Let me in…

I currently considering going to both an OpenID/Two-Factor Authentication system. I know that Verisign offers PIP which is a “Personal Identity Portal” that incorporates (OpenID + Two Factor Auth via Phone and/or KeyFob).

I’ve seen the writing on the wall, being a consumer of online services (and IT consultant), I know that I have to manage hundreds of ID/Password pairs, being involved with computer security, I know that I need to be using “Passphrases” of varying complexity. So now we have have the age old conflict between “Security vs Convenience”. With the world we live in, I know that convenience (almost) ALWAYS wins out in the end (even if that means the people stop using the service). I also know the realities of current (and possibly future) web technology and how easy it is to get a users password (guessing, brute-force, man-in-the-middle, key-logging, and the oh-so-easy: social engineering), so this almost forces us to assume that the password is always insecure, and the only way to mitigate that fact (in my eyes) is to start widely adopting two-factor (or more) authentication. Yes, it is still vulnerable to social engineering, but it does make it much harder, and the authentication pair is only useful once.

If you have a PayPal account, you can order their $5 dollar keyfob, and then register it with VeriSign and use it with their PIP system. Now you have a pretty secure login system to any provider that supports OpenID. You can find a good article about it here: http://systembash.com/content/using-the-paypal-verisign-security-key-with-openid-for-two-factor-authentication/

Leave a Reply