov 29, 2008, at 10:41 AM, David Fuelling wrote:
> Hey List,
>
> I've been thinking about the security of OpenID lately, dreaming
> about the day when I'll be able to use OpenID at my bank's website.
> One issue that I keep coming back to is that my OP (or a rogue
> employee at my OP) could masquerade as me at OpenID-enabled RPs
> across the web since the OP is a single authentication point in the
> OpenID ecosystem.
>
> To mitigate this problem, one idea I have would be to utilize a 2-
> headed OpenID auth scheme, whereby a "higher security" RP (like my
> bank) would require OpenID authentication assertions from two
> separate OPs. This would preclude somebody at OP #1 from
> masquerading as me, since any RP would require a second auth from a
> different OP, outside the control of the first OP.
>
> On the face of it all, this approach would seem to require two
> different OpenIDs (one for each OP). However, using Yadis/XRDS, one
> could specify a primary and secondary OP for a particular OpenID.
> Assuming that the user is logged-in to both OPs, this dual-auth may
> even go unnoticed by the user. Of course, an RP could also just
> allow the user to select two different OPs to use for auth
> assertions at login time.
>
> I suppose there are several ways to make this happen, but I'd
> appreciate any feedback on this idea...
>
> Thanks!
>
> David
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
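The RP-side policy sketched in the quoted message, as an added example that is not code from either poster or from any OpenID library: a Yadis/XRDS document lists a primary and a secondary OP for one identifier, and the RP accepts a login only when it holds assertions from two independent OPs that were both discovered for that identifier. The XRDS document, the identifier https://alice.example/ and the OP endpoints are constructed for illustration; signature verification of each assertion is assumed to have been done already by a normal OpenID 2.0 library, so only discovery and the dual-OP acceptance check are modelled here.

```python
# Added example (not from the original thread): RP-side "two-headed" OpenID
# acceptance. Assumes each assertion's signature was already verified by a
# regular OpenID 2.0 library; this code models discovery and the dual-OP policy.
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"

# Constructed sample XRDS for the hypothetical identifier https://alice.example/
# listing a secondary OP (priority 10) before a primary OP (priority 0), to show
# that ordering comes from the priority attribute, not document order.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op2.example/server</URI>
      <LocalID>https://op2.example/users/alice</LocalID>
    </Service>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op1.example/openid</URI>
      <LocalID>https://op1.example/alice</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def discover_ops(xrds_text):
    """Return [(op_endpoint, local_id), ...] for OpenID 2.0 signon services,
    ordered by Yadis priority (lower number preferred; missing = lowest)."""
    root = ET.fromstring(xrds_text)
    services = []
    for svc in root.iter("{%s}Service" % XRD_NS):
        types = [t.text.strip() for t in svc.findall("{%s}Type" % XRD_NS) if t.text]
        if OPENID2_SIGNON not in types:
            continue
        uri = svc.find("{%s}URI" % XRD_NS)
        local = svc.find("{%s}LocalID" % XRD_NS)
        if uri is None or not uri.text:
            continue
        prio = svc.get("priority")
        prio = int(prio) if prio is not None and prio.isdigit() else float("inf")
        local_id = local.text.strip() if local is not None and local.text else None
        services.append((prio, uri.text.strip(), local_id))
    services.sort(key=lambda s: s[0])  # stable sort keeps document order on ties
    return [(uri, local_id) for _, uri, local_id in services]


def accept_dual_assertion(claimed_id, discovered, assertions, min_ops=2):
    """Decide whether already signature-verified assertions satisfy the two-OP
    policy for claimed_id. discovered is discover_ops() output; each assertion
    is a dict with op_endpoint, claimed_id and identity (the OP-local id).
    Returns (accepted, reason)."""
    by_endpoint = dict(discovered)
    seen_hosts = set()
    for a in assertions:
        ep = a.get("op_endpoint")
        if a.get("claimed_id") != claimed_id:
            return False, "assertion is for a different claimed identifier"
        if ep not in by_endpoint:
            # An OP the user never listed in their XRDS gets no say at all.
            return False, "op_endpoint %s was not discovered for %s" % (ep, claimed_id)
        expected_local = by_endpoint[ep] or claimed_id
        if a.get("identity") != expected_local:
            # Mirrors OpenID 2.0 discovery verification: the OP may only
            # assert the local identifier discovery bound to it.
            return False, "OP-local identity does not match discovery for %s" % ep
        host = urlparse(ep).netloc.lower()
        if host in seen_hosts:
            # Two assertions from the same OP host give no independence.
            return False, "duplicate assertion from OP host %s" % host
        seen_hosts.add(host)
    if len(seen_hosts) < min_ops:
        return False, "need %d independent OPs, got %d" % (min_ops, len(seen_hosts))
    return True, "accepted with %d independent OPs" % len(seen_hosts)


if __name__ == "__main__":
    cid = "https://alice.example/"
    ops = discover_ops(SAMPLE_XRDS)
    primary = {"op_endpoint": "https://op1.example/openid", "claimed_id": cid,
               "identity": "https://op1.example/alice"}
    secondary = {"op_endpoint": "https://op2.example/server", "claimed_id": cid,
                 "identity": "https://op2.example/users/alice"}
    print(accept_dual_assertion(cid, ops, [primary, secondary]))
    # A rogue OP #1 acting alone, or replaying its own assertion twice, fails.
    print(accept_dual_assertion(cid, ops, [primary]))
    print(accept_dual_assertion(cid, ops, [primary, primary]))
```

Comparing OPs by host only rules out the trivial case of one OP answering twice; whether two hosts are really under separate control is an accreditation question, which is the whitelisting point made in the reply above.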