Category Archives: Information Card

A good question indeed

Mark Dixon responds to this Dave Kearns article comparing passwords to buggy whips by posing a very good question:

The big question is, “Replace username/password with what?”

I personally like the use of secure certificates, as illustrated in Henry Story’s use of certificates in his demonstration iPhone app I blogged about recently. However, the mechanism for distributing, installing and managing such credentials for ordinary computer users seems like a daunting task. I also personally like the Information Card concept, at least for the conceptual metaphor it uses. But that isn’t a raging success and this technique is certainly burdened by its own challenges.

This is a question that is not asked enough, much less sufficiently answered. All of the competing approaches suffer from drawbacks that make them less acceptable in many cases.

Like Mark, I also think highly of certificates as the solution. But there are significant lifecycle deployment issues that are too daunting for most users. There is also another issue that does not get enough attention: physical security. When using a certificate you are really dependent on the physical security of the container holding the private key. If it’s a smart phone in your possession, great. If it’s a laptop in your possession, also great. If it’s a beige box sitting unsecured in your cubicle while you are at lunch, not so great.

Information Cards are a good solution, but also suffer from the same physical security issues. Of course the card can be PIN protected, but a PIN is really just another password (albeit a local one) and now you get into some of the same issues as with passwords, for example the PIN for less frequently used cards written on a yellow sticky note attached to the monitor.

Biometrics is a hot area of research now. It seems every week some new breakthrough in earlobe recognition or some other phrenological magic is announced. But as of yet there are just too many problems with biometrics to displace passwords.

If cost is no issue OTP devices are a great way to go. But cost is always an issue.

Password authentication is like an impressionistic painting. The farther you move away from it, the better it starts to look.

What hasn’t been said about the Palin email hack

I don’t blog about politics, although sometimes I blog about things that are intertwined with politics. The Palin email hack is one of those things that are fascinating on technical and social levels. Socially, as a libertarian with no party affiliation, I find it interesting to watch the outrage of the normally surveillance happy right wing paired with the non-caring of the normally privacy fanatical left.

Technically, a lot of good summaries have been written about how the hack shows the weakness of knowledge-based authentication. Mark Diodati of Burton has a particularly well-written piece about it here. But there are several aspects of this that haven’t, so far as I am aware, been brought up.

First, this is usually described as a hack into Palin’s email account. That is true, but understates the depth of the problem. What was actually hacked was Palin’s Yahoo account, which grants access to a number of Yahoo services including email. Another service is OpenID. The hacker would not only have obtained access to Palin’s email, but also to every OpenID-enabled account for which Palin had used Yahoo as the identity provider. In fairness this is no different than if an IdP password is compromised for SAML or InfoCard (except self-issued cards), but it does point out the downside to federation.

Second, the vulnerability was not in the primary means of authentication (password), but in the secondary means of authentication (forgot password). The lesson here is that security is a chain that is only as strong as its weakest link. If the secondary means of authentication were made stronger you might still need to worry about the tertiary means, which in many systems involves calling a support number and convincing them you are the right person. In many cases that’s not a terribly difficult process if you have enough personal information about someone.

Third, security has to match expected use. That is really the story here. I have a Yahoo email account, but there is no reason to expect anyone to attempt to compromise it using the same methods because there is no value in it. Security not through obscurity but through lack of motivation. Palin elevated the value of hacking Yahoo by using it for official business (or at least appearing to). That’s not to say she wouldn’t have been a target, like many celebrities are, even if she had only an obviously personal email address, but she unwisely made a very inviting target.

So what are the lessons here?

In federation, the security of all the relying parties is only as secure as the least secure alternate means of authentication at the identity provider.

As consumers we must be cautious of elevating the value of an identity provider beyond what it was designed for. This can happen because of social factors (as in Palin’s case) or by using it as a federated identity provider for a higher value relying party.

OpenID, Information Cards, and Passwords

The recent article by Randall Stross in the NYT is getting a lot of attention in the identisphere. Kim Cameron writes about it here, Axel Nennker writes about it here, and Dave Kearns writes about it here.

While this is a very good article about the issues involved in OpenID, Information Cards, and Passwords, there are a couple of points, good and bad, that I would like to highlight:

I once felt ashamed about failing to follow best practices for password selection – but no more. Computer security experts say that choosing hard-to-guess passwords ultimately brings little security protection. Passwords won’t keep us safe from identity theft, no matter how clever we are in choosing them.

