My OperaOpenID - Reforging the Ring into a Chain (aka How to Fix OpenID)
By WillYum. Thursday, March 19, 2009 11:45:39 PM
[Part 3]
Now, I’ve been harsh on the one-ring, OpenID, but in truth I’m very interested in “unified login”. Really I would like having less passwords and more transparent Internet access. I hate managing passwords (or in my case, like many, mismanaging).
So, what’s the answer?
Instead of a single ring, we need to build a strong chain. Luckily, much of what OpenID has provided could, theoretically be harnessed as I’m about to suggest. Since this article is directed toward the average user, I’m going to use an analogy before diving into my theoretical technical discussion.
Back to that real world scenario, a keycard that unlocks everything. Dangerous, right? Most people would see the inherent danger in having a single key for everything. Really, though, it isn’t the single key, it’s this question, “How do you know you can trust the keyhole?” – That is, if anyone could make a copy of your key very easily, you’d want to make sure you only stuck your key in trusted keyholes.
So, let’s take the danger of a “keyhole” copying your key out of the equation. How do we do that?
Make the keycard worthless until you verify it.
“Huh?” – Seriously, what if your keycard was completely worthless and disabled until you put it into, let’s just say for fun, your cell phone. Let’s say this make-believe cell phone has a simple program that accepts your username and password, verifies it against a central database and then unlocks your keycard.
Then your card would be active until you close the program on your phone or it’s shut off or whatever the software states. Not exactly as easy as just a card would be but way more secure because as soon as you pull it from your phone, the key is rendered useless. So long as you only enter your username and password into your trusted phone, your keycard can’t just be copied easily.
In other words, we cast the one-ring back into the fiery forge and instead build a chain, a strong one.
So, let’s translate this into the online world. What’s the online analogy to this magical cell phone or this stronger chain? Web Browsers.
They are the missing link.
As of now the OpenID system relies on only two parties to verify a safe connection: the user and the webpage. A user can be dupped, a webpage copied.
Any successful unified login system should rely on something more trustworthy and should eliminate the idea of putting a username and password into a web page. It should represent a fundamental shift in user behavior, to assist in providing more inherent security.
This is where a web browser could step in and provide a robust solution. It could maintain your authentication with your OpenID Provider.
You choose your OpenID Provider and whenever a website makes some sort of OpenID request the browser handles the transaction instead of a websites. When you enter your OpenID information, it always sends to the proper domain (your OpenID Provider). Then you train users to only ever enter that OpenID Username and password combination into a web browser when they click that “OpenID Login” button.
Imagine this flow:
Initial Login:
A user opens their preferred browser and begins surfing, they go to check their email and it simply shows the OpenID Logo and says “Use your web browser to log into your email account by clicking the OpenID button” – the browser pops up a native but very counterfeit resistant display. It sends that information to the trusted server, only. There’s no list’s for browsers to maintain here, just use the OpenID protocol (preferably using SSL).
The page reloads after the data submission and… voila!
Encountering a new site:
Now suppose you go to www.SomeNewWebsite.net and they want you to login but they have the OpenID mark. You don’t click anything on the webpage but instead click your OpenID button on the web browser. It pops up that counterfeit resistant display again and asks, “Do you wish to provide www.SomeNewWebsite.net access to your OpenID?”
The browser doesn’t keep track, it simply handles the transactions with the OpenID Provider in a context that makes it clear that it is “out of band” (that term from Mr. Slot).
A note on the “counterfeit resistant login display” – This is obviously an important component to making OpenID Login truly out of band. I would suggest something that dims the entire browser interface and shows only username and password inputs. Better: temporarily minimize the whole window, showing a background you can recognize (your desktop). Whatever it is, some behavior a website can’t duplicate with internal coding.
Obviously, there are still potential pitfalls, a user might accidently download a virus that corrupts their web browser. Browsers might try to become OpenID providers themselves (yuck). Different implementations of a counterfeit resistant login display might be confusing or impractical, or worse, they might be easily mimicked by clever website coding. These are relatively small technical challenges in comparison to the major advantage over the current OpenID implementation: Security and usability.
The other challenge I conveniently skip over is how to have browsers submit OpenID Identifier (very loosely translated: username) to a website displaying the OpenID Logo. I would propose a method whereby hidden input fields are standardized for use in OpenID. Browser developers, however, would probably be best at determining how to handle this.
The advantage of this system, though, is compelling: A unified login system with a forced behavioral change to provide heightened security against relatively easy phishing attacks.
