[OpenID] Security related Use Cases?

Peter Williams pwilliams at rapattoni.com
Wed Oct 22 16:32:37 UTC 2008


I just don't have any choice, and I can't sit there whining or posturing. My users operate in the same worst-scenario "consumer space" as do those using gmail (perhaps not GoogleApps, generally, though?); the users' PCs are unmanaged, or only semi-managed at best. Our IDPs already cooperate with GoogleApps over SAML2 (so realtors can opt in to access its/their gmail/calendar, etc.).

So who is getting phished, really? Us or GoogleApps!! The users will see it as Google (since they just want their "gmail").

Viruses, unmanaged, shared machine = consumer reality.

To date, we address the authentication issue by inviting people to use a 20-year-old technology: one-time passwords from the RSA SecurID hardware token. The logic was simple: good enough for the CIA? Good enough for our users. Phishing has not been a direct issue to date, as realty uses the PKI/LRA models of enrollment (i.e. offline enrollment/management). In the last 3 years, about 30% of folks have taken up the offer of RSA's SecurID logon (over SSL), and about the same has been seen by our competitors (using variant OTP devices).

As a SaaS outsourcer (formally), we have to respect when our SaaS customer says: it's not an issue. The critical thing, as any CISSP knows, is to educate folks on the threats, and work with them to find their own risk mitigation model, one that fits their budget. In many cases, that budget was set at $0. But then, the service they are buying is only a few dollars a month... so it's hard to justify $1 in auth for $10 in service.

To bring down the cost (50% said they could not ever imagine justifying even $1 a month for the RSA token), we have finally decided to offer the site seal and anti-fraud techniques the online banks use. The logic is even simpler than the CIA logic: if you, the consumer, are willing to use it for YOUR online banking, you can use the same stuff here. We even joined the RSA eFraudNetwork (so certain facts about the phishing detected/suspected on one bank's system are signaled to all the others in the net).

Then, you have to consider what impact websso has on the user (SAML2 or OpenID, it makes precious little difference). So far, and we are 2 years into the websso program, we have had very little pushback from people. They beg for the "solve the multi-password problem" and see SSO as it, with a little local trust magic thrown in for good measure. Whether a given community wants the eFraud benefits (and its spying/correlation side effects), whether they prefer hardware tokens..., or whether they do absolutely nothing (50%) is all up to them.

Not everything has to be magic "consistent UI". It can be expert systems, and/or hardware, and/or good old-fashioned 100-year-old brick offices with real staff, in 300 cities (the realty way).

But then, I only get to deal these days with 1,000,000-person-scale problems, in those 300 cities. Google has bigger issues, and larger scale. Google's internal free food budget is also larger than the entire revenue of the realty auth+service market, too!


-----Original Message-----
From: SitG Admin [mailto:sysadmin at shadowsinthegarden.com]
Sent: Wednesday, October 22, 2008 8:54 AM
To: Ben Laurie
Cc: Peter Williams; general at openid.net
Subject: Re: [OpenID] Security related Use Cases?

>>  don't stop. I have 15% of users sitting at shared PCs, using a shared
>>  account and shared cookie jar, on a win98-era LAN. (Thus, Yahoo-based
>>  machine-based auth is out of the question.) If they are lucky, the machine
>>  is "modern": it's running XP home edition, unpatched, with no virus checking.
>
>OK, so you're OK with your users getting phished - that's your problem.

Peter has a large enough user base that I consider it roughly
representative of the global userbase (a rule, not an exception). We
don't know the exact percentage but we can be reasonably certain that
(as an absolute numerical amount) it's more than just Peter's users
here. This sort of thing hinders adoption, and that makes it "our"
(as in, the OpenID community's) problem rather than "Peter's" problem.

-Shade
