notbrainsurgery ([info]notbrainsurgery) wrote,
@ 2007-12-06 18:40:00
Entry tags:openid, paypal, rsa, securid

OpenID, SecurID
Looks like OpenID is finally becoming popular (can't wait for Blogger to enable it). If you want to have a secure OpenID, protected by an RSA SecurID hardware token, here is how to get one for just $5 (requires a PayPal account).

Speaking of PayPal and SecurID: why on earth do they not allow using one token with multiple accounts? I happen to have two (personal and business) and I hate the idea of carrying two tokens.




RSA's Go ID Authentication Service
[info]vinmclellan
2007-12-07 05:56 am UTC (link)

It won't help you with PayPal -- which has a different two-factor authentication (2FA) provider -- but RSA, now the security division of EMC, offers a network-based authentication service, Go ID, which does allow you to use the same SecurID (or a Go ID Toolbar, a browser-based token-emulation application) to access multiple accounts on systems hosted by different corporations, agencies, or organizations. Check out the Go ID solution brief, white papers, data sheets, and case studies at: http://www.rsa.com/node.aspx?id=3019.

Of course, for good or ill, these trust relationships are handled by the enterprises which provide you with the accounts, so this option is only available to a consumer or employee when you choose financial service providers (or employers!) who subscribe to RSA's Go ID service.

RSA makes this more attractive to banks and other financial service providers than it has been in the past, however, since they designed the Go ID Network to offer all the benefits of 2FA without forcing your providers to trust each other, at all -- or even RSA, very much.

With the Go ID Service, each local account provider maintains complete control over your account information, and each individually validates their own site-specific password each time you access your account at their Internet portal. They rely upon the RSA network connection only to validate the second authenticator, the SecurID's 60-second token-code: proof of physical access to the token. RSA, in turn, attests only to the fact that a specific token-code is valid: is, in fact, the token-code that should be generated by a SecurID, with a specific serial number, at this instant. RSA doesn't even know your name; it only knows the name of the institution which originally purchased that SecurID.

Multiple institutions, if they subscribe to the Go ID service, can all take advantage of the strong 2FA provided by a SecurID token (or Toolbar) issued by any one of them -- while maintaining complete control over its customer and account information. I'm biased, as I've been a consultant to RSA for many years, but as you put it, why on earth not simplify life? We need more than simple passwords in several places, and one-time passwords from tokens are a strong authentication option already in widespread use. One SecurID (or even several tokens) can access one account. One SecurID can access different accounts at multiple service providers. Nirvana, huh? No bulging pockets. No necklace of blinking tokens, unless you really really want one.

_Vin

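The split-trust model described in the comment above (provider checks its own password, a separate service vouches only that a token-code is right for a given serial number at this instant) is easy to misread as "the service authenticates the user". The following is an added example, not RSA's or Go ID's code, that sketches the division of knowledge in working Python. The token-code algorithm is an HMAC time-step stand-in in the style of RFC 6238, not the proprietary SecurID algorithm; the class names, the 60-second step, the one-step clock-skew allowance, the per-serial replay guard and the sample serial and account names are all assumptions made for the illustration.

```python
"""Added example (not RSA's code): split-trust two-factor login.

The ValidationService knows tokens only by serial number and answers one
question: "is this token-code the one serial S should show right now?"
The AccountProvider keeps user names, password hashes and the mapping
user -> serial, and checks the password itself before asking the service.
Token-codes here use an HMAC time-step scheme (RFC 6238 style), which is
a stand-in for the proprietary SecurID algorithm, not that algorithm.
"""
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 60   # the comment describes a 60-second token-code (assumption: aligned steps)
CODE_DIGITS = 6     # assumption: six-digit display
PBKDF2_ROUNDS = 100_000


def token_code(seed: bytes, step: int) -> str:
    """Token-code for one time step: HMAC-SHA256(seed, step), dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class ValidationService:
    """Sees serial numbers and seeds only; never learns an account name."""

    def __init__(self, skew_steps: int = 1):
        self._seeds = {}        # serial -> seed (assumption: loaded at token provisioning)
        self._last_step = {}    # serial -> highest step already accepted (replay guard)
        self.skew_steps = skew_steps

    def register_token(self, serial: str, seed: bytes) -> None:
        self._seeds[serial] = seed

    def validate(self, serial: str, code: str, now: float) -> bool:
        seed = self._seeds.get(serial)
        if seed is None:
            return False
        current = int(now // STEP_SECONDS)
        for step in range(current - self.skew_steps, current + self.skew_steps + 1):
            if step <= self._last_step.get(serial, -1):
                continue   # a code for this step was already consumed: reject replay
            if hmac.compare_digest(token_code(seed, step), code):
                self._last_step[serial] = step
                return True
        return False


class AccountProvider:
    """Owns the account records; delegates only the token-code check."""

    def __init__(self, name: str, service: ValidationService):
        self.name = name
        self.service = service
        self._users = {}   # username -> (salt, password hash, token serial)

    def enroll(self, username: str, password: str, serial: str) -> None:
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, pw_hash, serial)

    def login(self, username: str, password: str, code: str, now=None) -> bool:
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, pw_hash, serial = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, pw_hash):
            return False   # first factor is checked locally; the service is never asked
        now = time.time() if now is None else now
        # Second factor: only the serial and the code leave the provider.
        return self.service.validate(serial, code, now)


def demo() -> dict:
    """One token (constructed serial/seed) enrolled at two providers, exercised in order."""
    service = ValidationService()
    seed = secrets.token_bytes(20)
    service.register_token("000123456", seed)
    bank = AccountProvider("bank", service)
    broker = AccountProvider("broker", service)
    bank.enroll("alice", "bank-pass", "000123456")
    broker.enroll("a.smith", "broker-pass", "000123456")   # same token, different account
    now = 1_700_000_000.0
    step = int(now // STEP_SECONDS)
    r = {}
    r["skew_ok"] = bank.login("alice", "bank-pass", token_code(seed, step - 1), now)   # one step behind
    r["bank_ok"] = bank.login("alice", "bank-pass", token_code(seed, step), now)
    r["replay"] = bank.login("alice", "bank-pass", token_code(seed, step), now)        # same code again
    r["broker_next"] = broker.login("a.smith", "broker-pass", token_code(seed, step + 1), now + 60)
    r["wrong_pw"] = broker.login("a.smith", "bank-pass", token_code(seed, step + 2), now + 120)
    r["unknown_serial"] = service.validate("999999999", "000000", now)
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Two things worth noticing when you run it: the replay guard lives in the service, keyed by serial, so a code consumed at the bank cannot be replayed at the broker even though the two providers share nothing about the user; and the service still cannot tell which account was logging in, only that serial 000123456 was used.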

Re: RSA's Go ID Authentication Service
[info]notbrainsurgery
2008-01-13 04:16 am UTC (link)
I wonder if Go ID provides OpenID similar to VeriSign Labs' Personal Identity Provider.



Re: RSA's Go ID Authentication Service
(Anonymous)
2008-01-18 05:18 am UTC (link)
Query: "I wonder if Go ID provides OpenID similar to VeriSign Labs' Personal Identity Provider."

No, it does not. These are very different critters. (VeriSign, you'll note, makes no attempt to establish a bridge between its OpenID PIP credential, offered in a free service, and the various high-assurance credential systems for individuals it sells in its commercial businesses.)

RSA's various SecurID and digital certificate systems, including Go ID, are trust-laden high-assurance personal authentication systems: armored with secure protocols, and anchored in the care with which its enterprise customers validate the identity of an individual before a token or a smartcard is issued to him or her.

OpenID, by contrast, today provides a relying party with some light assurance that Visitor X is probably the same Visitor X who accessed this account with the same OpenID credential, some time earlier. OpenID is useful, doubtless, particularly in the Web's sprawling open ecosystems -- but it is quite a different class of credential than those offered by RSA's SecurID or similar strong authentication systems.

OpenID skipped all the heavy XML/WS-*/SOAP stuff in CardSpace, and because it does not rely on a PKI like SOAP does, it is light, flexible, and usable on an Internet-wide scale. The drawback to this scheme -- putting aside quibbles about the integrity of the evolving OpenID protocol -- is the fact that the level of assurance is so low: essentially, you know that it's probably the same user returning to reclaim access to the same account, but not much else.

I wouldn't be surprised to see strong authentication systems used as pre-authentication for identity metasystems like CardSpace and OpenID sometime soon -- but it's not yet clear how useful that will be. Trust doesn't always transfer (and seldom does it do so easily) in distributed systems.

The security and integrity model for the OpenID protocol is, of course, still under construction -- and where it will go, and what attributes its credentials might eventually carry, is still uncertain. Today, there is no guarantee that OpenID will even be able to provide its relying parties with a clear indication of what type of identity verification was involved in the original issuance of a given OpenID credential.

Suerte,
_Vin


Re: RSA's Go ID Authentication Service
(Anonymous)
2008-03-11 05:32 am UTC (link)
Boy this is biased. OpenID provides a lot higher level of security than you seem to suggest. The facts are that OpenID provides a very reasonable level of security, and supports two-factor security via services like VeriSign, and certificate-based authentication via services such as myopenid.


Multi-factor Authentication
[info]http://openid.trustbearer.com/steve
2008-02-13 04:09 pm UTC (link)
The team I work with is developing a beta implementation of strong, multi-factor authentication for OpenID that allows you to use many different devices: TrustBearer OpenID (http://openid.trustbearer.com).

We've been concentrating on a simple user experience at this point, and we are interested to learn what sort of features users will look for in this type of implementation.

With our implementation, you just set up a strong authentication device and then link the device to your OpenID URL.


Re: Multi-factor Authentication
(Anonymous)
2008-02-14 03:15 am UTC (link)
This doesn't support those OTP tokens yet. Not that that's an issue, since OTP users can use VeriSign, and PKI users can use TrustBearer.


Re: Multi-factor Authentication
[info]http://openid.trustbearer.com/steve
2008-02-15 06:14 pm UTC (link)
Right, we may look at supporting one-time passwords, but at this point we concentrate mostly on smart-card-type devices and devices that use biometrics; these include the cards that more government employees use.

We are especially fond of smaller USB tokens, because they work plug-and-play; not that entering an OTP is too huge of a hassle.



(Anonymous)
2007-12-20 11:05 pm UTC (link)
hey, does the tracker really work?



(Anonymous)
2008-02-26 12:40 pm UTC (link)
PayPal is not using the SecurID token. For better or worse, they are using a token designed by the folks @ VeriSign.