I can explain to someone or anyone (grandma or brother), “Never, ever, ever enter your OpenID username and password into a website. Never do it. Ever.” – That is a rule that is simple. “Only enter it into your browser.” A browser then can set a default OpenID timeout when it automatically logs out. It can clear your OpenID data when you close it. It can prompt you later. You can set your own user preferences.
In other words this is a very simple workflow path that allows users one proper method and if they use the same browser, a similar behavior that will become habitual. Anything else, they can say, “that stinks”.
Now, that is an OpenID protocol I could get onboard with. Assuming you could get Internet Explorer, Safari, Firefox, Android, our dearly beloved Opera, and all the rest to implement a standard.
Comments?
Yum
WillYum is a Internet aficionado and all around security junkie since 1995. This is an overview article on a difficult technical problem presenting one possible solution.
Now, I’ve been harsh on the one-ring, OpenID, but in truth I’m very interested in “unified login”. Really I would like having less passwords and more transparent Internet access. I hate managing passwords (or in my case, like many, mismanaging).
So, what’s the answer?
Instead of a single ring, we need to build a strong chain. Luckily, much of what OpenID has provided could, theoretically be harnessed as I’m about to suggest. Since this article is directed toward the average user, I’m going to use an analogy before diving into my theoretical technical discussion.
Back to that real world scenario, a keycard that unlocks everything. Dangerous, right? Most people would see the inherent danger in having a single key for everything. Really, though, it isn’t the single key, it’s this question, “How do you know you can trust the keyhole?” – That is, if anyone could make a copy of your key very easily, you’d want to make sure you only stuck your key in trusted keyholes.
So, let’s take the danger of a “keyhole” copying your key out of the equation. How do we do that?
Make the keycard worthless until you verify it.
“Huh?” – Seriously, what if your keycard was completely worthless and disabled until you put it into, let’s just say for fun, your cell phone. Let’s say this make-believe cell phone has a simple program that accepts your username and password, verifies it against a central database and then unlocks your keycard.
Then your card would be active until you close the program on your phone or it’s shut off or whatever the software states. Not exactly as easy as just a card would be but way more secure because as soon as you pull it from your phone, the key is rendered useless. So long as you only enter your username and password into your trusted phone, your keycard can’t just be copied easily.
In other words, we cast the one-ring back into the fiery forge and instead build a chain, a strong one.
So, let’s translate this into the online world. What’s the online analogy to this magical cell phone or this stronger chain? Web Browsers.
They are the missing link.
As of now the OpenID system relies on only two parties to verify a safe connection: the user and the webpage. A user can be dupped, a webpage copied.
Any successful unified login system should rely on something more trustworthy and should eliminate the idea of putting a username and password into a web page. It should represent a fundamental shift in user behavior, to assist in providing more inherent security.
This is where a web browser could step in and provide a robust solution. It could maintain your authentication with your OpenID Provider.
You choose your OpenID Provider and whenever a website makes some sort of OpenID request the browser handles the transaction instead of a websites. When you enter your OpenID information, it always sends to the proper domain (your OpenID Provider). Then you train users to only ever enter that OpenID Username and password combination into a web browser when they click that “OpenID Login” button.
Imagine this flow:
Initial Login:
A user opens their preferred browser and begins surfing, they go to check their email and it simply shows the OpenID Logo and says “Use your web browser to log into your email account by clicking the OpenID button” – the browser pops up a native but very counterfeit resistant display. It sends that information to the trusted server, only. There’s no list’s for browsers to maintain here, just use the OpenID protocol (preferably using SSL).
The page reloads after the data submission and… voila!
Encountering a new site:
Now suppose you go to www.SomeNewWebsite.net and they want you to login but they have the OpenID mark. You don’t click anything on the webpage but instead click your OpenID button on the web browser. It pops up that counterfeit resistant display again and asks, “Do you wish to provide www.SomeNewWebsite.net access to your OpenID?”
The browser doesn’t keep track, it simply handles the transactions with the OpenID Provider in a context that makes it clear that it is “out of band” (that term from Mr. Slot).
A note on the “counterfeit resistant login display” – This is obviously an important component to making OpenID Login truly out of band. I would suggest something that dims the entire browser interface and shows only username and password inputs. Better: temporarily minimize the whole window, showing a background you can recognize (your desktop). Whatever it is, some behavior a website can’t duplicate with internal coding.
