Tuesday, August 12, 2008

InfoCards & OpenId - Authentication Is Still A Problem

Kim Cameron comments today on a New York Times article on OpenID and Information Cards.

In his blog post, Kim argues that if people just use InfoCards, then phishing attacks for passwords are no longer possible:
When people authenticate to OpenID in a reliable way - for example, by using Information Cards - the phishing attacks are no longer possible, as I explain in this video. At that point, it becomes a safe and convenient way to use a public persona.
Honestly, I don't see why InfoCards is any better than OpenID with regard to passwords. Both systems allow an identity provider to issue "authentication" assertions that a web site (the relying party) can use.

In Kim's video, he points out that when he uses his personal "IdentityBlog" I-Card to access the evil web site, no password is provided. If no password is involved, how can the evil web site gain anything useful?

It all sounds wonderful. But Kim skips over the question of how he got that card in the first place. How was he originally authenticated when the card was issued?

Is the information card periodically refreshed or re-authenticated? If it lasts forever, what happens if the card is lost or copied? What happens if someone else is using his workstation? What happens when Kim switches workstations? For example, Kim decides to check his CNNPolitics profile from a friend's house. He'll likely have to obtain a new card, and I suspect that will involve some form of authentication with his managed card provider. It is clear that, while InfoCards may reduce the need for authentication and passwords, it does not eliminate them.

So if we assume that managed cards require authentication and re-authentication, then those ceremonies will be a familiar part of the user's experience. What is to stop an evil-doer from simply saying "your managed card has expired, please re-authenticate"? The ceremony is familiar, so will the user be alerted to anything unusual? We are right back to where we started.
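To make the two halves of this argument concrete, here is an added example (not code from Kim's post, the Information Card stack, or any OpenID library) of a simplified identity provider that issues signed, audience-bound authentication assertions, and relying parties that consume them. It models the point above that the relying party never sees a password and that an assertion issued for the evil site is useless anywhere else, and then the point of this paragraph: once the attacker has phished the identity provider login, the protection is gone. The user name, password, site URLs and the timestamp are constructed; the verification-by-callback style is modelled on OpenID's check_authentication mode, and HMAC stands in for the real token signature.

```python
import hashlib
import hmac
import json
import secrets
import time


class IdentityProvider:
    """Simplified identity provider: holds the password, issues signed assertions."""

    def __init__(self, name):
        self.name = name
        self._key = secrets.token_bytes(32)   # signing key; never leaves the IdP
        self._users = {}                       # user -> (salt, pbkdf2 digest)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def authenticate(self, user, password):
        # The only step where a password is typed: this ceremony is what a phisher targets.
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def issue_assertion(self, user, audience, now=None, ttl=300):
        # Assertion is bound to one relying party (aud) and carries no password at all.
        now = int(time.time()) if now is None else now
        claims = {"iss": self.name, "sub": user, "aud": audience,
                  "iat": now, "exp": now + ttl, "nonce": secrets.token_hex(8)}
        return {"claims": claims, "sig": self._sign(claims)}

    def _sign(self, claims):
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def check_authentication(self, assertion):
        # Like OpenID's check_authentication: the relying party asks the IdP "did you sign this?"
        return hmac.compare_digest(assertion["sig"], self._sign(assertion["claims"]))


class RelyingParty:
    """A web site that accepts assertions from the IdP instead of passwords."""

    def __init__(self, url, idp):
        self.url = url
        self.idp = idp
        self._seen_nonces = set()

    def login(self, assertion, now=None):
        now = int(time.time()) if now is None else now
        c = assertion["claims"]
        if not self.idp.check_authentication(assertion):
            return None                    # signature does not verify (tampered or forged)
        if c["aud"] != self.url:
            return None                    # issued for some other site; cannot be replayed here
        if c["exp"] <= now:
            return None                    # stale assertion
        if c["nonce"] in self._seen_nonces:
            return None                    # replay at the same site
        self._seen_nonces.add(c["nonce"])
        return c["sub"]


def demo(now=1_218_500_000):
    """Constructed scenario: Kim, an honest site, an evil site, and a phished IdP login."""
    idp = IdentityProvider("identityblog-idp")          # hypothetical names and URLs
    idp.register("kim", "correct horse")
    honest = RelyingParty("https://cnnpolitics.example/", idp)
    evil = RelyingParty("https://evil.example/", idp)

    # Kim logs in at the IdP once, then presents a card to the evil site.
    idp.authenticate("kim", "correct horse")
    to_evil = idp.issue_assertion("kim", evil.url, now=now)

    results = {}
    results["password_in_assertion"] = "correct horse" in json.dumps(to_evil)   # the evil site sees no password
    results["evil_login"] = evil.login(to_evil, now=now)                        # evil site learns only "kim"
    results["replay_at_honest"] = honest.login(to_evil, now=now)                # wrong audience: rejected
    forged = {"claims": dict(to_evil["claims"], aud=honest.url), "sig": to_evil["sig"]}
    results["forged_at_honest"] = honest.login(forged, now=now)                 # signature no longer verifies

    # The post's objection: a fake "your card has expired, please re-authenticate" prompt
    # captures the IdP password, and with it the attacker gets a valid card for any site.
    phished_password = "correct horse"                                          # what the fake prompt collected
    results["after_phished_idp_login"] = None
    if idp.authenticate("kim", phished_password):
        stolen = idp.issue_assertion("kim", honest.url, now=now)
        results["after_phished_idp_login"] = honest.login(stolen, now=now)
    return results
```

The first four results are why the evil relying party gains nothing from the card itself; the last one is why that does not help once the re-authentication ceremony at the identity provider has been phished.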

Now don't get me wrong. I'm a big fan of both OpenID and InfoCards. I'm just frustrated that one of the key pillars, authentication, is not sufficiently handled by either system.
