Ah joy. It’s 12:31 AM on Sunday morning, hence I shouldn’t be blogging: but I like the news, and it will take just a minute.
Back in June I blogged about SignOn.com, an openID provider that allows you to authenticate using personal cards side by side with traditional password support. In fact, while I was super happy to see openID-CardSpace starting to deliver, I “complained” that the password was still a necessary step for setting up an account. IMHO (and only IMHO): a system is as secure as its weakest link; and while it’s really handy to be able to use information cards for authenticating, as long as there is a chance to access the same account via a shared secret I am vulnerable to the typical attacks associated with that. Say that somebody calls me and convinces me to reveal my username & password: my account is compromised, regardless of the fact that it has infrastructure in place for supporting CardSpace as well. Again: I recognize that going pure card-based authentication is a bold step, and that for acceptance it is absolutely reasonable to offer both methods. Back in June I applauded the SignOn guys for their work, and I maintain that position today.
MyOpenID does exactly what I was asking for: it allows me to create a new openid without having to establish any password. Let me repeat/rephrase it: I can create an account that can be accessed exclusively by using a personal card. That means that phishers can call me, or pretend to be the myopenid site, until they are blue in the face: by those attack venues they are not going to learn how to sign with the private key that my personal card uses for signing tokens for myopenid. Since it is that very ability that is assessed at authentication time… BINGO 🙂
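As an added example, not code from this post or from MyOpenID/SignOn, here is a toy Python model of the two ways into one account discussed above: a shared secret that a caller or fake site can talk me out of, and a personal-card signature whose private key never leaves my machine and is bound to the site name and a one-time challenge. The site names, the 16-byte nonce and the deliberately tiny RSA key (p=61, q=53) are constructed for illustration only.

```python
# Constructed example: shared-secret login vs. signed-token login on one account.
import hashlib
import secrets

# Toy RSA key pair (n = 61*53). Hopelessly small; it only stands in for the
# card's private key (D) and the public key the provider registered (E).
N, E, D = 3233, 17, 2753

def _digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def card_sign(msg: bytes, d: int = D) -> int:
    """Runs inside the user's machine: the private exponent d never leaves it."""
    return pow(_digest(msg), d, N)

def verify(msg: bytes, sig: int, e: int = E) -> bool:
    return pow(sig, e, N) == _digest(msg)

def token_for(site: str, nonce: bytes) -> int:
    """The card binds its signature to the site it thinks it is talking to."""
    return card_sign(site.encode() + nonce)

class RelyingParty:
    def __init__(self, name, password, card_pubkey):
        self.name = name
        self.pw_hash = hashlib.sha256(password.encode()).hexdigest() if password else None
        self.card_pubkey = card_pubkey
        self.nonces = set()           # challenges issued and not yet consumed

    def login_password(self, password: str) -> bool:
        if self.pw_hash is None:      # account created without any password
            return False
        return hashlib.sha256(password.encode()).hexdigest() == self.pw_hash

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.nonces.add(nonce)
        return nonce

    def login_card(self, nonce: bytes, sig: int) -> bool:
        if nonce not in self.nonces:  # replay, or a token minted for a fake site
            return False
        self.nonces.discard(nonce)    # each challenge answers exactly once
        return verify(self.name.encode() + nonce, sig, self.card_pubkey)

def phish_password_account() -> bool:
    rp = RelyingParty("signon.example", "hunter2", E)
    stolen = "hunter2"                # user revealed it on the phone or a fake site
    return rp.login_password(stolen)  # True: the weakest link gives the account away

def phish_card_only_account() -> bool:
    rp = RelyingParty("myopenid.example", None, E)
    fake_nonce = secrets.token_bytes(16)                  # issued by the fake site
    stolen_token = token_for("myopenid.example", fake_nonce)
    real_nonce = rp.challenge()                           # what the real site wants
    # The phisher holds a signature, not the key, and it answers the wrong challenge.
    return rp.login_card(fake_nonce, stolen_token) or rp.login_card(real_nonce, stolen_token)

def legit_card_login() -> bool:
    rp = RelyingParty("myopenid.example", None, E)
    nonce = rp.challenge()
    return rp.login_card(nonce, token_for(rp.name, nonce))
```

Note that the card-only account also rejects every password attempt outright, which is exactly the property the post is celebrating.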
Ah guys, if you had come out just a few months earlier we would have included you in the book 🙂 Great job!