Auto logout? Request re-authentication from the server?
Dick Hardt
dick at sxip.com
Wed Jul 2 16:23:13 UTC 2008
One parameter of PAPE was allowing the RP to specify how long it had
been since the OP had authenticated the user.
There is a PAPE working group right now, if you were interested in
looking at how your suggestions would be incorporated, I am sure they
would welcome you to the group.
I've cc'ed Mike Jones, who is one of the people driving PAPE.
-- Dick
On 2-Jul-08, at 7:45 AM, Simon Josefsson wrote:
> Hi.
>
> Is there a best practice on how OpenID consumers can find out whether
> re-authenticating the user, via the OpenID server, once in a while can
> lead to improved security?
>
> The security of normal one-time password systems (SecurID, SMS codes,
> Yubikeys, ..) can be improved if you ask for a new one-time password
> once in a while.
>
> Of course, the OpenID server cannot do this on its own, so it needs to
> be initiated by the OpenID consumer, but that will not happen without
> clues that it is a good idea to perform re-authentication.
>
> Thoughts?
>
> Would this be a worthwhile addition to the
> openid-provider-authentication-policy-extension document? I'm thinking
> that the Response Parameters should include an optional parameter that
> implies that a one-time-password system was used, which suggests that
> the RP may re-authenticate the user more frequently.
>
> It may be useful to generalize this idea somewhat, but I can't come up
> with a better abstraction. Even re-authenticating using password may
> improve security in some situations (although I suspect most passwords
> are cached by browsers anyway these days). Ideas welcome.
>
> Thanks,
> Simon
>
> Btw, this idea originated from discussions on
> <http://forum.yubico.com/viewtopic.php?f=9&t=126>.
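As an added illustration of the two ideas in this thread (the RP bounding how old the OP's authentication may be, and the RP re-authenticating sooner when a stronger factor such as a one-time password was used), here is RP-side logic written for this page, not code from the PAPE working group. It assumes the PAPE 1.0 parameter names `openid.pape.max_auth_age`, `openid.pape.auth_time` and `openid.pape.auth_policies` with their `schemas.openid.net/pape/policies/2007/06/` policy URIs; the re-authentication intervals are a made-up RP policy.

```python
from datetime import datetime, timedelta, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY = "http://schemas.openid.net/pape/policies/2007/06/"
MULTI_FACTOR = POLICY + "multi-factor"
MULTI_FACTOR_PHYSICAL = POLICY + "multi-factor-physical"

# Hypothetical RP policy: how long a local session may live before the RP
# sends the user back to the OP for a fresh login. A hardware one-time
# password (multi-factor-physical) is cheap to ask for again, so it gets
# the shortest interval, as the thread suggests.
REAUTH_INTERVAL = {
    MULTI_FACTOR_PHYSICAL: timedelta(hours=1),
    MULTI_FACTOR: timedelta(hours=4),
    "none": timedelta(hours=12),
}

def pape_request_params(max_auth_age_seconds, preferred=(MULTI_FACTOR_PHYSICAL,)):
    """Extension fields the RP adds to its checkid_setup request."""
    return {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.max_auth_age": str(max_auth_age_seconds),
        "openid.pape.preferred_auth_policies": " ".join(preferred),
    }

def parse_auth_time(value):
    # PAPE reports auth_time in UTC as YYYY-MM-DDThh:mm:ssZ.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_pape_response(params, max_auth_age_seconds, now):
    """Return (accept, reauth_after) for a positive assertion's PAPE fields.

    accept is False when the OP did not say when it authenticated the user,
    when that time is in the future (clock skew or tampering), or when it is
    older than the RP asked for. reauth_after is when the RP should send the
    user back to the OP, chosen from the strongest policy the OP reported.
    """
    raw = params.get("openid.pape.auth_time")
    if raw is None:
        return False, None
    auth_time = parse_auth_time(raw)
    if auth_time > now + timedelta(minutes=5):
        return False, None
    if now - auth_time > timedelta(seconds=max_auth_age_seconds):
        return False, None
    policies = params.get("openid.pape.auth_policies", "none").split()
    interval = min(REAUTH_INTERVAL.get(p, REAUTH_INTERVAL["none"]) for p in policies)
    return True, auth_time + interval
```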