OpenID - Reforging the Ring into a Chain (aka How to Fix OpenID)
By WillYum. Thursday, 19. March 2009, 23:45:39
[Part 3]
Now, I’ve been harsh on the one-ring, OpenID, but in truth I’m very interested in “unified login”. Really I would like having less passwords and more transparent Internet access. I hate managing passwords (or in my case, like many, mismanaging).
So, what’s the answer?
Instead of a single ring, we need to build a strong chain. Luckily, much of what OpenID has provided could, theoretically be harnessed as I’m about to suggest. Since this article is directed toward the average user, I’m going to use an analogy before diving into my theoretical technical discussion.
Back to that real world scenario, a keycard that unlocks everything. Dangerous, right? Most people would see the inherent danger in having a single key for everything. Really, though, it isn’t the single key, it’s this question, “How do you know you can trust the keyhole?” – That is, if anyone could make a copy of your key very easily, you’d want to make sure you only stuck your key in trusted keyholes.
So, let’s take the danger of a “keyhole” copying your key out of the equation. How do we do that?
Make the keycard worthless until you verify it.
“Huh?” – Seriously, what if your keycard was completely worthless and disabled until you put it into, let’s just say for fun, your cell phone. Let’s say this make-believe cell phone has a simple program that accepts your username and password, verifies it against a central database and then unlocks your keycard.
Then your card would be active until you close the program on your phone or it’s shut off or whatever the software states. Not exactly as easy as just a card would be but way more secure because as soon as you pull it from your phone, the key is rendered useless. So long as you only enter your username and password into your trusted phone, your keycard can’t just be copied easily.
In other words, we cast the one-ring back into the fiery forge and instead build a chain, a strong one.
So, let’s translate this into the online world. What’s the online analogy to this magical cell phone or this stronger chain? Web Browsers.
They are the missing link.
As of now the OpenID system relies on only two parties to verify a safe connection: the user and the webpage. A user can be dupped, a webpage copied.
Any successful unified login system should rely on something more trustworthy and should eliminate the idea of putting a username and password into a web page. It should represent a fundamental shift in user behavior, to assist in providing more inherent security.
This is where a web browser could step in and provide a robust solution. It could maintain your authentication with your OpenID Provider.
You choose your OpenID Provider and whenever a website makes some sort of OpenID request the browser handles the transaction instead of a websites. When you enter your OpenID information, it always sends to the proper domain (your OpenID Provider). Then you train users to only ever enter that OpenID Username and password combination into a web browser when they click that “OpenID Login” button.
Imagine this flow:
Initial Login:
A user opens their preferred browser and begins surfing, they go to check their email and it simply shows the OpenID Logo and says “Use your web browser to log into your email account by clicking the OpenID button” – the browser pops up a native but very counterfeit resistant display. It sends that information to the trusted server, only. There’s no list’s for browsers to maintain here, just use the OpenID protocol (preferably using SSL).
The page reloads after the data submission and… voila!
Encountering a new site:
Now suppose you go to www.SomeNewWebsite.net and they want you to login but they have the OpenID mark. You don’t click anything on the webpage but instead click your OpenID button on the web browser. It pops up that counterfeit resistant display again and asks, “Do you wish to provide www.SomeNewWebsite.net access to your OpenID?”
The browser doesn’t keep track, it simply handles the transactions with the OpenID Provider in a context that makes it clear that it is “out of band” (that term from Mr. Slot).
A note on the “counterfeit resistant login display” – This is obviously an important component to making OpenID Login truly out of band. I would suggest something that dims the entire browser interface and shows only username and password inputs. Better: temporarily minimize the whole window, showing a background you can recognize (your desktop). Whatever it is, some behavior a website can’t duplicate with internal coding.