That would be the case even if we had done a better job of listening to instructions. Surveys show that we’ve remained stubbornly fond of perennial favorites like “password,” “123456” and “LetMeIn.” The underlying problem, however, isn’t their simplicity. It’s the log-on procedure itself, in which we land on a Web page, which may or may not be what it says it is, and type in a string of characters to authenticate our identity (or have our password manager insert the expected string on our behalf).

I couldn’t agree more. Perhaps no bit of outdated computer advice is more regularly given out than this. Experts continually tell us that to be safe we need overly complex passwords. All this does is force the user into bad security practices.

But there is another side to this that the article doesn’t mention. It doesn’t matter how secure the authentication is if the subsequent web session is not secure. If the session can be hijacked post authentication using cross-site scripting attacks or plain old packet sniffing, the authentication mechanism doesn’t matter.

The author makes some good points about OpenID, but I feel he misses the mark with this:

Support for OpenID is conspicuously limited, however. Each of the big powers supposedly backing OpenID is glad to create an OpenID identity for visitors, which can be used at its site, but it isn’t willing to rely upon the OpenID credentials issued by others. You can’t use Microsoft-issued OpenID at Yahoo, nor Yahoo’s at Microsoft.

Why not? Because the companies see the many ways that the password-based log-on process, handled elsewhere, could be compromised. They do not want to take on the liability for mischief originating at someone else’s site.

I would argue that liability has little to do with it. The big OpenID providers don’t act as relying parties because they are fighting each other to be the dominant identity provider. They see being the identity provider as the key to drive more traffic to their site, which brings more advertising revenue. It’s a land grab pure and simple.

On Information Cards the author does make a point I have made on many occasions in the past: using Self-Issued Cards is really authenticating the computer and not the user:

BUT perhaps information cards in certain situations are convenient to a fault, permitting anyone who happens by a PC that is momentarily unattended in an office setting to click quickly through a sign-on at a Web site holding sensitive information. This need not pose a problem, however.

“Users on shared systems can easily set up a simple PIN code to protect any card from use by other users,” Mr. Cameron said.

Of course the users can PIN protect their self-issued cards. But history has shown that most won’t.

Problem between keyboard and seat

Axel Nennker points out that the supposed “Cardspace Hack” is still floating around the old media. He allows the issue is not really a Cardspace security hole, but a problem between the keyboards and seats at Ruhr University Bochum:

A while ago two students, Xuan Chen and Christoph Löhr, from Ruhr University Bochum claimed to have “broken” CardSpace. There were some blog reactions to this claim. The authoritative one of course is from Kim.

Today I browsed through a magazine lying on the desk of a colleague of mine. This magazine with the promising title “IT-Security” repeats the false claim and reports that the students proved that CardSpace has severe security flaws… Well, when you switch off all security mechanisms then, yes, there are security flaws (the security researcher in front of the computer).

Sort of what developers like me call an ID10T error.

Update: speaking of ID10T errors, I originally mistyped Axel’s name as Alex. My apologies.

Age verification information cards

Mike Jones has this interesting post about an age verification service based on information cards from Idology. Although not yet available for use, this service does look intriguing.

A small bit of irony

If you want to leave a comment on the Information Card Foundation blog, you can log in with OpenID but not an Information Card. Hopefully that is in the works.

Interesting times in InfoCard land

Burton Catalyst is going on this week and as usual there are more identity happenings than a poor blogger like me can keep up with. Unfortunately I am not attending this year, which makes it even harder to keep up (this is the first one I have missed in a while).

One big news item was the announcement of the Information Card Foundation. You can read about it here, here, here, here, and here.

Another big item was the announcement about Microsoft HealthVault supporting not only Information Card authentication, but OpenID authentication as well. The decision to limit HealthVault OpenID authentication to a white list of just two providers has some (like Paul Madsen) hot under the collar.

Interesting times.

OpenID and Phishing

I am probably going to make a lot of people mad here, but all this talk of OpenID and Phishing made me think of this demotivator:

But seriously. The recent Fun OpenID Phishing Demo shows just how troutish the typical OpenID user would be if the technology were ever adopted for serious use. With OpenID (as with all SSO technologies), once they have your master login credentials they have access to all your SP accounts. Too many OPs are far too easy to Phish.

Touting the added security of an additional browser plug-in (especially one that is only available on Firefox) is simply not going to cut it. SPs have to believe that OpenID provides sufficient protection for all their customers assuming a vanilla browser, or it won’t be adopted for serious use.

