Tag Archives: Cardspace

A good question indeed

Mark Dixon responds to this Dave Kearns article comparing passwords to buggy whips by posing a very good question:

The big question is, “Replace username/password with what?”

I personally like the use of secure certificates, as illustrated in Henry Story’s use of certificates in his demonstration iPhone app I blogged about recently.  However, the mechanism for distributing, installing and managing such credentials for ordinary computer users seems like a daunting task.  I also personally like the Information Card concept, at least for the conceptual metaphor it uses.  But that isn’t a raging success and this technique is certainly burdened by its own challenges.

This is a question that is not asked enough, much less sufficiently answered. All of the competing approaches suffer from drawbacks that make them less acceptable in many cases.

Like Mark, I also think highly of certificates as the solution. But there are significant lifecycle deployment issues that are too daunting for most users. There is also another issue that does not get enough attention: physical security. When using a certificate you are really dependent on the physical security of the container holding the private key. If it’s a smart phone in your possession, great. If it’s a laptop in your possession, also great. If it’s a beige box sitting unsecured in your cubicle while you are at lunch, not so great.

Information Cards are a good solution, but also suffer from the same physical security issues. Of course the card can be PIN protected, but a PIN is really just another password (albeit a local one), and now you get into some of the same issues as with passwords, for example the PIN for less frequently used cards written on a yellow sticky note attached to the monitor.

Biometrics is a hot area of research now. It seems every week some new breakthrough in earlobe recognition or some other phrenological magic is announced. But as of yet there are just too many problems with biometrics to displace passwords.

If cost is no issue, OTP devices are a great way to go. But cost is always an issue.

Password authentication is like an impressionistic painting. The farther you move away from it, the better it starts to look.


Microsoft and SAML 2.0

According to Don Schmidt Microsoft is finally going to support SAML 2.0:

At the Professional Developers Conference this week Microsoft is announcing the beta release of “Geneva”, the codename for its new claims based access platform.  This platform helps developers and IT professionals simplify user access to applications and other systems with an open claims-based model.  “Geneva” helps developers to externalize user authentication and identity processing from application code by using claims that are obtained with pre-built security logic that is integrated with .NET tools.  “Geneva” helps IT professionals to efficiently deploy and manage new applications by reducing user account management, promoting a consistent security model, and facilitating seamless collaboration across departmental, organizational and vendor boundaries.  User access benefits include shortened provisioning lead times, reduced accounts, passwords and logins, and enhanced privacy support.  “Geneva” implements the Identity Metasystem vision for open and interoperable identity, and includes built-in support for standard federated identity protocols.

A fundamental goal of “Geneva” is to extend the reach of its predecessor, Active Directory Federation Services, and provide a common identity programming model for developers of both web applications and web services.  To maximize interoperability with clients and servers from other vendors, it supports the WS-Trust, WS-Federation and SAML 2.0 protocols.  To maximize administrative efficiency “Geneva” automates federation trust configuration and management using the new harmonized federation metadata format (based on SAML 2.0 metadata) that was recently adopted by the WSFED TC.

This is very interesting. It looks like in the Geneva release what was ADFS will now support SAML 2.0 along with WS-Federation. It also looks like Cardspace, Zermatt, and ADFS are going to be combined into a single “platform”.

Interesting times.

It is the life cycle that matters

Phil Hunt of Oracle makes a very good point about OpenID, Information Cards, and Passwords:

It all sounds wonderful. But Kim skips over the problem of how did he get that card? How was he originally authenticated when the card was issued?

Is the information card periodically refreshed or re-authenticated? If it lasts forever, what happens if the information is lost or copied? What happens if someone else is using his workstation? What happens when Kim switches workstations? For example, Kim decides to check his CNNPolitics profile from a friend’s house? He’ll likely have to obtain a new card. I suspect that will involve some form of authentication with his managed card provider. It is clear that, while InfoCards may reduce the need for authentication and passwords, they do not eliminate them.

Like Phil, I am also a big fan of Information Cards. OpenID, not so much. I would like to see something reduce the reliance on passwords, regardless of which technology ultimately gets adopted. But currently I don’t see either technology reducing the use of passwords for authentication for anything other than throw-away use, like authenticating to leave a comment on a blog.

The way providers support the entire life cycle of the identity seems to always involve passwords at some point, regardless of support for OpenID, Information Cards, or even, for that matter, SAML.

OpenID, Information Cards, and Passwords

The recent article by Randall Stross in the NYT is getting a lot of attention in the identisphere. Kim Cameron writes about it here, Axel Nennker writes about it here, and Dave Kearns writes about it here.

While this is a very good article about the issues involved in OpenID, Information Cards, and Passwords, there are a couple points, good and bad, that I would like to highlight:

I once felt ashamed about failing to follow best practices for password selection – but no more. Computer security experts say that choosing hard-to-guess passwords ultimately brings little security protection. Passwords won’t keep us safe from identity theft, no matter how clever we are in choosing them.

That would be the case even if we had done a better job of listening to instructions. Surveys show that we’ve remained stubbornly fond of perennial favorites like “password,” “123456” and “LetMeIn.” The underlying problem, however, isn’t their simplicity. It’s the log-on procedure itself, in which we land on a Web page, which may or may not be what it says it is, and type in a string of characters to authenticate our identity (or have our password manager insert the expected string on our behalf).

I couldn’t agree more. Perhaps no bit of outdated computer advice is more regularly given out than this. Experts continually tell us that to be safe we need overly complex passwords. All this does is force the user into bad security practices.

But there is another side to this that the article doesn’t mention. It doesn’t matter how secure the authentication is if the subsequent web session is not secure. If the session can be hijacked post authentication using cross-site scripting attacks or plain old packet sniffing, the authentication mechanism doesn’t matter.
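The point above is that a hijackable session throws away whatever the authentication step bought. For a web application the usual carrier of that session is a cookie, and two attributes decide the two exposures named here: without `Secure` the cookie goes out over plain HTTP where it can be sniffed, and without `HttpOnly` injected script can read it. The following added example (not code from the original post) audits a `Set-Cookie` header for those attributes and shows the hardened form; it also checks `SameSite`, which postdates the post and limits the cookie being sent on cross-site requests. The cookie names and values are constructed.

```python
"""Audit Set-Cookie headers for post-authentication session exposure.

Added example, not code from the original post. It flags a session cookie
that can be captured on the wire (missing Secure) or read by injected
script (missing HttpOnly), and rebuilds the header with the attributes a
server should have set. Sample headers are constructed, not captured.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Pull the name and the protective attributes out of one header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _ = parts[0].partition("=")
    secure = httponly = False
    samesite = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            samesite = value.strip().lower()
    return CookieAudit(name.strip(), secure, httponly, samesite)


def audit_session_cookie(header: str) -> CookieAudit:
    """Return the parsed cookie with one finding per way the session can leak."""
    cookie = parse_set_cookie(header)
    if not cookie.secure:
        cookie.findings.append(
            "missing Secure: cookie is sent over plain HTTP and can be sniffed")
    if not cookie.httponly:
        cookie.findings.append(
            "missing HttpOnly: cookie is readable via document.cookie after XSS")
    if cookie.samesite not in ("lax", "strict"):
        cookie.findings.append(
            "SameSite not Lax/Strict: cookie rides along on cross-site requests")
    return cookie


def harden_set_cookie(header: str) -> str:
    """Rebuild the header with the missing protective attributes added."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    present = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    if "secure" not in present:
        parts.append("Secure")
    if "httponly" not in present:
        parts.append("HttpOnly")
    # Replace any existing SameSite value (for example None) with Lax.
    parts = [p for p in parts if p.partition("=")[0].strip().lower() != "samesite"]
    parts.append("SameSite=Lax")
    return "; ".join(parts)


# Constructed sample: a session cookie as a careless server might set it.
WEAK_HEADER = "sid=7f3a9c; Path=/"
HARDENED_HEADER = harden_set_cookie(WEAK_HEADER)

if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        result = audit_session_cookie(header)
        print(header)
        for finding in result.findings or ["no findings"]:
            print("  -", finding)
```

Run against a server's real `Set-Cookie` responses (for example, captured from a browser's developer tools), the audit separates the two failure modes the post names: a finding on `Secure` means the session survives authentication only as long as nobody is on the wire, a finding on `HttpOnly` means any script injection on the site hands the session over.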

The author makes some good points about OpenID, but I feel he misses the mark with this:

Support for OpenID is conspicuously limited, however. Each of the big powers supposedly backing OpenID is glad to create an OpenID identity for visitors, which can be used at its site, but it isn’t willing to rely upon the OpenID credentials issued by others. You can’t use Microsoft-issued OpenID at Yahoo, nor Yahoo’s at Microsoft.

Why not? Because the companies see the many ways that the password-based log-on process, handled elsewhere, could be compromised. They do not want to take on the liability for mischief originating at someone else’s site.

I would argue that liability has little to do with it. The big OpenID providers don’t act as relying parties because they are fighting each other to be the dominant identity provider. They see being the identity provider as the key to drive more traffic to their site, which brings more advertising revenue. It’s a land grab pure and simple.

On Information Cards, the author makes a point I have made on many occasions in the past: using Self-Issued Cards really authenticates the computer, not the user:

BUT perhaps information cards in certain situations are convenient to a fault, permitting anyone who happens by a PC that is momentarily unattended in an office setting to click quickly through a sign-on at a Web site holding sensitive information. This need not pose a problem, however.

“Users on shared systems can easily set up a simple PIN code to protect any card from use by other users,” Mr. Cameron said.

Of course users can PIN protect their self-issued cards. But history has shown that most won’t.

Problem between keyboard and seat

Axel Nennker points out that the supposed “Cardspace Hack” is still floating around the old media. He acknowledges that the issue is not really a Cardspace security hole, but a problem between the keyboards and seats at Ruhr University Bochum:

A while ago two students, Xuan Chen and Christoph Löhr, from Ruhr University Bochum claimed to have “broken” CardSpace. There were some blog reactions to this claim. The authoritative one of course is from Kim.

Today I browsed through a magazine lying on the desk of a colleague of mine. This magazine with the promising title “IT-Security” repeats the false claim and reports that the students proved that CardSpace has severe security flaws… Well, when you switch off all security mechanisms then, yes, there are security flaws (the security researcher in front of the computer).

Sort of what developers like me call an ID10T error.

Update: speaking of ID10T errors, I originally mistyped Axel’s name as Alex. My apologies.

Age verification information cards

Mike Jones has this interesting post about an age verification service based on information cards from Idology. Although not yet available for use, this service does look intriguing.

Interesting times in InfoCard land

Burton Catalyst is going on this week and, as usual, there are more identity happenings than a poor blogger like me can keep up with. Unfortunately I am not attending this year, which makes it even harder to keep up (this is the first one I have missed in a while).

One big news item was the announcement of the Information Card Foundation. You can read about it here, here, here, here, and here.

Another big item was the announcement about Microsoft HealthVault supporting not only Information Card authentication, but OpenID authentication as well. The decision to limit HealthVault OpenID authentication to a white list of just two providers has some (like Paul Madsen) hot under the collar.

Interesting times.