myopenid and cap-key-links instead of passwords
Jens Alfke
jens at mooseyard.com
Fri Jan 27 23:49:45 UTC 2006
On 27 Jan '06, at 2:59 PM, David Nicol wrote:
> By using passwords, this SSO system contributes to the password glut
> rather than helping mitigate it more aggressively.
One password is admittedly more than none, but the next time you
comment to another blog using your OpenID instead of registering
another account, you're already ahead.
I don't know what OS or browser you use, but most have mechanisms for
automatically storing and filling in passwords. The Keychain on Mac
OS X has pretty good security.
> A better system IMO is to use e-mailed tokens to verify identity. Not
> just at the beginning for e-mail association verification but for
> sign-in.
Doesn't that beg the question of what you use to authenticate
yourself to your mail server?
Seriously, emailing magic cookies is not very secure. It relies
entirely on the impracticality of watching the traffic. The message
is sent in the clear, so anyone who can see the packets can trivially
impersonate that person. Password logins over SSL at least have some
crypto protecting them.
Not that passwords aren't a problem. But the realistic solutions I've
heard of tend to involve challenge/response protocols with hardware
tokens on the user's end (like the CryptoCard™ I have for logging
into my employer's VPN.)
--Jens
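The contrast drawn above, an e-mailed magic cookie that travels in the clear versus a challenge/response exchange in which the shared key never leaves the token, as an added example that is not part of the original post; the function names and the in-memory store are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# --- Scheme 1: e-mailed sign-in token (a bearer credential) ---

def issue_email_token(store, user):
    """Server mints a random token, records it, and 'mails' it to the user.
    The returned value is exactly what an observer of the unencrypted
    mail traffic would see."""
    token = secrets.token_hex(16)
    store[user] = token
    return token

def redeem_email_token(store, user, token):
    """Single-use redemption: whoever presents the token first is signed in."""
    expected = store.pop(user, None)
    return expected is not None and hmac.compare_digest(expected, token)

def replay_observed_email_token(store, user):
    """An observer who saw the mail presents the same token (constructed scenario)."""
    observed = issue_email_token(store, user)
    return redeem_email_token(store, user, observed)   # True: the cookie is the credential

# --- Scheme 2: challenge/response with a key held on a hardware token ---

def new_challenge():
    """Server side: a fresh random nonce per login attempt."""
    return secrets.token_bytes(16)

def token_response(key, challenge):
    """Token side: an HMAC over the challenge; only the response crosses the wire."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def verify_response(key, challenge, response):
    """Server side: recompute with the enrolled key and compare in constant time."""
    return hmac.compare_digest(token_response(key, challenge), response)

def replay_observed_response(key):
    """An observer records one full exchange, then presents the old response
    to a later login; the server has issued a new challenge (constructed scenario)."""
    old_challenge = new_challenge()
    old_response = token_response(key, old_challenge)
    fresh_challenge = new_challenge()
    return verify_response(key, fresh_challenge, old_response)  # False: nonce differs
```

Sending the link over TLS protects it in transit but does not change its nature: the token is still a bearer credential, so whoever holds the message holds the login.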