myopenid and cap-key-links instead of passwords

Jens Alfke jens at mooseyard.com
Fri Jan 27 23:49:45 UTC 2006


On 27 Jan '06, at 2:59 PM, David Nicol wrote:

> By using passwords, this SSO system contributes to the password glut
> rather than helping mitigate it more aggressively.

One password is admittedly more than none, but the next time you  
comment to another blog using your OpenID instead of registering  
another account, you're already ahead.

I don't know what OS or browser you use, but most have mechanisms for  
automatically storing and filling in passwords. The Keychain on Mac  
OS X has pretty good security.

> A better system IMO is to use e-mailed tokens to verify identity.  Not
> just at the beginning for e-mail association verification but for  
> sign-in.

Doesn't that beg the question of what you use to authenticate  
yourself to your mail server?

Seriously, emailing magic cookies is not very secure.  It relies  
entirely on the impracticality of watching the traffic. The message  
is sent in the clear, so anyone who can see the packets can trivially  
impersonate that person. Password logins over SSL at least have some  
crypto protecting them.

Not that passwords aren't a problem. But the realistic solutions I've  
heard of tend to involve challenge/response protocols with hardware  
tokens on the user's end (like the CryptoCard™ I have for logging  
into my employer's VPN.)

--Jens
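To make the contrast in the message above concrete, here is an added example (not code from the thread or from any OpenID implementation; the secret, nonces and class names are constructed for the demonstration). A mailed "magic cookie" is a bearer value, so any copy of it that was seen in transit logs in on its own, whereas a challenge/response token's answer is bound to a fresh server nonce and is rejected when presented again:

```python
import hashlib
import hmac
import secrets
TOKEN_SECRET = b"constructed-demo-secret"   # constructed; stands in for a hardware token's key

class MagicCookieServer:
    """Emailed sign-in cookie: a bearer value sent in the clear."""
    def __init__(self):
        self.outstanding = set()
    def issue(self):
        cookie = secrets.token_hex(16)   # this is what goes out in the email
        self.outstanding.add(cookie)
        return cookie
    def login(self, cookie):
        # Any holder of the value is accepted; the server cannot tell who read the mail.
        accepted = cookie in self.outstanding
        self.outstanding.discard(cookie)
        return accepted

class ChallengeResponseServer:
    """Server sends a fresh nonce; the user's token answers HMAC(secret, nonce)."""
    def __init__(self, secret):
        self.secret = secret
        self.pending = {}
    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce
    def login(self, user, response):
        nonce = self.pending.pop(user, None)   # each challenge is usable once
        if nonce is None:
            return False
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def token_answer(secret, nonce):
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def replay_magic_cookie():
    server = MagicCookieServer()
    return server.login(server.issue())   # a copy of the mailed value suffices: True

def replay_challenge_response():
    """(legitimate login ok, same answer replayed at the next sign-in): (True, False)."""
    server = ChallengeResponseServer(TOKEN_SECRET)
    observed = token_answer(TOKEN_SECRET, server.challenge("alice"))
    legit = server.login("alice", observed)
    server.challenge("alice")   # the next sign-in is bound to a new nonce
    return legit, server.login("alice", observed)
```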