Effects of OpenID or similar standards

David-Sarah Hopwood david-sarah at jacaranda.org
Tue Nov 3 15:41:52 EST 2009

Taral wrote:
> On Mon, Nov 2, 2009 at 5:41 PM, Jerry Leichter <leichter at lrw.com> wrote:
>> The trend is for this to get worse, with
>> network-wide shared authentication via OpenID or whatever other standard
>> catches on.
> Not to derail this, but OpenID is flexible enough to permit
> fine-grained authentication as well as non-password-based
> authentication (e.g. smart card) and multi-factor authentication.

It's unlikely to be used that way except in a small minority of cases.
Jerry is absolutely correct that the practical result will be that most
users of OpenID will become more vulnerable to compromise of a single
password. This will only increase the value of several kinds of attack
(phishing, exploiting client security flaws, XSS, CSRF). I bet that
attackers are rubbing their hands in anticipation.

David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
