Comments on: More sign-ups for OpenID http://www.mikeandrews.com/2008/01/20/more-sign-ups-for-openid/ Fri, 09 Apr 2010 12:01:55 -0700 http://wordpress.org/?v=2.9.2 hourly 1 By: Web Worker Daily » Archive OpenID: A Contrarian View « http://www.mikeandrews.com/2008/01/20/more-sign-ups-for-openid/comment-page-1/#comment-164 Web Worker Daily » Archive OpenID: A Contrarian View « Wed, 21 May 2008 18:00:34 +0000 http://www.mikeandrews.com/2008/01/20/more-sign-ups-for-openid/#comment-164 [...] don’t trust it: This has been discussed extensively elsewhere, and there’s been more heat than light thrown on the issues. But my own [...] [...] don’t trust it: This has been discussed extensively elsewhere, and there’s been more heat than light thrown on the issues. But my own [...]

]]> By: Mike http://www.mikeandrews.com/2008/01/20/more-sign-ups-for-openid/comment-page-1/#comment-10 Mike Wed, 23 Jan 2008 03:56:45 +0000 http://www.mikeandrews.com/2008/01/20/more-sign-ups-for-openid/#comment-10 Thanks for th info Steve. I've not seen the seatbelt plugin, and to be fair it doesnt give that many details on the page(s), but I still can't see how it can protect from, say, a phishing site tricking a user to enter in creds to it's own authentication providor. I'll have to look into it a bit deeper. Nice to see that there's a single sign-on solution that is using 2nd factor auth. I though there must be one out there somewhere, but not being a PayPal or eBay customer, I've not come across this yet. Anyone else with any examples? Thanks for th info Steve. I’ve not seen the seatbelt plugin, and to be fair it doesnt give that many details on the page(s), but I still can’t see how it can protect from, say, a phishing site tricking a user to enter in creds to it’s own authentication providor. I’ll have to look into it a bit deeper.

Nice to see that there’s a single sign-on solution that is using 2nd factor auth. I though there must be one out there somewhere, but not being a PayPal or eBay customer, I’ve not come across this yet. Anyone else with any examples?

]]> By: Steve Pinkham http://www.mikeandrews.com/2008/01/20/more-sign-ups-for-openid/comment-page-1/#comment-4 Steve Pinkham Mon, 21 Jan 2008 21:20:02 +0000 http://www.mikeandrews.com/2008/01/20/more-sign-ups-for-openid/#comment-4 VeriSign is doing some cool work with OpenID that addresses both the issues you have. Seatbelt is a Firefox Extension that does an excellent job of addressing the phishing / MITM problems of OpenID by federating the login process. See <a href="https://pip.verisignlabs.com/seatbelt.do" rel="nofollow">https://pip.verisignlabs.com/seatbelt.do</a>https://pip.verisignlabs.com/seatbelt.do for (slightly) more information. It works with other OpenID providers, but defaults to VeriSign's service. The only downside I've found so far is it adds a HTTP header to ALL your traffic, which looks like this: X-OPENID-ANTI-PHISHING: VeriSign's OpenID SeatBelt/1.0.0.3325 If a vulnerability is found in the plugin, it's easy to pick out the vulnerable surfers to your website. Also, they offer a keyfob or credit form factor token which acts as a strong second factor for authentication. It's available for $5 through PayPal, and will work with Ebay, PayPal and/or VeriSign's OpenID service. More information on the tokens is available at <a>https://idprotect.verisign.com/learnmore.v</a> and <a href="https://www.paypal.com/securitykey" rel="nofollow">https://www.paypal.com/securitykey.</a> VeriSign will also take $30 for you for a purple cased version of the same token if you wish... The combination of the above makes me feel quite comfortable using OpenID, in preference to most any other login scheme currently available. Hopefully plugins or native functionality similar to SeatBelt will appear for Opera, IE, and Safari, extending the plausibility of using OpenID in a secure manner everywhere. VeriSign is doing some cool work with OpenID that addresses both the issues you have.
Seatbelt is a Firefox Extension that does an excellent job of addressing the phishing / MITM problems of OpenID by federating the login process.
See https://pip.verisignlabs.com/seatbelt.dohttps://pip.verisignlabs.com/seatbelt.do for (slightly) more information.
It works with other OpenID providers, but defaults to VeriSign’s service. The only downside I’ve found so far is it adds a HTTP header to ALL your traffic, which looks like this:
X-OPENID-ANTI-PHISHING: VeriSign’s OpenID SeatBelt/1.0.0.3325
If a vulnerability is found in the plugin, it’s easy to pick out the vulnerable surfers to your website.
Also, they offer a keyfob or credit form factor token which acts as a strong second factor for authentication. It’s available for $5 through PayPal, and will work with Ebay, PayPal and/or VeriSign’s OpenID service.
More information on the tokens is available at https://idprotect.verisign.com/learnmore.v
and https://www.paypal.com/securitykey.
VeriSign will also take $30 for you for a purple cased version of the same token if you wish…
The combination of the above makes me feel quite comfortable using OpenID, in preference to most any other login scheme currently available. Hopefully plugins or native functionality similar to SeatBelt will appear for Opera, IE, and Safari, extending the plausibility of using OpenID in a secure manner everywhere.

]]>