Getting authentication strength when accepting OpenID
Dennis Gearon
gearond at sbcglobal.net
Mon Aug 16 05:08:07 UTC 2010
I would like to hear some small discussion on an idea/request that I have for the openID spec.
When validating with an openID source/server (not up to speed on architecture of openID yet), part of what gets returned is the following data:
A/ A standardized authentication-difficulty rating from the site validating the user. I.e., if my password at Yahoo is only 6 characters long, and Yahoo accepts it, Yahoo still runs an openID lib procedure against the password when it's created and some standard values get returned, i.e.:
weak
OK
strong
exceptional.
B/ A second field saying whether multiple tokens were used, such as:
one time pad rotating code key fobs
password and drop of blood
password and handprint
et al.
OR, it could send a value saying it meets certain standards out there, if there are any. Maybe setting standards would be a good idea!!! I bet the military has some. Apparently, congressmen and others aren't required to use them on their email/social site accounts ;-)
Dennis Gearon
Signature Warning
----------------
EARTH has a Right To Life,
otherwise we all die.
Read 'Hot, Flat, and Crowded'
Laugh at http://www.yert.com/film.php