TrustBearer OpenID selected as HealthVault provider
At a conference last week, it was announced that TrustBearer OpenID will be one of two OpenID providers for the Microsoft HealthVault platform:
TrustBearer Labs’ OpenID service will allow HealthVault users to log in securely to their account using multi-factor hardware authentication devices, such as smart cards, biometric readers, or security-enhanced mobile phones. The service uses challenge-response authentication to prevent common phishing and man-in-the-middle attacks, which are a growing concern of online service providers.
“Our objective is to give our customers choice and make their web experience easier, while helping them safeguard their privacy,” said George Scriban, senior product manager, Health Solutions Group, Microsoft. “We’re happy to be working with TrustBearer to give HealthVault users the option of using OpenID with their HealthVault account.”
Extra tokens are convenient
A couple weeks ago we announced a new feature that allows users to link multiple tokens to a single TrustBearer OpenID account. The original reason for doing this was to allow users to link a backup token to their account in case their primary token was lost.
I found another purpose for linking multiple tokens: convenience. I keep a keyboard with a few USB ports at the office. Every day I plug this keyboard into my laptop. I linked an additional token to my TrustBearer OpenID account and I keep this token plugged into my keyboard. Now, whenever I’m in the office I don’t need to go searching for my keys to log into an OpenID website.
Hardware that is built into our computers is much more convenient to use. I’m sure that Apple has increased video chatting with iSight cameras now included with every laptop they sell. For a while Dell has been including smart card readers in their business-class laptops. Many IBM & Lenovo ThinkPad laptops include a built-in biometric swipe sensor. Will we ever see a smart card reader in a MacBook? I doubt it. But that’s another conversation…
For those of you who have been issued a smart card, either from your company, government, or private institution, do you carry around a reader with you all the time? Has having the card convinced you to get a laptop with a built-in smart card reader?
Demo using the Belgian eID
One of our developers came across an interesting post from a user who recorded a screencast of authenticating to TrustBearer OpenID using his Belgian eID. We added support for the Belgian eID to TrustBearer OpenID last week. It is great to see people taking advantage of this support already. Thank you, Xavier, for taking the time to create this video.
Backup your account with multiple tokens
Today we’ve added support to link multiple tokens to the same account. Our first release of TrustBearer OpenID allowed each user to associate one token per account. This was by design for security and simplicity. If you lost your single token, you could no longer use your account.
We realized that it was only a matter of time until someone lost a token, or ran it through the washing machine. There was some discussion on the blog around how we should handle this case of lost tokens. Some ideas included sending an SMS message as a one-time unlock, answering a series of Q&A pairs, and mailing a token to a pre-determined physical address. While all of these recovery methods are interesting, they either reduced security (SMS, Q&A) or added privacy implications (mailing a recovery token).
The simple backup solution was to allow multiple tokens to be linked. To use this feature, sign in to your TrustBearer OpenID dashboard, connect an additional token to your computer, give your backup token a name and click Add Token.
You can add or remove as many tokens as you would like. Warning: You can also now “abandon” your account by removing all tokens associated with your account. We will not make that OpenID username available to anyone once an account is abandoned.
Give it a try and let us know what you think.
Mobile phone, wallet and keys
These are three items that I carry with me, almost everywhere. Someday, this will be trimmed down to a single item. This morning, the TBLabs crew stumbled across an article that we are all very excited about.
Axel, we’d love to hear more about the phone, and how we could get one. Also, to your comments about no anti-phishing, please see our article on TrustBearer OpenID and Phishing. And on no-unlinkability, we’re working on some enhancements to the TrustBearer OpenID server, including linking & unlinking multiple tokens to an account. Exciting times. We’ll be out at the RSA Conference in April. Contact us if you’d like to meet up.
Edit: The original post referenced details about this project that I did not have permission to publish. They have been removed. My apologies, Axel.
Fast support for the Finnish eID
Shortly after our launch of TrustBearer OpenID, a citizen of Finland tried to use his Finnish eID (FineID) with no success. We sent a request to Finland’s PRC and promptly received a small suite of sample cards. In less than 2 days of device coding and debugging, the FineID was added to the suite of supported devices.
This has turned out to be yet another great example of how TrustBearer Live makes it easy to tack on additional support without dealing with new software downloads and the headaches that brings.
If you run into any troubles using your FineID on our OpenID Provider, please let us know by contacting info@trustbearer.com.
Update: We currently support FineID Version 2 in both the “eID” and “organizational” profiles. We do not yet support Version 1 due to data model differences.
OpenID vs. i-names

It’s the season of political campaigns. And in this season, the vernacular of campaigning begins to swell into other areas, with front runners, presumptive nominees, comeback winners, and so forth.
For instance, we’ve learned recently that HD-DVD has dropped out of the HD format war; Blu-Ray is declared the apparent victor.
Well, in this same spirit, Paul at In Context analyzes the standards campaigning in the digital public identifier area, which at this point can be reduced to i-name vs. OpenID. In short, he finds that OpenID is not only running a better campaign, but really offers a better value:
OpenIDs offer something to people that i-cards don’t. Even run of the mill, freebie, URL-based OpenIDs give you a public identifier that you feel like you own. And the i-name flavor of OpenIDs give you a public identifier that you really do own cuz you’re not locked in to a particular OpenID provider.
OpenID is the winning, lightweight, technology for public, low-value transactions.
- Why winning? The OpenID community blended together the three competing lightweight technologies (LID, OpenID, and i-names) into a unified specification, community, code, and foundation.
- Why public? Because the appealing notion of having an OpenID URI that’s mine (e.g. “=paul.trevithick”) also has the side-effect of projecting the same identifier to every relying site allowing me to be easily tracked. To be fair, there is a “directed identity” feature of OpenID that I can use to prevent this–I can just type in the URI of my OpenID OP instead. But I still think the perception is that an OpenID is mostly public.
- Why low-value? Because its simple and lightweight architecture does not incorporate a client component, end-to-end crypto, anti-phishing protection, etc. necessary to support higher value transactions and other privacy-enhancing features. But it’s great for logging in to blogs, etc.
Now, if OpenID does become the de facto public identifier, i-names would be an apt potential running mate.
How should we handle lost tokens?
This has been a topic of discussion over the past week around the office. We are all using TrustBearer Keys with OpenID on a daily basis, and I’m doing my best to not lose or break my key. I finally decided to add my TB Key to my physical keychain. Would you believe it’s not the most expensive item on that ring? That Volkswagen key fob is a salty $180 to replace. I know. Crazy. That’s how much it costs for the dealer to copy it onto another fob. Just the key… Still almost $100!
That cost has been a really good reason for me not to lose my car key. But, it’s going to happen one of these days. And I’ll roll back to using the valet key. So, should we offer a TrustBearer Key backup service? Actually, that’s not possible. At least not with the current configuration of the TrustBearer Key. The 1024-bit RSA keypair is generated on the token, and this key cannot be exported. We could offer an escrowed version in the future… but do you really want us to have a copy of your private key?
Another option, suggested earlier this week, is to allow users to link multiple keys to a single OpenID account. Similar to escrowing the keys, this provides users with a backup. Except in this case, the user is in control. We could implement this in a reasonable amount of time. It provides a decent way for users to maintain high security of their account, and have a backup. But, there’s always the cost. Have I copied my VW key yet? Nope. ($100 for a key?!)
VeriSign’s Personal Identity Provider allows users to link a One-Time Password token to their OpenID account. I gave this a try with my PayPal Security Key. It worked very well. I really liked the fact that I could recycle my PayPal OTP with VeriSign’s OpenID provider. VeriSign handles forgetting or losing a token with two options: By either using email (default) or SMS to send a one-time PIN. Linking my mobile phone was simple, and even though I’m not sure if it’s more secure than email, I preferred using the SMS method. But, the email option is the default and it cannot be disabled. Wait. I have a hardware token that greatly reduces the chance of someone guessing my password, but my email account is still a backdoor? Yup. I had this same thought when I clicked on the “I don’t have my PayPal Security Key” button when logging into PayPal. I understand that locking users out of their accounts is a bad thing, but any worthwhile malicious hacker is going to attack the weakest link: in this case, an email password.
TrustBearer OpenID works with higher security devices than OTP tokens like the PayPal Security Key. As a user of this service, I expect more than an email password to be thrown as an identity challenge if I lose my token. Is SMS the answer? As I mentioned earlier, it seems better, but I doubt it’s as secure as my non-exportable 1024-bit hardware key.
We could come up with a list of questions to which only the true owner will know the answers. How about 10 questions? 20? How many human-answerable questions are equivalent to the security of the hardware tokens we support? Sure, it’s going to be inconvenient, but that’s the point. I haven’t lost my VW key, because it is going to be extremely inconvenient to replace. But, I will shell out the $100, and go to the dealership (the only place that can copy the key) when I do lose it.
How inconvenient should we make recovering your access?
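The backup model argued for here and in the earlier “Backup your account with multiple tokens” post, as an added example that is not TrustBearer’s code: a provider-side account record that accepts a signed challenge from any linked token, consumes the nonce so a captured signature cannot be replayed, and reports when the last token is removed so the username can be retired. Go’s standard-library RSA stands in for the on-token key; the Account type, SignChallenge and the token labels are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Account is the provider-side record from the posts: any linked token may answer
// a challenge, so a backup covers a lost primary. Constructed example, not TrustBearer code.
type Account struct {
	keys  map[string]*rsa.PublicKey // token label -> public key
	nonce []byte                    // outstanding challenge, nil if none
}

// LinkToken registers a first or backup token under a user-chosen label.
func (a *Account) LinkToken(label string, pub *rsa.PublicKey) {
	if a.keys == nil {
		a.keys = map[string]*rsa.PublicKey{}
	}
	a.keys[label] = pub
}

// RemoveToken unlinks a lost token; true means it was the last one, so the account is abandoned.
func (a *Account) RemoveToken(label string) (abandoned bool) {
	delete(a.keys, label)
	return len(a.keys) == 0
}

// Challenge issues a fresh random nonce for one of the linked tokens to sign.
func (a *Account) Challenge() []byte {
	a.nonce = make([]byte, 32)
	rand.Read(a.nonce)
	return a.nonce
}

// Authenticate accepts a signature over the outstanding nonce from any linked
// token and consumes the nonce, so a captured signature cannot be replayed.
func (a *Account) Authenticate(sig []byte) bool {
	if a.nonce == nil {
		return false
	}
	h := sha256.Sum256(a.nonce)
	a.nonce = nil
	for _, pub := range a.keys {
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil {
			return true
		}
	}
	return false
}

// SignChallenge is the on-token step: the private key never leaves the device.
func SignChallenge(priv *rsa.PrivateKey, c []byte) []byte {
	h := sha256.Sum256(c)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return sig
}
```

Note that there is deliberately no e-mail or SMS path into Authenticate: without a linked token nothing gets in, which is the trade-off the post describes.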
New devices to be supported soon
We have a growing feature list from users of our OpenID by TrustBearer. If you have a feature you would like to see, send us an email at info@trustbearer.com. We’re really excited about our TrustBearer platform and how quickly and easily we can support new devices. We will soon be releasing support for Advanced Card Systems (ACS) cards and tokens as well as a couple of others that we will announce later. Stay tuned.
We have enough OpenID providers?
Aaron Topance on big league OpenID providers that don’t accept OpenIDs from other providers:
There seems to be a trend, as of recently, for large companies to become OpenID providers, but not allow logging into their service with your OpenID account. The trend I’m noticing is everyone wants to be a provider, but no one wants to support OpenID logins. Well, not “no one”, but not the major players. Consider the following major corporations or web sites that are OpenID providers:
- America Online
- Orange
- LiveJournal and Vox
- WordPress.com
- Yahoo!
- Blogger
- Verisign
- … and more
Supposedly, news has hit the front that Microsoft will be supporting OpenID as a provider, and rumors have it that your GMail account can be used as an OpenID identity. But what about logging into these providers with an existing identity? Here’s the question posed: Can I login to AOL, or create an AOL account, with an already existing OpenID identity? What about LiveJournal? WordPress? Yahoo!? Blogger? etc.
Killer App for OpenID
There’s an interesting discussion on Mark Evans’ blog about the potential of a killer application for OpenID:
One of the biggest challenges facing OpenID is it’s a solution (universal identity management) looking for a problem to solve.
Sure, it’s a pain having to remember different usernames and passwords (unless you lazily use the same ones for everything) but most people don’t see it as a huge issue, which means OpenID has failed to gain much traction. And to be frank, that won’t change much even with major players such as Google, Yahoo and AOL starting to climb on the OpenID bandwagon recently.
One of the applications Evans points to with some enthusiasm is PageOnce, which is a universal dashboard for the web.
Yahoo Offers OpenID a Compelling Business Case
Johannes Ernst discusses the business ramifications of Yahoo joining the OpenID space:
Instead of being a technical curiosity, web businesses can now assume that the majority of their visitors have an OpenID. Okay, Yahoo and AOL and Blogger and all of the existing implementations don’t add up to more than 50% of internet users, but you can bet that more telcos become OpenID providers for their broadband customers, as Orange showed, and that all major internet portals, Microsoft and Google included, will offer OpenIDs with each of their accounts shortly. (It’s easy for them to do, and they don’t want to lose even one of their subscribers for the reason that they didn’t add a small bit of code to their site, that, boy, might even benefit them strategically, and not just create competitive parity.) It’s a very safe assumption for web businesses that by the time they can do anything about OpenID, regardless how fast they move, more than 50% of their visitors will have an OpenID, and Yahoo!’s move yesterday made that a virtual certainty.
Portable Social Networking
As OpenID gains recognition, how will other standards be developed to cooperate with decentralized single-sign-on?
Scott Kveton considers portable social networking and solutions that make it viable along side OpenID:
Social network fatigue is getting worse with every new site that comes along and it doesn’t have to. I should be able to sign up for a site with my OpenID and be prompted to import my contacts/friends accordingly. Ideally I could import them based on some criteria or tag; friends, colleagues, co-workers, etc. In the very near future, you won’t go to social networking sites to interact with your friends … every single site will have social networking built in.
There are a couple of solutions coming down the line. Tom and the folks at Barnraiser have been working on a portable social network solution that is based on OpenID. Videntity and claimID have also been working on ways to share contacts based on XFN. Both of these solutions adhere strictly to the limited format defined for XFN. These solutions suffer from the fax problem; faxes weren’t interesting until everybody had them … so how did they take off? There are also several other efforts as well.
Kveton’s post also touches on an interesting profile exchange protocol for OpenID, SREG.
TrustBearer Thwarts Phishing & Man-In-The-Middle Attacks
We designed TrustBearer OpenID to thwart phishing and man-in-the-middle attacks. We do this through a site verification scheme that occurs in the plugin. It is done with PKI and also allows the issuer to delegate trust to other third parties. Ultimately you get the best of all scenarios - simpler usage by reducing passwords, strong user authentication, and reduced exposure to phishing and man-in-the-middle attacks.
Using TrustBearer OpenID on Linux
Using TrustBearer OpenID on Linux is easy.
Doing so requires PC/SC Lite: most distributions include this package, for example as “pcscd” (Debian / Ubuntu) or “pcsc-lite” (Red Hat / Fedora).
First install, then start the service with “/etc/init.d/pcscd start” (Debian / Ubuntu) or “service pcscd start” (Red Hat / Fedora). To use the TrustBearer Security Key, first download the drivers for the ASEDriver IIIe Reader USB from Athena Smartcard Solutions and extract the files. Run “./configure” followed by “make” and “make install”. You will need the PC/SC Lite development files, usually provided by the distro in a separate package. You will need to restart PC/SC after installation, then just plug the key into a USB port.
(Note: these instructions are for x86 architectures; using another architecture like AMD64 is possible, but requires the use of 32-bit versions of PC/SC Lite and Firefox, plus some more work.)
Drupal with OpenID Support
The well-known open source content management system (CMS), Drupal, has released its 6.0 version, which includes built-in support for the OpenID 2.0 specification.
Given Drupal’s CMS supremacy, we will likely see many more blogs and websites accepting OpenID in the near future.
It is also worth noting the work of JanRain in developing the previous OpenID support in Drupal.
Demonstration of OpenID with a Hardware Token
Technology and Design of TrustBearer OpenID
Secure OpenID with TrustBearer Released
In an effort to improve user security and convenience with online applications, TrustBearer Labs has released a secure OpenID service combined with its TrustBearer Access software that eliminates the risk of using multiple passwords across multiple sites while providing a central and secure way for users to log in. The system leverages authentication devices such as smart cards, USB tokens, and fingerprint biometrics to provide advanced security and convenience.
As with OpenID, TrustBearer’s products provide users with a clean experience using credentials and digital identities with everyday services and applications. It requires no middleware software but rather works through the web browser on Windows, Mac, and Linux platforms - making it instantly deployable. TrustBearer leverages existing authentication devices, including the already over 6 million deployed Common Access Cards and PIV smart cards issued by the US and foreign governments with planned support for a variety of other national and government ID cards.
OpenID is an open architecture identity platform that allows users to have one ID which they use across a variety of online websites. While still in its adoption phase, the OpenID standard is steadily recognized by industry leaders such as Yahoo, AOL, and others. There are approximately 10,000 web sites and services that support OpenID and its growth and importance will continue.
More information on OpenID with TrustBearer, including information on obtaining a TrustBearer Security Key for use with OpenID, can be found at: https://openid.trustbearer.com
About TrustBearer Labs
TrustBearer Labs delivers adaptive and effective identity solutions by creating software that simplifies and extends the use of authentication credentials. With over 10 years’ experience developing applications in government, consumer, and health care, TrustBearer Labs is a recognized expert in making strong authentication and security simpler and more effective.
