[Full-disclosure] OpenID. The future of authentication on the web?
Paul Schmehl
pauls at utdallas.edu
Sun Mar 23 23:53:10 GMT 2008
--On March 23, 2008 4:16:28 PM -0700 Steven Rakick
<stevenrakick at yahoo.com> wrote:
> Many of you have brought up that OpenID is vulnerable
> to phishing and have highlighted weaknesses specific
> traditional username/password authentication.
>
> This was the main reason I bought up Information Cards
> in my original post. I've noticed that Beemba
> (http://www.beemba.com) and MyOpenID
> (http://www.myopenid.com) have both implemented
> Information Cards as an authentication option.
>
> Good idea?
>
> It seems to me that if you were to rely on Information
> Cards as opposed to username/password the phishing
> angle is mitigated. Is this not the case?
>
Beemba doesn't appear to have any online FAQ or help. MyOpenID points to
further information which leads to this:
"With OpenID, you don’t have to sign up and create a new account for
each site that supports OpenID – you can just use the identity you
already have. Hundreds of millions of OpenIDs already exist, and it is
likely that you already have one from a service you use."
Nice to know that someone is creating identities for me without my
knowledge. With an ethical stance like that, why should I trust them to
make my ID secure as well?
I don't see any information at all about Information Cards. Perhaps you
could provide a link?
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Full-Disclosure is hosted and sponsored by Secunia.