Easily Reset Passwords and OpenID
September 20th 2008 08:12 am
It’s no surprise that someone managed to reset Sarah Palin’s password on a freebie e-mail account. She’s a public figure and the answers to her so-called “security questions” are on the public record. It’s one thing to do personal and political e-mail on a Yahoo account but it’s DUMB to use such an account for government business when you have your very own support staff to keep that e-mail secure.
Large scale vendors like Yahoo and Google can’t help but do a bad job at authentication. This is why OpenID poses such promise - it lets us choose our authentication provider. Yes, some people will choose bad vendors. Careful people, however, get to choose safe ones.
Because of lax password resetting, it’s IMPOSSIBLE to keep most free e-mail accounts secure. Vendors like Yahoo can’t afford to personalize authentication very much, or put much effort into authenticating people who ask for a password reset. They make things easy because they need to keep things cheap.
Ironically, most of these free e-mail vendors act as OpenID providers, issuing OpenID identities backed by these poorly secured personal accounts. What they don’t do is accept OpenID when you log in to their own services, so you’re stuck with their insecure authentication. If Yahoo actually accepted OpenID for authentication, then users could log in to Yahoo e-mail with strong authentication from a provider of their choosing.
Strong authentication relies on more than a memorized password that can be sniffed or phished. For example, Yahoo users could go to a vendor like Verisign’s PIP, which offers token-based authentication at $5 a pop (buy the “Paypal” token). MyOpenID also supports a process called “CallVerifID” that uses your cell phone as part of the authentication process.
Tokens don’t eliminate the problem of lost authentication credentials: you can, of course, lose the token. But they make the authentication stronger, and that’s worth doing if you are relying on it to protect a lot of material. Moreover, you’re less likely to lose authentication credentials that you use all the time.
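To make the token argument concrete, here is an added example (not code from the original post, and not Verisign’s or MyOpenID’s implementation) of what a server does when it requires both a password and a one-time code from a hardware token. It models the token on the OATH HOTP algorithm (RFC 4226), which is an assumption about how such tokens work rather than something the post states; the token seed is the RFC’s published test-vector seed so the codes are reproducible, and the user record and password are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed sample token seed: the RFC 4226 test-vector secret, used only so
# that the one-time codes below are reproducible. A real token would carry a
# random seed shared only with the authentication server.
TOKEN_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a short decimal code."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = ((digest[offset] & 0x7F) << 24
              | digest[offset + 1] << 16
              | digest[offset + 2] << 8
              | digest[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2 so a leaked database doesn't hand out the password itself."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class TwoFactorVerifier:
    """Server-side login check: the password AND a one-time token code.

    A sniffed or phished code is useless after it has been accepted once,
    because the server's counter moves past it."""

    # How many unused counter values we tolerate, e.g. the user pressed the
    # token's button a few times without completing a login.
    LOOK_AHEAD = 5

    def __init__(self, password: str, seed: bytes):
        self.salt, self.pw_hash = hash_password(password)
        self.seed = seed
        self.counter = 0  # next counter value we expect from the token

    def _password_ok(self, password: str) -> bool:
        _, candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.pw_hash)

    def login(self, password: str, code: str) -> bool:
        # Always evaluate the password so timing doesn't reveal which factor failed.
        pw_ok = self._password_ok(password)
        for c in range(self.counter, self.counter + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(self.seed, c), code):
                if pw_ok:
                    # Burn this code and any skipped ones: replays now fail.
                    self.counter = c + 1
                    return True
                return False  # right token, wrong password: still a failure
        return False  # code is stale, replayed, or simply wrong
```

The `counter` field is the whole point: once a code is used, it and everything before it is dead, so the attacker who captured it over the wire or through a phishing page gets nothing, which is exactly why a memorized password alone is the weaker factor.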
I really believe the password resetting problem will be dramatically reduced if we can focus on memorizing a much smaller number of passwords.
Obviously, not all OpenID providers offer secure authentication - after all, Yahoo and Google are themselves OpenID providers. But OpenID gives you a choice - you aren’t stuck with bad authentication.