Extreme WebMail Login Security with OpenID
Now that LuxSci supports OpenID as an option for logging into WebMail, it raises the questions: “Just how secure is OpenID?” and “Does this new technology allow for more secure logins?” In short, the security of OpenID can vary from very poor to extremely iron-clad. OpenID does allow you to make your logins to WebMail “bullet-proof”, if you set things up appropriately.
How does an OpenID login work?
First, let’s see how using an OpenID works in terms of logging into your LuxSci WebMail account.
To set it up, you log in to LuxSci’s WebMail using your LuxSci username and password. You then go to My Profile and open the page where you can “Add an OpenID” to your account. You click the “Add an OpenID” link, specify your OpenID, and then authenticate yourself to your OpenID provider. If you authenticate successfully, your provider tells LuxSci that you are indeed authorized to use the OpenID you specified, and LuxSci associates that OpenID with your account.
The next time you want to log in to LuxSci’s WebMail, you can click the OpenID link on our Login page (or on any public page of our site) and repeat the process of specifying your OpenID and authenticating yourself. If your authentication succeeds, your OpenID provider tells LuxSci that you have logged in, and LuxSci looks up who you are based on the OpenID you entered. If it finds you, because you previously authorized use of this OpenID for logging into your account, you are logged in to your LuxSci WebMail account.
The key points of this process are:
- You have to authorize LuxSci to accept your OpenID for use in logging into your account ahead of time, before it can ever be used for such a purpose. Random unauthorized OpenIDs themselves have no ability to log anyone into LuxSci.
- Your OpenID itself is like a username and not like a password — it does not need to be secured or protected. Knowledge of your OpenID does not by itself compromise your security.
- LuxSci must communicate back and forth with your OpenID provider’s servers directly to verify if you have authenticated with them successfully and to read your contact information from them.
- Your LuxSci username and password are never used in an OpenID login scenario. Even if the security of the OpenID is poor, your LuxSci username and password are never sent over the Internet.
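The relying-party side of the process above, as an added example that is not LuxSci’s code: a simplified model of an OpenID 2.0 signed assertion (HMAC over the signed fields with a shared association secret) is verified, checked for replay, and only then mapped through the list of OpenIDs the user linked beforehand. The account names, URLs and the association secret are constructed for the example.

```python
import base64, hashlib, hmac

# Constructed relying-party state; the map is what the "Add an OpenID" step fills in.
AUTHORIZED_OPENIDS = {"https://alice.example-provider.net/": "alice"}
ASSOC_SECRET = b"constructed-association-secret"  # shared with the provider
RETURN_TO = "https://webmail.example.com/openid/return"
SEEN_NONCES = set()  # assertions this site has already accepted
SIGNED = ["op_endpoint", "return_to", "response_nonce",
          "assoc_handle", "claimed_id", "identity"]

def sign_fields(resp, signed, secret):
    """HMAC-SHA256 over the OpenID 2.0 'key:value\\n' form of the signed fields."""
    msg = "".join(f"{k}:{resp['openid.' + k]}\n" for k in signed)
    mac = hmac.new(secret, msg.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def make_assertion(claimed_id, nonce, secret=ASSOC_SECRET):
    """Simulate the provider's positive assertion (constructed test input)."""
    resp = {"openid.mode": "id_res",
            "openid.op_endpoint": "https://example-provider.net/server",
            "openid.return_to": RETURN_TO,
            "openid.response_nonce": nonce,
            "openid.assoc_handle": "assoc-1",
            "openid.claimed_id": claimed_id,
            "openid.identity": claimed_id,
            "openid.signed": ",".join(SIGNED)}
    resp["openid.sig"] = sign_fields(resp, SIGNED, secret)
    return resp

def verify_login(resp):
    """Return the account for a valid, unreplayed, pre-authorized OpenID, else None."""
    if resp.get("openid.mode") != "id_res":
        return None
    signed = resp.get("openid.signed", "").split(",")
    if not set(SIGNED).issubset(signed):
        return None  # a security-relevant field lies outside the signature
    try:
        expected = sign_fields(resp, signed, ASSOC_SECRET)
    except KeyError:
        return None
    if not hmac.compare_digest(expected, resp.get("openid.sig", "")):
        return None  # forged or tampered assertion
    if resp["openid.return_to"] != RETURN_TO:
        return None  # assertion was issued for a different site
    if resp["openid.response_nonce"] in SEEN_NONCES:
        return None  # replay of an assertion accepted earlier
    SEEN_NONCES.add(resp["openid.response_nonce"])
    # A valid assertion for an OpenID nobody linked still logs no one in
    return AUTHORIZED_OPENIDS.get(resp["openid.claimed_id"])
```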
So, how secure is the use of OpenID?
The security of OpenID rests on the security of the OpenID provider you are using. The “authentication” with your OpenID provider happens in your web browser, and the basic parameters of the provider’s interaction with LuxSci are well-defined, but several things are not guaranteed:
- There is no guarantee that the authentication is happening over a secure (SSL) connection. The connection could be insecure and any usernames or passwords that you send could be eavesdropped upon.
- The OpenID provider could use any means to authenticate you, from a simple username and password, to nothing at all, to much better controls like SSL certificates and hardware devices.
- If the OpenID provider’s servers are compromised, or if the provider is untrustworthy, then your OpenID credentials could be stolen, giving people access to all web sites that you have authorized to accept your OpenID as your login.
- Most OpenID providers allow you to “stay logged into” a web site by checking a checkbox. This means that if you close your browser and re-open it, you can re-log into that website via OpenID without re-authenticating. Additionally, most websites where you input your OpenID will remember your recently used OpenIDs for you to make it easier to login. While very convenient, this combination has the potential for someone who sits down at your computer to have very easy access to your recently used web sites.
What can you do to use OpenID Securely?
The first thing you should do is to make a considered choice of what OpenID provider to use. How much do you trust the security of their systems? What are the chances of them being compromised? If you have a login to a service like Yahoo, Google, AOL, Facebook, or MySpace, these all provide OpenIDs to their users; do you trust these logins enough to use them as your identity everywhere?
Here are some suggestions:
- Choose an OpenID provider that is known for security or which specializes in providing OpenIDs.
- Make sure that when you authenticate with the OpenID provider, it is always secure over SSL. This will certainly be the case if you choose your provider wisely, as in the first suggestion above.
- Do not have your OpenID provider “keep you logged in” if you are on a computer that might be used by other people.
- When you leave your computer, “Clear your cookies”. This will clear any saved OpenID settings and force fresh new logins next time you go to a site.
- If your OpenID provider supports it, use something other than a username and password for authenticating yourself. We’ll discuss some of these options, below.
- If the web sites that you are logging in to support it, disable access via username and password — so that the only way to get in is via your OpenID.
Going beyond usernames and passwords
Entering a username and password is the old standard way of logging into any web site. It is also the standard way to authenticate yourself to most OpenID providers. Usually, an OpenID provider is some web site where you already have an account (i.e. username and password) which “supports OpenID” so you can use that information to login to other sites.
Use of a username and password is fine. However, it has the standard problems … people can try to guess the password or maybe they find it written down somewhere or eavesdrop on an insecure connection. Once someone knows your username and password, they can login as you from anywhere.
Some OpenID providers offer alternate means of authenticating yourself for enhanced security. If you use one of these, it makes your logins to ALL OpenID-enabled sites that you use more secure, including LuxSci’s WebMail.
- Phone Call Verify: This service calls your cell phone number to verify your identity when you try to login. With phone call verify, only people with access to your phone can login as you.
  - myOpenID.com is a provider that supports this form of authentication.
- SSL Certificate: This method installs a small SSL client certificate in your web browser on your computer. With this certificate, you authenticate yourself merely by using that web browser on that computer — no password is needed. However, anyone else using your account on that computer could also have unfettered access to your logins. So, this is great, but only for computers that are not shared with others (and perhaps not good for laptops, which could be lost or stolen).
  - myOpenID.com is a provider that supports this form of authentication.
  - Verisign’s Personal Identity Portal also supports SSL Certificates.
- RSA Token: With an RSA SecurID token, you authenticate yourself both by entering a username and password and by typing in an alphanumeric code from a little security device, sometimes called a “fob”, where the code changes every minute. Without both knowledge of your password and possession of this token, no one can login as you. This is a form of two-factor authentication and is very secure.
  - Verisign’s Personal Identity Portal supports this, though you have to buy the token, of course.
- Secure ID Card or USB Token: With one of these devices, you authenticate yourself by having the device in your possession and connecting it to your computer when you want to login. This is very secure and can be combined with a password for two-factor authentication and strong hardware-based security.
  - TrustBearer is the leading company providing OpenIDs that work with such hardware devices. They also sell their own device.
- Biometrics: Perhaps the most secure way of authenticating is the use of biometrics. The most common way to do this is to have a USB device which reads your fingerprint and verifies it, so that only you can login to your OpenID.
  - TrustBearer supports this. The account is free. All you need is the fingerprint reader.
Conclusion
Use of OpenID provides a great deal of flexibility in that you can reduce the number of usernames and passwords you have to remember, giving you a single sign-on to many web sites. With fewer passwords to remember, a strong OpenID password that you change frequently, and judicious use of saving or not saving your login state at the OpenID provider, it should be easy to have login security as good as or better than what you have currently.
Many free OpenID accounts with well-respected OpenID providers give you enhanced security via SSL certificates or hardware devices. Use of these options goes a long way to securing your identity while eliminating passwords. All in all, you end up with more security, faster logins, and less of a headache managing multiple passwords.
In addition to the providers we have listed above, here are some links to other OpenID providers:
- OpenID.net’s List
- List of OpenID Providers from Wikipedia (includes other strong authentication providers).