Submitted by ObiJan (not verified) on 17 February, 2008 - 18:54.
Discussions like this are always a “headdesk” moment for me.
The discussion so far:
- OpenId is cool!
- Yeah, but somebody could phish a login!
- Well, you can use a client cert instead
- Yeah, but that's too complicated for users; they don't want to install client software!
So the solution is… a password manager installed on the client?
I really don't understand how pressing "Accept Certificate" in a browser (IE or Firefox or derivatives) is more complex than downloading and installing an "exe" or whatever.
As for the phishing:
The basic premise of OpenId is that the USER is in control of the security level he wants. You want a simple username and password? Ok. You want a juggling monkey that randomly accepts requests? Ok too?
Or do you want a totally secure client cert that is linked to a secure https cert, which cannot be faked, even with DNS poisoning? No problem!
Or do you want to authenticate with a separate secure hardware device that takes a PIN and outputs a one-time access number? No problem, you can get one for less than the price of a big pizza at Paypal or Verisign.
I would also like to point out that currently the OpenId provider I am using has a higher security level than the bank I am using.
Makes you think, no?
Closing remark: OpenId also has some good solutions that do not require captchas.
Can't have it both ways!
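The hardware token the comment mentions (PIN entered on the device, one-time number typed into the site) is the kind of counter-based token that RFC 4226 HOTP standardises. As an added example, not code from the original thread, here is the server side of that scheme in Python: generating the code from a shared secret and a counter, and verifying a submitted code so that a captured value cannot be replayed. The 6-digit length and the look-ahead window of 10 are assumptions; the secret is the RFC 4226 test vector, not a real key.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, candidate: str,
                look_ahead: int = 10) -> Optional[int]:
    """Server-side check. Returns the counter to store next on success, None on failure.

    Only counters at or after stored_counter are accepted, so a code that was
    already consumed (or sniffed from an earlier login) is rejected; the small
    look-ahead window (assumed size) tolerates token presses that never reached
    the server. compare_digest keeps the comparison constant-time.
    """
    if not (candidate.isdigit() and len(candidate) == 6):
        return None
    for c in range(stored_counter, stored_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    # Constructed demo: the RFC 4226 test secret (ASCII "12345678901234567890").
    SECRET = b"12345678901234567890"
    counter = 0
    # Second "287082" is a replay of an already-consumed code and must be rejected.
    for code in ("755224", "287082", "287082"):
        new = verify_hotp(SECRET, counter, code)
        print(code, "accepted, next counter" if new is not None else "rejected", new)
        if new is not None:
            counter = new
```

The PIN the comment describes is checked on the device itself and never sent to the site; the server only ever sees the one-time number, which is why a phished copy of it is worth at most one login and, with the counter advanced, nothing at all.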