Sunday, November 23, 2008

Are Passwords Safe?

Perhaps not, but other ways of authenticating users and protecting identities are making their presence felt.
That passwords are not the most secure authentication technique is well known. Most of us choose passwords that are easy to remember, and therefore short or predictable enough to be guessed or cracked. Phishing and a great deal of malware are aimed at stealing your online identity: your usernames and passwords.

Security experts think that protecting your online identity becomes far easier when the 'human' element, remembering and typing the secret that proves that identity, is minimized. The time, it seems, has come to move beyond passwords to authentication techniques that are easier to use and give adequate protection against identity theft.

Two initiatives are gaining importance here: the OpenID initiative and Information Cards. Some experts say the two can work in tandem, while others see them as two distinct approaches to authentication.

OpenID
OpenID satisfies the condition of being easy to use. A user has a single identifier, which can be used to log on to many different sites: the same ID, for instance, for your email account, your blog and your social networking site. Several large providers, among them Microsoft, AOL, Yahoo, Google, IBM and MySpace, back OpenID. Backing comes in two forms that are easy to confuse: accepting OpenID logins on a site (acting as a relying party) and issuing OpenIDs (acting as a provider). Where one of these companies does the latter, an account you already hold with it can serve as your OpenID.

OpenID works as follows. The OpenID provider (OP) is the entity that issues your OpenID, which takes the form of a URL that the OP is authoritative for. When you enter that URL at a site, the site (the relying party) fetches the URL to discover which OP vouches for it, redirects your browser to the OP, where you prove who you are, and the OP redirects you back with a signed assertion that the site verifies before letting you in. Your credentials are only ever entered at the OP. Services like AOL, Yahoo or Google let you use your existing account as your OpenID. Independent providers like myOpenID (http://www.myopenid.com/) and myID.net (http://www.myid.net/) offer a similar service. Other OPs, such as VeriSign, provide an OpenID together with stronger authentication than a password, such as a security token.

When you go to a site that supports OpenID logins (you can tell from the OpenID logo near the login form), you can use your OpenID instead of creating a fresh username and password. However, not all sites accept OpenIDs from all OPs. You may, therefore, need a set of OpenIDs, each of which works on a group of websites.
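The redirect-and-assertion flow described above, seen from the site's side, as an added example in Go. This is not code from the original post or from any OpenID library: it shows the checks a relying party makes on an OpenID 2.0 positive assertion before trusting it (the section numbers in the comments refer to the OpenID Authentication 2.0 specification). It assumes an association, a shared HMAC-SHA256 key, was already set up with the OP, and that discovery on the identifier the user typed returned the OP endpoint stored in the RelyingParty; every URL, handle, key and nonce is constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

// mac computes HMAC-SHA256 under an association's MAC key (OpenID 2.0 section 8, the
// secret RP and OP share) over the key-value form (section 6.1) of the signed fields.
func mac(key []byte, p map[string]string) []byte {
	h := hmac.New(sha256.New, key)
	for _, name := range strings.Split(p["openid.signed"], ",") {
		h.Write([]byte(name + ":" + p["openid."+name] + "\n"))
	}
	return h.Sum(nil)
}

// SignAssertion is the OP side: it sets openid.sig on a positive assertion.
func SignAssertion(key []byte, p map[string]string) {
	p["openid.sig"] = base64.StdEncoding.EncodeToString(mac(key, p))
}

// RelyingParty is what the site remembers between redirecting the user and getting the assertion back.
type RelyingParty struct {
	ReturnTo    string          // URL we asked the OP to send the user back to
	ClaimedID   string          // identifier the user typed, normalised
	OPEndpoint  string          // OP that discovery (section 7.3) found for ClaimedID
	AssocHandle string          // association with that OP ...
	MACKey      []byte          // ... and its MAC key
	MaxSkew     time.Duration   // how far from now a response_nonce timestamp may be
	seen        map[string]bool // nonces already accepted, for replay detection
}

// VerifyAssertion runs the section 11 checks and returns the verified local
// identifier, or an error naming the check that failed.
func (rp *RelyingParty) VerifyAssertion(p map[string]string, now time.Time) (string, error) {
	// 11.1: sent to our return URL. 11.2: the OP vouching for the identifier is the one
	// discovery found for it, else any OP could vouch for anybody. 11.4: known association.
	for _, c := range []struct{ field, want string }{
		{"openid.ns", "http://specs.openid.net/auth/2.0"}, {"openid.mode", "id_res"},
		{"openid.return_to", rp.ReturnTo}, {"openid.op_endpoint", rp.OPEndpoint},
		{"openid.claimed_id", rp.ClaimedID}, {"openid.assoc_handle", rp.AssocHandle},
	} {
		if p[c.field] != c.want {
			return "", fmt.Errorf("%s does not match", c.field)
		}
	}
	for _, n := range []string{"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"} {
		if !strings.Contains(","+p["openid.signed"]+",", ","+n+",") { // 10.1: MUST be signed
			return "", fmt.Errorf("required field %s is not signed", n)
		}
	}
	sig, err := base64.StdEncoding.DecodeString(p["openid.sig"])
	if err != nil || !hmac.Equal(sig, mac(rp.MACKey, p)) {
		return "", fmt.Errorf("bad signature")
	}
	// 11.3: the first 20 characters of the nonce are a UTC timestamp. Reject stale and
	// reused nonces, recording them only after the MAC is good so junk cannot burn them.
	nonce := p["openid.response_nonce"]
	ts, err := time.Parse("2006-01-02T15:04:05Z", fmt.Sprintf("%.20s", nonce))
	if err != nil || now.Sub(ts) > rp.MaxSkew || ts.Sub(now) > rp.MaxSkew {
		return "", fmt.Errorf("response_nonce outside the accepted window")
	}
	if rp.seen[nonce] {
		return "", fmt.Errorf("response_nonce replayed")
	}
	rp.seen[nonce] = true
	return p["openid.identity"], nil
}

// NewSampleRP and SampleAssertion are constructed fixtures: every URL, handle, key
// and nonce here is made up for this example.
func NewSampleRP() *RelyingParty {
	return &RelyingParty{ReturnTo: "https://rp.example/openid/return",
		ClaimedID: "https://alice.op.example/", OPEndpoint: "https://op.example/auth",
		AssocHandle: "assoc-1", MACKey: []byte("constructed-32-byte-mac-key-0001"),
		MaxSkew: 5 * time.Minute, seen: map[string]bool{}}
}

func SampleAssertion(rp *RelyingParty, nonce string) map[string]string {
	p := map[string]string{"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
		"openid.op_endpoint": rp.OPEndpoint, "openid.claimed_id": rp.ClaimedID,
		"openid.identity": rp.ClaimedID, "openid.return_to": rp.ReturnTo,
		"openid.response_nonce": nonce, "openid.assoc_handle": rp.AssocHandle,
		"openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"}
	SignAssertion(rp.MACKey, p)
	return p
}

func main() {
	rp, now := NewSampleRP(), time.Date(2008, 11, 23, 10, 0, 30, 0, time.UTC)
	p := SampleAssertion(rp, "2008-11-23T10:00:00ZjHq3Ab")
	fmt.Println(rp.VerifyAssertion(p, now)) // https://alice.op.example/ <nil>
	fmt.Println(rp.VerifyAssertion(p, now)) // second presentation is rejected: response_nonce replayed
}
```

The check that op_endpoint and claimed_id match what discovery returned is the one that stops an arbitrary OP from asserting somebody else's identifier; the MAC stops anyone without the association key from editing the assertion in transit; the nonce stops a captured assertion from being replayed. None of this helps if the user typed their OP password into a look-alike OP page, which is the phishing problem the article goes on to raise: the protocol secures the assertion, not the user's judgement about where to type a password.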

The advantage with OpenID, of course, is that it is less time-consuming than registering with each site you visit and creating a username and password each time. It also saves you the trouble of remembering so many passwords. The weakness is that the OpenID becomes a single point of failure: if your OP account is compromised, the attacker can log on as you to every site that accepts it. And OpenID is as vulnerable to phishing as passwords themselves, if not more so: a normal login sends you from the site to your OP's login page, so users learn to type their OP password after a redirect, and a malicious site can just as easily send them to a look-alike page that harvests it.

However, OpenID is still in its nascent stages, and a lot of development is going on. It could lead to a scenario where a few trusted OPs issue OpenIDs backed by stronger authentication than passwords, and websites accept OpenIDs from one or more of those OPs. That stage, if it comes about, is definitely some years away.

Information Cards
Information Cards, promoted by the Information Card Foundation (ICF), rely on cryptography for authentication and do away with usernames and passwords altogether. There has been a lot of conceptual development and discussion about Information Cards, and practical deployments have now begun.

An identity provider issues you an Information Card, which lives on your PC in a card selector that you open from a desktop icon. To authenticate to a site that supports Information Cards, you select the card. The card itself is not a secret: it tells the selector which identity provider to ask, and the selector obtains from that provider a security token, signed by the provider and issued for that one site, which it hands to the site. The site checks the signature; no username or password ever passes between you and the site. It is possible to envisage a set of Information Cards, each of which can be used for authentication at several websites.

The advantage here is that in a single stroke, authentication moves beyond usernames and passwords, so the threat of password theft no longer applies. You also don't need to remember anything, so the days of being unable to log in because you forgot your password can be left behind. Since authentication rests on a signed token rather than a reusable secret, there is nothing for a phisher to capture and use elsewhere, and nothing stored at the site for an intruder to crack.
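To make the "exchanging cryptographic information" of the two paragraphs above concrete, here is an added example in Go. It is not code from the original post, from the Information Card Foundation or from any card selector, and it is a deliberately simplified stand-in for the real Information Card exchange (which uses WS-Trust and signed SAML tokens) rather than an implementation of it. It models what a managed card gives you: an identity provider signs a short-lived token naming the user and the one site it is for, and the site checks the signature with the provider's public key. Ed25519 is the signature scheme assumed here; every issuer, site, user and nonce name is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Claims is what the identity provider asserts when the user selects a card at a site.
// Audience ties the token to one relying party and Nonce to one login attempt.
type Claims struct {
	Issuer   string    `json:"iss"`
	Subject  string    `json:"sub"`
	Audience string    `json:"aud"`
	Nonce    string    `json:"nonce"`
	IssuedAt time.Time `json:"iat"`
	NotAfter time.Time `json:"exp"`
}

// Token is the signed assertion the site receives in place of a password.
type Token struct {
	Claims    []byte // serialised Claims, the exact bytes that were signed
	Signature []byte // Ed25519 signature by the issuer
}

// IdentityProvider holds the issuer's signing key; only the public half is shared.
type IdentityProvider struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIdentityProvider(name string) (*IdentityProvider, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{Name: name, Pub: pub, priv: priv}, nil
}

// Issue is what the card selector asks the provider for after the user picks a card at
// `audience`. The user proves who they are to the provider, never to the site.
func (idp *IdentityProvider) Issue(subject, audience, nonce string, now time.Time) (Token, error) {
	body, err := json.Marshal(Claims{Issuer: idp.Name, Subject: subject, Audience: audience,
		Nonce: nonce, IssuedAt: now, NotAfter: now.Add(5 * time.Minute)})
	if err != nil {
		return Token{}, err
	}
	return Token{Claims: body, Signature: ed25519.Sign(idp.priv, body)}, nil
}

// RelyingParty trusts a set of issuers by public key and accepts tokens only for itself.
type RelyingParty struct {
	Name           string
	TrustedIssuers map[string]ed25519.PublicKey
}

func NewRelyingParty(name string, idp *IdentityProvider) *RelyingParty {
	return &RelyingParty{Name: name, TrustedIssuers: map[string]ed25519.PublicKey{idp.Name: idp.Pub}}
}

// Verify checks issuer, signature, audience, nonce and validity window and returns the
// subject the issuer vouched for. The site never sees or stores a user secret.
func (rp *RelyingParty) Verify(tok Token, expectedNonce string, now time.Time) (string, error) {
	var c Claims
	if err := json.Unmarshal(tok.Claims, &c); err != nil {
		return "", err
	}
	pub, ok := rp.TrustedIssuers[c.Issuer]
	if !ok {
		return "", fmt.Errorf("untrusted issuer")
	}
	if !ed25519.Verify(pub, tok.Claims, tok.Signature) {
		return "", fmt.Errorf("bad signature")
	}
	if c.Audience != rp.Name {
		return "", fmt.Errorf("token was issued for a different site")
	}
	if c.Nonce != expectedNonce {
		return "", fmt.Errorf("nonce does not match this login attempt")
	}
	if now.Before(c.IssuedAt) || now.After(c.NotAfter) {
		return "", fmt.Errorf("token outside its validity window")
	}
	return c.Subject, nil
}

func main() {
	now := time.Date(2008, 11, 23, 10, 0, 0, 0, time.UTC)
	idp, _ := NewIdentityProvider("https://idp.example") // all names here are constructed
	bank := NewRelyingParty("https://bank.example", idp)
	tok, _ := idp.Issue("alice", bank.Name, "nonce-1", now)
	fmt.Println(bank.Verify(tok, "nonce-1", now)) // alice <nil>
	// A phishing site that got Alice to "log in" holds a token for itself, not for the bank.
	stolen, _ := idp.Issue("alice", "https://phish.example", "nonce-2", now)
	fmt.Println(bank.Verify(stolen, "nonce-2", now)) // rejected: issued for a different site
}
```

The audience check is what makes a token worthless to a phishing site: the most it can obtain by tricking the user is a token issued for itself, which the bank rejects, and the nonce and expiry stop a token captured in transit from being replayed later. What the pattern does not solve is the portability complaint the article raises next: the card, or at least a way to reach the provider that issued it, has to be available on whatever machine the user is logging in from.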

On the other hand, this system could take years to be implemented, because websites have to adopt it in place of the current login process. Also, the cryptographic keys and tokens behind Information Cards are generated by software on the user's computer, and many computers today don't yet have the requisite card-selector software installed.

Moreover, one issue with Information Cards is that since the cards are stored on your desktop, you cannot authenticate from any other machine. Logging in to certain websites from elsewhere will not be possible unless you copy your Information Cards to every machine you use, which multiplies the places they can be stolen from and so undermines security.

Some security experts also suggest that Information Cards should be used for authentication alongside OpenIDs. Since both technologies are fairly new and still under development, the future of their adoption and implementation is quite fluid. In the near future, it seems, a strong, hard-to-crack password is still the best bet.

2 comments:

Anonymous said...

www.MyOpenID.com does integrate OpenID with Infocard as well as CallVerifID out-of-band, phone-based multi-factor authentication. Also, for anyone looking to deploy OpenID on your websites, there are open source libraries at www.openidenabled.com or a free hosted service at http://rpxnow.com.

Anonymous said...

Contrary to the above report, information cards are not necessarily stored on your local machine. The Azigo information card selector is a rich client that provides information card functionality, but with the cards themselves stored at a web service, making your cards portable.

A 13th BOX Endeavour.