Obviously, there are still potential pitfalls, a user might accidently download a virus that corrupts their web browser. Browsers might try to become OpenID providers themselves (yuck). Different implementations of a counterfeit resistant login display might be confusing or impractical, or worse, they might be easily mimicked by clever website coding. These are relatively small technical challenges in comparison to the major advantage over the current OpenID implementation: Security and usability.
The other challenge I conveniently skip over is how to have browsers submit OpenID Identifier (very loosely translated: username) to a website displaying the OpenID Logo. I would propose a method whereby hidden input fields are standardized for use in OpenID. Browser developers, however, would probably be best at determining how to handle this.
The advantage of this system, though, is compelling: A unified login system with a forced behavioral change to provide heightened security against relatively easy phishing attacks.
I can explain to someone or anyone (grandma or brother), “Never, ever, ever enter your OpenID username and password into a website. Never do it. Ever.” – That is a rule that is simple. “Only enter it into your browser.” A browser then can set a default OpenID timeout when it automatically logs out. It can clear your OpenID data when you close it. It can prompt you later. You can set your own user preferences.
In other words this is a very simple workflow path that allows users one proper method and if they use the same browser, a similar behavior that will become habitual. Anything else, they can say, “that stinks”.
Now, that is an OpenID protocol I could get onboard with. Assuming you could get Internet Explorer, Safari, Firefox, Android, our dearly beloved Opera, and all the rest to implement a standard.
Comments?
Yum
WillYum is a Internet aficionado and all around security junkie since 1995. This is an overview article on a difficult technical problem presenting one possible solution.
Now, I’ve been harsh on the one-ring, OpenID, but in truth I’m very interested in “unified login”. Really I would like having less passwords and more transparent Internet access. I hate managing passwords (or in my case, like many, mismanaging).
So, what’s the answer?
Instead of a single ring, we need to build a strong chain. Luckily, much of what OpenID has provided could, theoretically be harnessed as I’m about to suggest. Since this article is directed toward the average user, I’m going to use an analogy before diving into my theoretical technical discussion.
Back to that real world scenario, a keycard that unlocks everything. Dangerous, right? Most people would see the inherent danger in having a single key for everything. Really, though, it isn’t the single key, it’s this question, “How do you know you can trust the keyhole?” – That is, if anyone could make a copy of your key very easily, you’d want to make sure you only stuck your key in trusted keyholes.
So, let’s take the danger of a “keyhole” copying your key out of the equation. How do we do that?
Make the keycard worthless until you verify it.
“Huh?” – Seriously, what if your keycard was completely worthless and disabled until you put it into, let’s just say for fun, your cell phone. Let’s say this make-believe cell phone has a simple program that accepts your username and password, verifies it against a central database and then unlocks your keycard.
Then your card would be active until you close the program on your phone or it’s shut off or whatever the software states. Not exactly as easy as just a card would be but way more secure because as soon as you pull it from your phone, the key is rendered useless. So long as you only enter your username and password into your trusted phone, your keycard can’t just be copied easily.
In other words, we cast the one-ring back into the fiery forge and instead build a chain, a strong one.
So, let’s translate this into the online world. What’s the online analogy to this magical cell phone or this stronger chain? Web Browsers.
They are the missing link.
As of now the OpenID system relies on only two parties to verify a safe connection: the user and the webpage. A user can be dupped, a webpage copied.
Any successful unified login system should rely on something more trustworthy and should eliminate the idea of putting a username and password into a web page. It should represent a fundamental shift in user behavior, to assist in providing more inherent security.
This is where a web browser could step in and provide a robust solution. It could maintain your authentication with your OpenID Provider.
You choose your OpenID Provider and whenever a website makes some sort of OpenID request the browser handles the transaction instead of a websites. When you enter your OpenID information, it always sends to the proper domain (your OpenID Provider). Then you train users to only ever enter that OpenID Username and password combination into a web browser when they click that “OpenID Login” button.
