Identity 2.0 Security

Looking forward to you joining the conversation! The more security related analysis we have of Identity 2.0 at this point, the better it will be.

happy to hear that :)

This is the same as OpenID if I am not mistaken? If so, Single Signon is a terrible idea. You can't make life easier on the net. It's contradicting security. Sure it will happen, it already has. But it scares me.

Ronald, OpenID is not that bad idea. However, it will take some time for the majority of users to learn how to use it effectively and moreover securely. This is the main concern with OpenID, but otherwise it will be one of the best things that have happened to the Web.

No I have to disagree, it's like saying: buy this lock, it's safer. I think it's a sad fact that security just doesn't exist. It's a myth, and a bad nightmare. In the end that user will step into a snare one way or the other. Almost no one pays attention what those fools at Google are doing. They already have a single sign on, and anyone with too much free time, already knows that I can access any Google service of a user if he happens to visit my CSRF Iframe and happens to be logged in only one of them. I discovered that GMail, Adsense, Adwords, Analytics are still vulnerable to a critical degree. One cookie to rule them all, now that's a great idea. And yeah, teaching the user might be the biggest hurdle. Phishing will never stop because of the fact that you have to think like a conman in order not to be conned. Hence, that's why people still fall for those Nigerian money letter fools.

Ronald, no you are absolutely right, but single sign on mechanisms solve a huge problem. With the advances in Web2.0 technology it makes no sense to register for each service out there. It is ridiculous. Imagine that you have to type separate username/password for every application you use on your desktop. So yes, although identity centric system can be hacked, and I doubt that we ever going to find the right balance, there are a lot better then what we have at the moment, which is a total chaos.

Yeah, I always wonder what we try to solve here. OpenID only solves the strain of memorizing multiple passwords. But it doesn't solve a security issue, it might even weaken it. What if the sysadmin of OpenID has a password like this: qwerty123. Okay maybe not, but maybe he has it stored inside his GMail account, or uses the same pass for a forum.

sure, you are right. But when we use OpenID then we can afford to secure it as much as possible. I don't mind using keyfobs in this case. Two factor authentication with one-time password is considered pretty secure authentication mechanism. However, without OpenID we cannot even start thinking using this for every site out there. It makes no sense. What I would like to suggest is the following: Let's stick to OpenID but we need to add some enhancements to the browser. For example, the browse detects when we use OpenID for the sites we visit and automatically forces HTTPS. If HTTPS is not available then it just gives up with 404 message or whatever. Now, this won't prevent XSS or CSRF but it is a good start. Put the one-time password thing on the top and we have a system that scales well and it is a lot more secure then what we have today.

Yes that is true. In the end the internet was never designed to perform the stuff everyone demands. Even authentication and identification schemes were only designed for accessing certain restricted areas on a server. So basically we try to let this oldsmobile (the net) perform a F1 Grand prix. And I figured we need to build a new racecar. Or quit joining a grand prix and go back to plain text.

yes, but plain text is not cool so we are stuck with the oldsmobile. :) maybe we can compete on F1 Grand prix but let's make it at least convertible.

haha yes you beat me there. ^^