Strong Authentication and Risk-Based Access Control Would Reduce OpenID Worries

Many of you may have read this post from Gerry Beuchelt of Sun talking about how to protect Sun employees using their OpenID R&D project.

Among the advice: make sure your systems are patched, verify that your ISP's DNS is working properly, and double-check the hostname of your OpenID provider.

That is a tall order even for the most technical people. I mean I'm a geek among geeks and I don't think I could accomplish those steps.

But it does give me an opportunity to write about how strong authentication and risk-based access control could help here. Currently we have a product (Oracle Adaptive Access Manager) that provides both functions.

OAAM allows you to use a virtual keypad to enter username and password credentials. This virtual keypad includes features such as a background image that you chose (or that is chosen for you in an internal environment). It also shows a timestamp and a key phrase in the image, and the image moves every time it is refreshed. The keypad can also be virtualized (e.g. driven by your mouse), which makes it darn near impossible for a keyboard logger to capture your password.

If more OpenID providers used something like OAAM, it would be much harder for a rogue OpenID provider to pass itself off as the legitimate one, because a fake login page cannot reproduce the personalized image, phrase and timestamp the user expects to see.

Additionally, risk-based access control (another OAAM feature) would help OpenID relying parties make better access control decisions for a linked OpenID. For example, based on prior activity it could assign risk factors (e.g. normally you access from an IP in Dallas, but now we're seeing access from an IP in Outer Elbonia, so maybe we should have a customer care rep call you before moving that money).
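To make the "Dallas versus Outer Elbonia" idea concrete, here is an added example of a minimal risk engine of the kind a relying party could run on each federated login. It is illustration code written for this post, not OAAM's or Oracle's implementation, and everything in it is constructed: the IP ranges and the `GEO_TABLE` that stands in for a real geolocation lookup, the login history, the factor weights and the decision thresholds. It goes a little beyond the post's single example by also scoring an unfamiliar device, an off-hours login and "impossible travel" (two distant locations too close together in time), and it shows why failed attempts must be kept out of the baseline.

```python
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP lookup (prefix -> (city, country)).
# Assumption: a real deployment queries a geolocation database instead.
GEO_TABLE = {
    "203.0.113.": ("Dallas", "US"),
    "192.0.2.": ("Austin", "US"),
    "198.51.100.": ("Outer Elbonia", "EL"),
}

# Constructed factor weights and thresholds (hypothetical policy values).
NEW_CITY, NEW_COUNTRY, NEW_DEVICE, IMPOSSIBLE_TRAVEL, OFF_HOURS = 40, 30, 20, 50, 10
STEP_UP_AT, HOLD_AT = 30, 70
TRAVEL_WINDOW = timedelta(hours=2)   # two cities inside this window is suspicious

# Constructed login history for one hypothetical federated identity.
# ok=False marks a failed attempt; it must never feed the "normal" baseline,
# otherwise an attacker could teach the engine that Outer Elbonia is normal.
HISTORY = [
    {"ts": datetime(2008, 8, 1, 9, 5),   "ip": "203.0.113.10",  "device": "dev-A", "ok": True},
    {"ts": datetime(2008, 8, 4, 14, 20), "ip": "203.0.113.22",  "device": "dev-A", "ok": True},
    {"ts": datetime(2008, 8, 10, 23, 0), "ip": "198.51.100.5",  "device": "dev-X", "ok": False},
    {"ts": datetime(2008, 8, 12, 2, 30), "ip": "203.0.113.10",  "device": "dev-B", "ok": True},
]


def geolocate(ip):
    """Map an IP to (city, country) using the constructed table."""
    for prefix, location in GEO_TABLE.items():
        if ip.startswith(prefix):
            return location
    return ("unknown", "??")


def score_login(history, event):
    """Return (score, reasons) for a login event against the user's prior successful logins."""
    prior = [h for h in history if h["ok"] and h["ts"] < event["ts"]]
    if not prior:
        return 0, ["no baseline yet"]      # first login: nothing to compare against
    seen_cities = {geolocate(h["ip"])[0] for h in prior}
    seen_countries = {geolocate(h["ip"])[1] for h in prior}
    seen_devices = {h["device"] for h in prior}
    city, country = geolocate(event["ip"])
    score, reasons = 0, []

    if city not in seen_cities:
        score += NEW_CITY
        reasons.append(f"new city: {city}")
        if country not in seen_countries:
            score += NEW_COUNTRY
            reasons.append(f"new country: {country}")
    if event["device"] not in seen_devices:
        score += NEW_DEVICE
        reasons.append(f"new device: {event['device']}")
    # Impossible travel: most recent successful login was elsewhere, too recently.
    last = max(prior, key=lambda h: h["ts"])
    if geolocate(last["ip"])[0] != city and event["ts"] - last["ts"] < TRAVEL_WINDOW:
        score += IMPOSSIBLE_TRAVEL
        reasons.append(f"impossible travel from {geolocate(last['ip'])[0]}")
    if not 7 <= event["ts"].hour < 21:
        score += OFF_HOURS
        reasons.append("off-hours login")
    return score, reasons


def decide(score):
    """Map a score to an access decision the relying party can act on."""
    if score < STEP_UP_AT:
        return "allow"
    if score < HOLD_AT:
        return "step-up"          # e.g. ask for a second factor before proceeding
    return "hold-and-alert"       # block the sensitive action and notify a human


def evaluate(ts_iso, ip, device, history=HISTORY):
    """Convenience wrapper: ISO timestamp in, (score, reasons, decision) out."""
    event = {"ts": datetime.fromisoformat(ts_iso), "ip": ip, "device": device}
    score, reasons = score_login(history, event)
    return score, reasons, decide(score)


if __name__ == "__main__":
    for args in [("2008-08-12T10:00", "203.0.113.10", "dev-A"),    # usual Dallas login
                 ("2008-08-12T10:00", "192.0.2.7", "dev-A"),       # new city, same country
                 ("2008-08-12T03:10", "198.51.100.77", "dev-C")]:  # the Outer Elbonia case
        print(args, "->", evaluate(*args))
```

The first event scores 0 and is allowed; the Austin login earns only the new-city factor and is sent to step-up; the Outer Elbonia login, 40 minutes after a Dallas login, from a new device and at 3 a.m., accumulates every factor and is held for a customer care call. The weights are policy, not science: what matters is that each factor is explainable in the returned `reasons`, so the person who gets the alert can see why.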

These same principles could also be applied to any other federation scenario, including SAML or Liberty based federation like we provide via Oracle Identity Federation.

Of course OAAM has benefits within enterprises that are not using OpenID or SAML, but I just wanted to point out some tangible steps people could take to help secure OpenID beyond training people to become DNS engineers.

Comments:

Mark, isn't this the old Sxip/Identity 2.0 idea? You make some good highlights about DNS attacks being a vulnerability for this approach: it removes all layers of protection. What I don't get is how adoption is going to work. The US Government produced an Identity Federation collaboration approach called eAuthentication, and it has seen growing levels of adoption, primarily because, well, it is the US Government. Maybe I'm missing something here, but how is this not the same thing as collaborative federation?

Posted by Joe Solinsky on August 11, 2008 at 11:38 PM PDT

I've been talking about OAAM since OOW 2007 when it was just acquired and I think it's a brilliant product. I can only hope that the risk analysis engine can somehow be incorporated and/or integrated with other Oracle products (like Database, App Server) more closely in the coming months/years. My presentation and whitepaper on this product are online at http://www.dannorris.com/professional-activities/

Posted by Dan Norris on August 19, 2008 at 11:41 PM PDT