Imagine this flow:
Initial Login:
A user opens their preferred browser and begins surfing, they go to check their email and it simply shows the OpenID Logo and says “Use your web browser to log into your email account by clicking the OpenID button” – the browser pops up a native but very counterfeit resistant display. It sends that information to the trusted server, only. There’s no list’s for browsers to maintain here, just use the OpenID protocol (preferably using SSL).
The page reloads after the data submission and… voila!
Encountering a new site:
Now suppose you go to www.SomeNewWebsite.net and they want you to login but they have the OpenID mark. You don’t click anything on the webpage but instead click your OpenID button on the web browser. It pops up that counterfeit resistant display again and asks, “Do you wish to provide www.SomeNewWebsite.net access to your OpenID?”
The browser doesn’t keep track, it simply handles the transactions with the OpenID Provider in a context that makes it clear that it is “out of band” (that term from Mr. Slot).
A note on the “counterfeit resistant login display” – This is obviously an important component to making OpenID Login truly out of band. I would suggest something that dims the entire browser interface and shows only username and password inputs. Better: temporarily minimize the whole window, showing a background you can recognize (your desktop). Whatever it is, some behavior a website can’t duplicate with internal coding.
Obviously, there are still potential pitfalls, a user might accidently download a virus that corrupts their web browser. Browsers might try to become OpenID providers themselves (yuck). Different implementations of a counterfeit resistant login display might be confusing or impractical, or worse, they might be easily mimicked by clever website coding. These are relatively small technical challenges in comparison to the major advantage over the current OpenID implementation: Security and usability.
The other challenge I conveniently skip over is how to have browsers submit OpenID Identifier (very loosely translated: username) to a website displaying the OpenID Logo. I would propose a method whereby hidden input fields are standardized for use in OpenID. Browser developers, however, would probably be best at determining how to handle this.
The advantage of this system, though, is compelling: A unified login system with a forced behavioral change to provide heightened security against relatively easy phishing attacks.
I can explain to someone or anyone (grandma or brother), “Never, ever, ever enter your OpenID username and password into a website. Never do it. Ever.” – That is a rule that is simple. “Only enter it into your browser.” A browser then can set a default OpenID timeout when it automatically logs out. It can clear your OpenID data when you close it. It can prompt you later. You can set your own user preferences.
In other words this is a very simple workflow path that allows users one proper method and if they use the same browser, a similar behavior that will become habitual. Anything else, they can say, “that stinks”.
Now, that is an OpenID protocol I could get onboard with. Assuming you could get Internet Explorer, Safari, Firefox, Android, our dearly beloved Opera, and all the rest to implement a standard.
Comments?
Yum
WillYum is a Internet aficionado and all around security junkie since 1995. This is an overview article on a difficult technical problem presenting one possible solution.
WIDGETIZE
drlaunch # 20. March 2009, 01:21
The website could contain the following tag in the <head> section.
It could also be included inline in the head tag using the <xrds> tag.
The file includes the OpenID protocol information the website usually passes to the OpenID provider, but now it's read by the browser instead.
The browser displays its OpenID interface and takes on the role of handling the OpenID login and the website authentication data. The website sits ready to recieve the OpenID data like before, but this time from the browser itself.
The great thing about this is that none or very few additions are needed to the OpenID protocol. Browser vendors just need to add support for it.
WillYum # 20. March 2009, 01:41
Anonymous # 20. March 2009, 02:32
Interesting thoughts on OpenID. There are a few things that should be mentioned as well.