Some sites like Vidoop are more Phishing resistant than others (Vidoop also has a browser plug-in that is available on both Firefox and IE). Also, relying on Information Cards to authenticate to the OP provides a high degree of Phishing resistance. But relying on sites to be Phishing resistant would force SPs to a White List approach.

Perhaps OpenID + White Lists + Phishing Resistant OPs would keep Mr. Trout safe and happy.

PAPE is supposed to address this. But trust is all about knowing who you are dealing with. If I don’t know you, how can I trust you will really honor your promise? Likewise, how does an SP trust that a previously unheard of OP will honor the promises it makes via PAPE in regards to authentication?

Why everything you know about the Metric System is wrong and what it means for Identity Systems

Recently as part of my work with Cub Scouts I had to prepare a lesson on the Metric System. That started me thinking about the myths and misconceptions of the Metric System, why it isn’t used in the United States, and what that all means for Identity Systems.

First let me say I am a big fan of the metric system (I have an MS in Aerospace Engineering). And living in the United States, I almost never use it. And those are not contradictory statements. The reason that I never use it is that for my day-to-day life outside of work it simply offers no advantages to me. When studying engineering in college I used the Metric System almost exclusively. However, after going into the software industry I haven’t used it professionally since.

Here are some myths and misconceptions:

Myth #1 – The Metric System is a base 10 system which is far superior to base 12 systems. The metric system has been adopted world-wide (except for those crazy stubborn Americans) because of the inherent superiority of base 10 mathematics in everyday use.

BTW, what time is it where you are? What coordinates does your GPS show? How steep is that incline? Have you ever tried to saw a 1 meter board into 6 even pieces?

The point is that while base 10 is much better for doing calculations with a calculator, base 12 is better for some calculations you need to do in your head. That is because 10 is divisible by only 5 and 2, whereas 12 is divisible by 2, 3, 4, and 6.

Myth #2 – You shouldn’t use the English (Customary) System for technical purposes because the conversion between feet and inches and pounds and ounces is much harder than converting between meters and kilometers and liters and milliliters.

When doing technical work you don’t ever need to convert between feet and inches. You never really need to convert between meters and kilometers either. Once you are using scientific notation it doesn’t matter. 10,000 feet is 1x10E6 feet and 10,000 meters is 1x10E6 meters. Neither unit system is easier than the other in scientific notation.

Myth #3 – The Metric System is superior because all units are derived and reproducible from the properties of nature. For instance, Celsius 0 and 100 are the freezing and boiling points of water. The meter is derived from a meridian of the Earth.

While the Metric System was once naturally derivable, it was long ago discovered that the physical properties originally used vary too much to give an accurate definition. For a while the units were defined against physical models (for instance, a certain platinum bar was used to define the meter). That was eventually viewed as too risky. Now all units are defined in purely arbitrary, but reproducible, terms.

Myth #4 – The stubborn Americans will eventually convert when enough are “educated sufficiently”. It’s only ignorance that keeps the Americans from converting willingly like the rest of the world.

The Metric System originally became accepted only at gunpoint. The point of Napoleon’s guns, to be exact. The real telling point comes from the Wiki entry:

As of 2007 only three countries, the United States, Liberia, and Myanmar (Burma) had not mandated the metric system upon their populace.

Ah, breathe in the Orwellian goodness of that statement. The Metric System is so superior to other forms of measurement it has been mandated on the people by the force of law. All for their own good of course.

The point is that while there is a huge advantage to everyone being on the same system of measurement, the choice of Metric versus Customary is purely arbitrary. Since people make these choices based on personally perceived value combined with a natural resistance to change, most will not willingly convert to a new system without being forced to under threat of punishment. Or put simply:

Change is hard. Inches are easy.

What does all of this have to do with Identity Systems? Change is painful. Like measurement systems, people will make do with their current Identity System (mostly user IDs and passwords), because they understand it and it works sufficiently well for their day-to-day lives.

Yes, it’s a mess. Yes, it’s not very secure. But it works for most people. They understand it. They are comfortable with it. Most will not switch to an alternative like OpenID or CardSpace unless they see real value. Or put simply:

Change is hard. Passwords are easy.

Cartoon Identity Selectors

I was watching my oldest play Disney Toon Town, which is an MMOG for young kids. If you are a subscriber you get to have up to six different avatars that you can choose from when entering the game world.

It occurs to me that this is really an identity selector. I have a feeling that Cardspace or other identity selectors will be an easy transition for them when they are ready.