The recent article by Randall Stross in the NYT is getting a lot of attention in the identisphere. Kim Cameron writes about it here, Axel Nennker writes about it here, and Dave Kearns writes about it here.
While this is a very good article about the issues involved in OpenID, Information Cards, and passwords, there are a couple of points, good and bad, that I would like to highlight:
I once felt ashamed about failing to follow best practices for password selection – but no more. Computer security experts say that choosing hard-to-guess passwords ultimately brings little security protection. Passwords won’t keep us safe from identity theft, no matter how clever we are in choosing them.
That would be the case even if we had done a better job of listening to instructions. Surveys show that we’ve remained stubbornly fond of perennial favorites like “password,” “123456” and “LetMeIn.” The underlying problem, however, isn’t their simplicity. It’s the log-on procedure itself, in which we land on a Web page, which may or may not be what it says it is, and type in a string of characters to authenticate our identity (or have our password manager insert the expected string on our behalf).
I couldn’t agree more. Perhaps no bit of outdated computer advice is more regularly given out than this. Experts continually tell us that to be safe we need overly complex passwords. All this does is force the user into bad security practices.
But there is another side to this that the article doesn’t mention. It doesn’t matter how secure the authentication is if the subsequent web session is not secure. If the session can be hijacked after authentication, whether through a cross-site scripting attack that steals the session token or plain old packet sniffing of an unencrypted connection, the strength of the authentication mechanism is irrelevant.
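To make the point concrete, here is an added example (mine, not code from the article or from this post) of the two defensive controls that address the hijacking vectors just named: marking the session cookie HttpOnly so script running in the page cannot read it, and Secure so it is never sent over cleartext HTTP where a sniffer could see it, plus rotating the session identifier at the moment of login so an identifier observed before authentication does not carry the authenticated session. The `SessionStore` class, the cookie name `sid` and the audit helper are assumptions for illustration, not any real framework's API.

```python
"""Hardening the session that follows authentication (added example)."""
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"  # assumed cookie name for illustration


def issue_session_cookie(session_id):
    """Return the Set-Cookie value for a session cookie carrying the
    protections relevant here: HttpOnly (no access from page script,
    limiting what an XSS payload can steal), Secure (only sent over
    HTTPS, so a passive sniffer on plain HTTP never sees it) and
    SameSite=Lax (not attached to most cross-site requests)."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = session_id
    cookie[SESSION_COOKIE]["httponly"] = True
    cookie[SESSION_COOKIE]["secure"] = True
    cookie[SESSION_COOKIE]["samesite"] = "Lax"
    cookie[SESSION_COOKIE]["path"] = "/"
    return cookie.output(header="").strip()


def missing_cookie_protections(set_cookie_value):
    """Audit a Set-Cookie value and list the protections it lacks.
    Useful for checking a site's login response in a test suite."""
    attributes = {
        part.strip().split("=", 1)[0].lower()
        for part in set_cookie_value.split(";")[1:]
    }
    missing = []
    for name in ("HttpOnly", "Secure", "SameSite"):
        if name.lower() not in attributes:
            missing.append(name)
    return missing


class SessionStore:
    """Minimal in-memory session store (hypothetical, for the example)."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": name or None}

    def start(self):
        """Create an anonymous, pre-login session."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def authenticate(self, old_sid, user):
        """Bind a user to the session, issuing a fresh identifier and
        discarding the old one so any identifier seen before login
        (e.g. captured in transit) cannot be used afterwards."""
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        """Return the user bound to a session id, or None if unknown."""
        session = self._sessions.get(sid)
        return session["user"] if session else None


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.start()
    logged_in = store.authenticate(anonymous, "alice")  # constructed user
    header = issue_session_cookie(logged_in)
    print("Set-Cookie:", header)
    print("missing:", missing_cookie_protections(header))
    print("weak cookie missing:", missing_cookie_protections("sid=abc; Path=/"))
```

None of this makes a strong login more secure in itself; it only ensures that the session the login produces is not easier to take over than the credential that created it.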
The author makes some good points about OpenID, but I feel he misses the mark with this:
Support for OpenID is conspicuously limited, however. Each of the big powers supposedly backing OpenID is glad to create an OpenID identity for visitors, which can be used at its site, but it isn’t willing to rely upon the OpenID credentials issued by others. You can’t use Microsoft-issued OpenID at Yahoo, nor Yahoo’s at Microsoft.
Why not? Because the companies see the many ways that the password-based log-on process, handled elsewhere, could be compromised. They do not want to take on the liability for mischief originating at someone else’s site.
I would argue that liability has little to do with it. The big OpenID providers don’t act as relying parties because they are fighting each other to be the dominant identity provider. They see being the identity provider as the key to drive more traffic to their site, which brings more advertising revenue. It’s a land grab pure and simple.
On Information Cards the author does make a point I have made on many occasions in the past: using Self-Issued Cards really authenticates the computer and not the user:
BUT perhaps information cards in certain situations are convenient to a fault, permitting anyone who happens by a PC that is momentarily unattended in an office setting to click quickly through a sign-on at a Web site holding sensitive information. This need not pose a problem, however.
“Users on shared systems can easily set up a simple PIN code to protect any card from use by other users,” Mr. Cameron said.
Of course the users can PIN-protect their self-issued cards. But history has shown that most won’t.