mailing list archives
Re: OpenID. The future of authentication on the web?
From: Paul Schmehl <pauls () utdallas edu>
Date: Sun, 23 Mar 2008 19:01:00 -0500
--On March 23, 2008 7:20:55 PM -0400 Larry Seltzer
<Larry () larryseltzer com> wrote:
It's worth pointing out that some OpenID providers are better than
others. An OpenID provider could implement 2-factor authentication, and
ardware/), or other features which could strengthen it.
Yes, but you're still placing your trust, for all the most important
information about yourself, in the hands of a third party. That third
parties reputation relies on being able to deny a breach of their systems,
so their primary motivation would not be to help you solve your problem
but to deny that it was caused by them. Insisting, for example, that you
used the system incorrectly is a favored tactic of providers who offer
similar decoupled authentication schemes.
Given the choice between placing that trust in *one* provider, potentially
exposing everything about myself, I think a system that relies on *me* to
release my information voluntarily when I choose makes more sense from a
security perspective. IOW, it is the owner of the data that should retain
absolute control over that data. (And no, credit card companies don't own
my data. Nor do merchants. I do. They have a responsibility to handle
my data with the utmost care, and if they fail in their duty to protect, I
have the ability to refuse to any longer do business with them.
I understand the attractiveness of not having to remember lots of IDs and
passwords, but when you give up control of your data, you give up control
of your future.
Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/