Thursday, January 17, 2008

OpenID is coming so get a Paypal Security Key

OpenID = one logonid + one password to access any site supporting the OpenID standard.

If you have not heard of OpenID, start paying attention when you do. OpenID is an open source sign-on standard that has been under development for a while and now appears to be getting ready for prime time. According to a PCWorld article last week, Yahoo is close to announcing support for OpenID. In addition, according to TechCrunch UK, Google, IBM and VeriSign are in final talks with the OpenID Foundation. Microsoft and AOL have also previously committed to support OpenID, and AOL is already publicly testing OpenID support with their Plaxo product. Add it all up and there should be enough of the big players to push OpenID into prime time and thus make OpenID the default sign-on standard.

OpenID = one logonid + one password + PayPal Security Key = Greatly Improved Signon Security

So, one id and one password for accessing all your websites: what could be better? Well, here is where PayPal comes into the picture. PayPal is offering a Security Key for $5 which generates one time passwords (i.e. a 6 digit random number). If you're in the corporate world you may already have an equivalent to the PayPal Security Key in your SecurID token (~$40), which many corporations already use for increased signon security. If you don't understand one time passwords, they are a second password to use in addition to your primary password. These security tokens generate random numbers/passwords which are tied to your logonid and are only good for 30 seconds in the case of PayPal or 60 seconds with SecurID. So what this means is that if someone at your favorite Wi-Fi hotspot shoulder surfs your passwords, or some spyware/malware should happen to capture your primary password and your one time password, it doesn't matter, since you need both passwords and the secondary password generated by the security token is only good for 30 seconds.

Currently the only OpenID Provider I have found that supports the PayPal Security Key is VeriSign; hopefully other OpenID Providers will join in supporting the low cost PayPal Security Keys. The VeriSign support for OpenID and the PayPal Security Key is currently in beta, but hopefully with OpenID going prime time VeriSign will move the service out of beta quickly and in addition keep providing the service free of charge. VeriSign also offers a couple of other nice features I have not seen with the other OpenID providers: the ability to set expiration dates by website for your access, and an access log showing the sites you have accessed with your OpenID signon. VeriSign is also providing a Firefox extension called Seatbelt which provides assistance with the OpenID signon process and some phishing protection.
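To make the "only good for 30 seconds" property concrete, here is an added example (not code from this post, PayPal or VeriSign; the page does not say which algorithm the PayPal Security Key uses, so the code assumes the standard time-based OTP from RFC 6238 as a stand-in). It shows both halves of the scheme: the token side, which derives a 6 digit code from a shared secret and the current 30-second window, and the server side, which accepts a code only for the current window and refuses a code that has already been used. The secret and timestamps are constructed for the demo; the RFC 4226/6238 test secret is used so the expected codes are known.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per code, the 30-second window described above
DIGITS = 6       # 6 digit codes, as described above

# Constructed demo secret: the well-known RFC 4226 / RFC 6238 test vector key.
# A real token's secret is provisioned by the issuer and never shown to the user.
DEMO_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Token side: RFC 6238 TOTP (HMAC-SHA1 over the time counter, dynamic truncation)."""
    counter = unix_time // step                       # which 30-second window we are in
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation (RFC 4226 5.3)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server side: checks a code against the current window and rejects replays."""

    def __init__(self, secret: bytes, step: int = TIME_STEP, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew              # windows of clock drift tolerated on either side
        self.last_counter = -1        # highest window already accepted (replay guard)

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_counter:
                continue              # this window (or an older one) was already used
            expected = totp(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_counter = counter
                return True
        return False


def shoulder_surf_scenario() -> dict:
    """Constructed timeline: a code is observed at t=59 and tried again later."""
    verifier = OtpVerifier(DEMO_SECRET, skew=0)
    observed = totp(DEMO_SECRET, 59)             # code the legitimate user typed at t=59
    return {
        "legit_login": verifier.verify(observed, 59),      # accepted once
        "replay_same_window": verifier.verify(observed, 70),  # same window, already used
        "replay_later": verifier.verify(observed, 150),    # window has passed
        "fresh_code_later": verifier.verify(totp(DEMO_SECRET, 150), 150),
    }


if __name__ == "__main__":
    print("code at t=59 :", totp(DEMO_SECRET, 59))
    print("scenario     :", shoulder_surf_scenario())
```

Two server-side details matter as much as the 30-second lifetime: the `last_counter` check stops a code that was captured and re-sent inside the same window from logging in a second time, and `hmac.compare_digest` keeps the comparison from leaking which digits matched. Without the replay guard, a code is only as safe as the remaining seconds in its window.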

If you're interested in learning more about OpenID, here are some additional sites you might want to visit:

OpenID.net
OpenID Foundation
Spread OpenID
Lifehacker - One OpenID to Rule Them All...or Not?

Update - earlier today Yahoo officially announced support for OpenID. According to Yahoo, beta testing of OpenID will begin on Jan. 30. Also, it appears Yahoo will initially only support itself as the OpenID provider, so the PayPal Security Key I previously mentioned will not work unless Yahoo adds that feature or in the future supports third-party OpenID providers such as VeriSign.

6 comments:

Ray said...

Well, that's not good. I mean, if every provider like AOL and Yahoo is going to require you to have accounts with their key system, then to me that just means: more secure, but still the same problem that everyone has... too many accounts. I know they have to come to some type of agreement, but I wish everyone could just agree to go to one system. It would make life so much easier. I wonder if it would be worth it to subscribe to some service like LifeLock and just use your stinking SSN for your login ID + OpenID and go from there. I mean, let's face it, everyone has your SSN already. Just some additional thoughts.

Jim said...

I tend to agree that your SSN is not nearly as secure as many people hope, but I think using your SSN would further impact the privacy concerns OpenID is also raising. Do you really want your OpenID provider to know every site you visit? I think that's the key reason that Yahoo, Google and Microsoft will want to be your OpenID provider; that information has huge value.

Anonymous said...

"Other providers" can't support the PayPal tokens. The reason VeriSign is able to is that they're the backend provider for PayPal. If the secret key for a token were known by more than one provider, security would take a nose-dive...

Anonymous said...

I believe there is a better alternative - the YubiKey - www.yubico.com

It's more convenient and more secure than a 6 digit OTP.

It's a bit more expensive ($25), but all the source code is available for free.

There is at least one OpenID provider that supports it (clavid) and Google Apps can use it too.

Grover said...

OpenID is doomed to failure. It's too damned complicated. Will people pay for a security key? Not a chance.

IT Support Van Nuys said...

If you set up your own domain name or know where it is hosted, along with usernames and passwords for access, you can stop reading now. You still might want to do the first step below, just to confirm your domain is yours, but chances are everything is ok.