[security] strong auth in OpenID

Pawel Krawczyk pawel.krawczyk at hush.com
Sun Jan 21 22:47:15 UTC 2007


Hello! I have watched the discussion about phishing for a while and I've
come up with the following thoughts.

First of all, the browser plugin ideas are kind of voodoo. No one really,
except for security geeks, will use them and no one will treat them
seriously. Customized pictures on OP are a good idea, but as an addition -
one of many - and not the base of the system's security.

I'm using OpenID right now myself and I find its current security level
enough - enough for some open-source portals, news, forums etc. Risk
analysis says that no one will phish these sites because they can't get
real money from it. That's why I'm using it.

Where the money is are the banks, auction sites and internet shops. They
are being actively phished and they will never, in any case, use a new
authentication scheme that lacks:

* website identity authentication through PKI and SSL
* strong, easy to use and non-phishable authentication

The first is obvious.

The latter could be either two-factor authentication with hardware
tokens or one-time password lists. It could be also digital signature,
already introduced in some Polish banks.

There has been at least one interesting authentication scheme published,
involving pictures, which was difficult to phish and easy to use.

I don't think anyone will risk using OpenID if its security is below
these requirements.

-- 
Paweł Krawczyk, tel: +48 602 776959, fax: +48-12-3982295
icq:269067512, gg:4856478, http://ipsec.pl/podpis_elektroniczny/