Thursday 14 February 2008

OpenID Developments

The OpenID Foundation recently announced that a significant chunk of the premier league heavyweight tech companies (Microsoft, Google, IBM, VeriSign, and Yahoo) were joining their board. This follows hot on the heels of Yahoo's and Google's initial implementations, which in theory mean that all of their current account holders either have, or can fairly easily get, an OpenID compliant authenticator. There's a long way to go before OpenID based authentication actually becomes mainstream, but these announcements mean that OpenID's chances of succeeding are a lot better than they used to be.

A number of us have been wondering when we would start to see a viable hardware based authenticator that would work with OpenID - now at least one vendor has begun to do just that and is selling what appears to be a simple to get and simple to use hardware based token for OpenID. This could be the start of the really interesting stuff. OpenID on its own does little to resolve phishing style attacks and is no improvement at all over standard username\password authentication in situations where the network is possibly compromised. OpenID tied to CardSpace\InfoCard closes these holes reasonably effectively, but both are still quite fragile (in my experience), somewhat tied to specific platforms, and hot portability is a bit of a problem (it's definitely a high risk behaviour when it involves un-trusted local hardware).

This type of hardware based authenticator could, if implemented correctly, solve many of the shortcomings listed above. It should share CardSpace\InfoCard's protections against DNS hijacking\Evil Twin type network interception attacks and against hash table attacks on intercepted authentication sessions. In addition it should be portable enough that you could use it on any and all systems of your choosing, and it should be very resistant to local interception\snooping, so that you could possibly use it safely on totally un-trusted local hardware such as PCs in Internet cafes.
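To make the protections above concrete, here is an added illustration of a PIN-locked token doing challenge-response login against an OpenID provider. It is not TrustBearer's, Athena's, or any other vendor's code: it stands in for the smart card's asymmetric keys with an HMAC-SHA256 secret that never leaves the token object (only per-provider derived keys are handed out at enrollment), and it binds every response to a fresh single-use nonce and to the origin the browser is actually talking to. The PIN, the provider origin, the lockout limit and the user name are all constructed for the example. The demo shows why an intercepted session gives an attacker nothing reusable: the transcript holds no password-equivalent, a replayed response fails against the consumed nonce, and a response produced for a look-alike host does not verify at the genuine provider.

```python
"""Added illustration of PIN-gated challenge-response with a non-exportable key.

Not vendor code. Symmetric HMAC stands in for the card's asymmetric scheme;
every constant (PIN, origin, user, try limit) is constructed for the demo.
"""
import hashlib
import hmac
import secrets


class HardwareToken:
    """Models the USB token: the master secret is private state with no getter."""

    MAX_PIN_TRIES = 3  # constructed lockout limit

    def __init__(self, pin: str):
        self._master = secrets.token_bytes(32)  # generated at "manufacture"; never exported
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._unlocked = False
        self._pin_failures = 0

    def unlock(self, pin: str) -> bool:
        """PIN check with a retry counter; a blocked token stays blocked."""
        if self._pin_failures >= self.MAX_PIN_TRIES:
            return False
        ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash)
        self._pin_failures = 0 if ok else self._pin_failures + 1
        self._unlocked = ok
        return ok

    def _provider_key(self, origin: str) -> bytes:
        # One derived key per provider origin; the master secret itself never leaves.
        return hmac.new(self._master, b"enroll:" + origin.encode(), hashlib.sha256).digest()

    def enroll(self, origin: str) -> bytes:
        """One-time linking to a provider: hands over only that provider's derived key."""
        if not self._unlocked:
            raise PermissionError("PIN required")
        return self._provider_key(origin)

    def respond(self, origin: str, challenge: bytes) -> bytes:
        """Answer a challenge under the key for the origin the browser plugin sees."""
        if not self._unlocked:
            raise PermissionError("PIN required")
        return hmac.new(self._provider_key(origin), origin.encode() + b"|" + challenge,
                        hashlib.sha256).digest()


class OpenIDProvider:
    """Server side: stores enrolled keys and issues single-use challenges."""

    def __init__(self, origin: str):
        self.origin = origin
        self._keys = {}      # user -> enrolled key
        self._pending = {}   # user -> outstanding nonce

    def register(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def challenge(self, user: str) -> bytes:
        self._pending[user] = secrets.token_bytes(16)  # fresh per login attempt
        return self._pending[user]

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self._pending.pop(user, None)  # consumed whether or not it verifies
        if nonce is None or user not in self._keys:
            return False
        expected = hmac.new(self._keys[user], self.origin.encode() + b"|" + nonce,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(idp: OpenIDProvider, token: HardwareToken, user: str, origin_seen: str) -> bool:
    """Browser-plugin flow: fetch a challenge, have the token answer it."""
    return idp.verify(user, token.respond(origin_seen, idp.challenge(user)))


def demo() -> dict:
    token = HardwareToken(pin="1234")              # constructed PIN
    idp = OpenIDProvider("https://idp.example")    # hypothetical provider origin
    results = {}

    try:                                           # no PIN, no answer
        token.respond(idp.origin, b"probe")
        results["locked_token_refuses"] = False
    except PermissionError:
        results["locked_token_refuses"] = True

    results["pin_accepted"] = token.unlock("1234")
    idp.register("alice", token.enroll(idp.origin))
    results["genuine_login"] = login(idp, token, "alice", idp.origin)

    # Intercepted session: the full (challenge, response) pair is captured and replayed.
    nonce = idp.challenge("alice")
    captured = token.respond(idp.origin, nonce)
    idp.verify("alice", captured)                  # legitimate use consumes the nonce
    results["replay_rejected"] = not idp.verify("alice", captured)

    # Evil twin / DNS hijack: the browser is steered to a look-alike host that relays
    # the real challenge, but the response is bound to the wrong origin.
    results["evil_twin_rejected"] = not login(idp, token, "alice", "https://idp-example.invalid")

    for _ in range(HardwareToken.MAX_PIN_TRIES):   # wrong PINs block the token
        token.unlock("0000")
    results["blocked_after_bad_pins"] = not token.unlock("1234")
    return results


if __name__ == "__main__":
    print(demo())
```

The two properties the post asks for fall out of two design choices: the nonce makes each captured transcript worthless after its one use, and deriving the key from (and signing over) the origin means a relayed challenge answered on a spoofed host never verifies at the real provider. Recovery after loss or theft, which the comments below raise, is deliberately outside this sketch.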

I also believe that hardware authenticators are likely to be perceived by the public to be much more trustworthy than software solutions, even in situations where both are technically equivalent. This is only based on personal anecdotal evidence but my experience with users of hardware based authentication tokens in the past has been that people trust them far more than software solutions that are technically more robust, and continue to do so even when the weaknesses of the system are demonstrated.

Of course a lot depends on how well designed the specific hardware implementation actually is. For my part I've ordered one of TrustBearer's USB key devices so I can see whether it does deal with these things properly. I'll be posting some more on this once I've had a chance to put it through the wringer a bit.

2 comments:

helvick said...

So Trustbearer's product is a USB token called the Athena ASEDrive IIIe USB. They provide an OpenID aware browser plugin that handles the ID request validation and prompts you to enter a PIN in order to unlock the token.
It's quite slick - set up and linking my token to my Trustbearer OpenID took all of 10 seconds and that included changing the access PIN.
I'll have to do some more digging, but it appears that the Athena smart card systems pretty much do what they say on the tin - the device handles the cryptographic challenge responses using (I hope) non-exportable keys and the user just sees a request to enter a PIN.

helvick said...

And it works under Linux too - with Ubuntu all that is needed is to run "sudo apt-get install libasedrive-usb" and everything just works. Plug and Play would have been well cool but you can't get much simpler than that.
More to follow once I've figured out how well protected the credentials are and how this device manages the trade-off between robustly protecting private keys and allowing for reasonable recovery of accounts in the case of loss or theft, but for now I'm well impressed with how this is shaping up.