Getting authentication strength when accepting OpenID
David Recordon
recordond at gmail.com
Mon Aug 16 06:22:48 UTC 2010
Hey Dennis, take a look at the Provider Authentication Policy Exchange
extension as it's meant to provide some of this sort of information.
It is a bit more abstract than what you're describing, but has been
used successfully for similar needs.
http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html
--David
On Sun, Aug 15, 2010 at 10:08 PM, Dennis Gearon <gearond at sbcglobal.net> wrote:
> I would like to hear some small discussion on an idea/request that I have for the openID spec.
>
> When validating with an openID source/server (not up to speed on architecture of openID yet), part of what gets returned is the following data:
>
> A/ A standardized authentication-difficulty rating from the site validating the user. I.E., If my password at yahoo is only 6 characters long, and Yahoo accepts it, yahoo still runs an openID lib procedure against the password when it's created and some standard values get returned, i.e.:
>
> weak
> OK
> strong
> exceptional.
>
> B/ A second field saying whether multiple tokens were used, such as:
>
> one time pad rotating code key fobs
> password and drop of blood
> password and handprint
> et al.
>
> OR, it could send a value saying it meets certain standards out there, if there are any. Maybe setting standards would be a good idea!!! I bet the military has some. Apparently, congressmen and others aren't required to use them on their email/social site accounts ;-)
>
>
>
>
> Dennis Gearon
>
> Signature Warning
> ----------------
> EARTH has a Right To Life,
> otherwise we all die.
>
> Read 'Hot, Flat, and Crowded'
> Laugh at http://www.yert.com/film.php
>
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
>
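
An added example, not part of either message above and not taken from any OpenID library: how a relying party could read the Provider Authentication Policy Exchange fields of a positive assertion to get the two things asked about, a strength rating (the NIST assurance level) and whether multiple factors were used (the multi-factor policy). The parameter names and URIs are those defined in the PAPE 1.0 specification linked above; the function name, the `p1` alias and the sample response are constructed, and the assertion's signature is assumed to have been verified already by the OpenID library.

```python
from datetime import datetime, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY = "http://schemas.openid.net/pape/policies/2007/06/"
NIST_NS = "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf"

def read_pape(params, now, max_age_s=3600):
    """Return (policies, nist_level, fresh) from a response whose signature
    the OpenID library has already verified (assumption of this example)."""
    signed = set(params.get("openid.signed", "").split(","))

    def get(key):
        # Only fields listed in openid.signed are covered by the signature.
        return params.get("openid." + key) if key in signed else None

    # The OP picks the extension alias, so locate it by namespace URI.
    alias = next((k[len("openid.ns."):] for k, v in params.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS
                  and k[len("openid."):] in signed), None)
    if alias is None:
        return set(), None, False
    # The "none" policy URI means no policy was applied; drop it.
    policies = set((get(alias + ".auth_policies") or "").split()) - {POLICY + "none"}
    fresh = False
    stamp = get(alias + ".auth_time")
    if stamp:
        try:
            t = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            fresh = 0 <= (now - t).total_seconds() <= max_age_s
        except ValueError:
            pass  # malformed timestamp: treat the login as not fresh
    level = None
    ns_prefix = alias + ".auth_level.ns."
    for key in signed:
        if key.startswith(ns_prefix) and get(key) == NIST_NS:
            raw = get(alias + ".auth_level." + key[len(ns_prefix):]) or ""
            level = int(raw) if raw.isdigit() else None
    return policies, level, fresh

# Constructed sample response (not captured traffic); alias "p1" chosen on purpose.
SAMPLE = {
    "openid.ns.p1": PAPE_NS,
    "openid.p1.auth_policies": POLICY + "multi-factor " + POLICY + "phishing-resistant",
    "openid.p1.auth_time": "2010-08-16T06:00:00Z",
    "openid.p1.auth_level.ns.nist": NIST_NS,
    "openid.p1.auth_level.nist": "2",
    "openid.signed": "ns.p1,p1.auth_policies,p1.auth_time,p1.auth_level.ns.nist,p1.auth_level.nist",
}
```

A relying party would then gate sensitive actions on the returned values, for example requiring `POLICY + "multi-factor"` in the policy set and a fresh login; fields missing from `openid.signed` are ignored because nothing binds them to the provider.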