Obviously, there are still potential pitfalls, a user might accidently download a virus that corrupts their web browser. Browsers might try to become OpenID providers themselves (yuck). Different implementations of a counterfeit resistant login display might be confusing or impractical, or worse, they might be easily mimicked by clever website coding. These are relatively small technical challenges in comparison to the major advantage over the current OpenID implementation: Security and usability.
The other challenge I conveniently skip over is how to have browsers submit OpenID Identifier (very loosely translated: username) to a website displaying the OpenID Logo. I would propose a method whereby hidden input fields are standardized for use in OpenID. Browser developers, however, would probably be best at determining how to handle this.
The advantage of this system, though, is compelling: A unified login system with a forced behavioral change to provide heightened security against relatively easy phishing attacks.
I can explain to someone or anyone (grandma or brother), “Never, ever, ever enter your OpenID username and password into a website. Never do it. Ever.” – That is a rule that is simple. “Only enter it into your browser.” A browser then can set a default OpenID timeout when it automatically logs out. It can clear your OpenID data when you close it. It can prompt you later. You can set your own user preferences.
In other words this is a very simple workflow path that allows users one proper method and if they use the same browser, a similar behavior that will become habitual. Anything else, they can say, “that stinks”.
Now, that is an OpenID protocol I could get onboard with. Assuming you could get Internet Explorer, Safari, Firefox, Android, our dearly beloved Opera, and all the rest to implement a standard.
Comments?
Yum
WillYum is a Internet aficionado and all around security junkie since 1995. This is an overview article on a difficult technical problem presenting one possible solution.
Knut Remi "DrLaunch" Løvlidrlaunch # Friday, March 20, 2009 1:21:19 AM
The website could contain the following tag in the <head> section.
It could also be included inline in the head tag using the <xrds> tag.
The file includes the OpenID protocol information the website usually passes to the OpenID provider, but now it's read by the browser instead.
The browser displays its OpenID interface and takes on the role of handling the OpenID login and the website authentication data. The website sits ready to recieve the OpenID data like before, but this time from the browser itself.
The great thing about this is that none or very few additions are needed to the OpenID protocol. Browser vendors just need to add support for it.
WillYum # Friday, March 20, 2009 1:41:54 AM
Anonymous # Friday, March 20, 2009 2:32:59 AM
Anonymous # Friday, March 20, 2009 3:06:41 AM
Knut Remi "DrLaunch" Løvlidrlaunch # Friday, March 20, 2009 3:15:10 AM
WillYum # Friday, March 20, 2009 3:24:46 AM
I appreciate the feedback. Great points from someone more technically knowledgable. Though that is the caveat, isn't it? For OpenID to be widely adopted, it must be accessible to those who have no technical know-how. That's where the actions of the big OpenID Providers come into play. They set the primary adoption method and implementation.
1) Authorization v. Authentication. Really, in terms of non-financial system, as you acknowledge, it's nearly one-in-the-same. I'd love for it to work for everything but that means strong safeguards.
2) Obviously, no standard will fit the bill for everyone (as you say, one-size-fits-all). Yes, can we get close? I think the beauty of a unified login method is that a wide margin of websites can implement it successfully and a wide swath of average users find it usable. Right now, they get the username/password model. OpenID, in it's raw form, is a bit more difficult to understand, let alone explain in a sentence. And yes, one day I want to be able to buy an airline ticket while logged in.
3) Open authentication even if I want to be the one to claim I'm the one! Heh. Excellent point, I hope we never lose that capability. It's precious. The reality, though, is most will choose the path of least resistance, currently that's your email provider.
4)
As for browsers being buggy. Yes, they have certainly been known to have bugs and more than a few related to security, however, I'd rather fight the bug battle than the easy phishing battle. I've no doubt that phishers will find a way to crack open a browser but that's one more obstacle, as oppossed to the current state of things... no obstacle.
I'm not as assured about OpenID, as you are. After much consideration and my post on how I think it could be done right, I hope it succeeds so I can stop trying to remember my 5 bajillion passwords (and failing). That said, I feel like I'm watching the Titanic about to set sail... and yes, I'd rather she stay at port than go out to open sea without serious safety precautions.
Thank you again.
Yum
Knut Remi "DrLaunch" Løvlidrlaunch # Friday, March 20, 2009 12:45:30 PM
Eddie LopezEddie_Lopez # Friday, March 27, 2009 4:01:37 PM
Link removed unless you can justify it as being relevant to the topic.