1. OpenID as you mentioned is an authentication scheme. Which means it just says that you are who you say you are. It's not for authorizing what actions a person has on a web page. I know that authentication and authorization go pretty much hand-in-hand but it should be noted that OpenID is about authentication (See OAuth for authorization ...), so that brings me to point number 2
2. Even though OpenID is a Single-Sign-On system it's not a One-Size-Fits all system. There are clearly some sites that could benefit from OpenID right now despite some flaws which the author has pointed out. These sites are ones that want to know who you are, but aren't protecting very sensitive information. Such as ABC.com asking you to login before you can download the wallpaper of there latest primetime hit show. Or a site that shortens URLs offers some extra tracking on URLs and gives you a grouping of URLs you've shortened because you where logged in when you shortened them. If you're tracking highly sensitive or valuable information OpenID may not be the way to go right now.. but they're working on it (check out Japan... they're buy plane tickets using OpenID attribute exchange with digital signatures... cool stuff)
3. OpenID was envisioned as a Single-Sign-On that any one could set up themselves if they owned a domain name and could write to a file hosted under the domain name. This decentralization is becoming obscured because of the big players entering the scene, but none the less, it gives you ultimate control over a protection scheme that makes you feel comfortable. i.e. you can have additional information required on the server which a phisher couldn't possibly know about...
4. The fear of the Big OpenID Providers tracking your every move is real, but in today's interconnected world an impracticality. If you've ever used Facebook, MySpace, Google, Yahoo or any other site, you've already given a ton of "private" information away. Not to mention using things "offline", such as Credit Cards can be used to invade privacy. The OpenID providers inline with these other large information aggregating companies needs to be regulated and legislated. It's not a problem that would simply, "go away" if OpenID is not used.
One ending note about putting the authorization in the browser may sound more secure, but it may be less secure as well. The reason is, because many times a bug may be introduced in a browser and it may not be upgraded or replaced for a variety of reasons for some time, exposing a threat well past its prime. Case in point Internet Explorer 6 was released in 2001 and has many *known* issues yet still is in wide spread use (8 years later!). But concentrating development efforts of servers and providers could provide the best utility for correcting problems and keeping the system up to date.
OpenID is not prefect, but it's not particularly doomed as well.
Some thoughts from a guy on the XRI-TC committee (whom he doesn't represent with this post)
Nika
Anonymous # 20. March 2009, 03:06
Some Single Sign On thoughts here as well. http://xditao.blogspot.com/2009/03/what-is-sso.html
drlaunch # 20. March 2009, 03:15
WillYum # 20. March 2009, 03:24
I appreciate the feedback. Great points from someone more technically knowledgable. Though that is the caveat, isn't it? For OpenID to be widely adopted, it must be accessible to those who have no technical know-how. That's where the actions of the big OpenID Providers come into play. They set the primary adoption method and implementation.
1) Authorization v. Authentication. Really, in terms of non-financial system, as you acknowledge, it's nearly one-in-the-same. I'd love for it to work for everything but that means strong safeguards.
2) Obviously, no standard will fit the bill for everyone (as you say, one-size-fits-all). Yes, can we get close? I think the beauty of a unified login method is that a wide margin of websites can implement it successfully and a wide swath of average users find it usable. Right now, they get the username/password model. OpenID, in it's raw form, is a bit more difficult to understand, let alone explain in a sentence. And yes, one day I want to be able to buy an airline ticket while logged in.
3) Open authentication even if I want to be the one to claim I'm the one! Heh. Excellent point, I hope we never lose that capability. It's precious. The reality, though, is most will choose the path of least resistance, currently that's your email provider.
4)
As for browsers being buggy. Yes, they have certainly been known to have bugs and more than a few related to security, however, I'd rather fight the bug battle than the easy phishing battle. I've no doubt that phishers will find a way to crack open a browser but that's one more obstacle, as oppossed to the current state of things... no obstacle.
I'm not as assured about OpenID, as you are. After much consideration and my post on how I think it could be done right, I hope it succeeds so I can stop trying to remember my 5 bajillion passwords (and failing). That said, I feel like I'm watching the Titanic about to set sail... and yes, I'd rather she stay at port than go out to open sea without serious safety precautions.
Thank you again.
Yum
drlaunch # 20. March 2009, 12:45
Eddie_Lopez # 27. March 2009, 16:01
Link removed unless you can justify it as being relevant to the topic.