Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: OpenID. The future of authentication on the web?
From: Paul Schmehl <pauls () utdallas edu>
Date: Mon, 24 Mar 2008 10:14:05 -0500

--On Sunday, March 23, 2008 20:56:54 -0400 Larry Seltzer 
<Larry () larryseltzer com> wrote:

The correct solution, IMO, would be an encrypted password vault,
stored on a USB drive and only available through the use of a password
and some other form of identification (biometric, etc.)

What about kiosks and other situations where it wouldn't be secure to
allow arbitrary people to insert USB keys?

You allow read-only access to USB keys.

This vault requires a support
system of some kind; does there need to be software on the system to
read it?

Easily done on thumb drives that now contain gigs of memory.

Do you trust that software?

No, but then I don't trust any software.

This also presents the problem of when the user loses the key or if it
fails. They had better have a backup of it. A service doesn't have any
of these problems.

That's a weak excuse for avoiding responsibility.  Technology cannot solve 
every problem.  Nor should it.  At some point *people* have to learn how to 
properly use computers and the internet, just as they had to learn how to 
properly operate and maintain vehicles.

Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]