OpenID with Strong Authentication

Extra tokens are convenient

Posted in human factor by Brian Kelly on May 1st, 2008

A couple weeks ago we announced a new feature that allows users to link multiple tokens to a single TrustBearer OpenID account. The original reason for doing this was to allow users to link a backup token to their account in case their primary token was lost.

I found another purpose for linking multiple tokens: convenience. I keep a keyboard with a few USB ports at the office. Every day I plug this keyboard into my laptop. I linked an additional token to my TrustBearer OpenID account and I keep this token plugged into my keyboard. Now, whenever I’m in the office I don’t need to go searching for my keys to log into an OpenID website.

Hardware that is built into our computers is much more convenient to use. I’m sure that Apple has increased video chatting with iSight cameras now included with every laptop they sell. For a while Dell has been including smart card readers in their business-class laptops. Many IBM & Lenovo ThinkPad laptops include a built-in biometric swipe sensor. Will we ever see a smart card reader in a MacBook? I doubt it. But that’s another conversation…

For those of you who have been issued a smart card, either from your company, government, or private institution, do you carry around a reader with you all the time? Has having the card convinced you to get a laptop with a built-in smart card reader? 


Mobile phone, wallet and keys

Posted in human factor by Brian Kelly on March 7th, 2008

These are three items that I carry with me, almost everywhere. Someday, this will be trimmed down to a single item. This morning, the TBLabs crew stumbled across an article that we are all very excited about.

Axel, we’d love to hear more about the phone, and how we could get one. Also, to your comments about no anti-phishing, please see our article on TrustBearer OpenID and Phishing. And on no-unlinkability, we’re working on some enhancements to the TrustBearer OpenID server, including linking & unlinking multiple tokens to an account. Exciting times. We’ll be out at the RSA Conference in April. Contact us if you’d like to meet up.

Edit: The original post referenced details about this project that I did not have permission to publish. They have been removed. My apologies, Axel.

Mobile phone smart card

How should we handle lost tokens?

Posted in human factor by Brian Kelly on February 22nd, 2008

TB & VW Keys

This has been a topic of discussion over the past week around the office. We are all using TrustBearer Keys with OpenID on a daily basis, and I’m doing my best to not lose or break my key. I finally decided to add my TB Key to my physical keychain. Would you believe it’s not the most expensive item on that ring? That Volkswagen key fob is a salty $180 to replace. I know. Crazy. That’s how much it costs for the dealer to copy it onto another fob. Just the key… Still almost $100!

That cost has been a really good reason for me not to lose my car key. But, it’s going to happen one of these days. And I’ll roll back to using the valet key. So, should we offer a TrustBearer Key backup service? Actually, that’s not possible. At least not with the current configuration of the TrustBearer Key. The 1024-bit RSA keypair is generated on the token, and this key cannot be exported. We could offer an escrowed version in the future… but do you really want us to have a copy of your private key?

Another option, suggested earlier this week, is to allow users to link multiple keys to a single OpenID account. Similar to escrowing the keys, this provides users with a backup. Except in this case, the user is in control. We could implement this in a reasonable amount of time. It provides a decent way for users to maintain high security of their account, and have a backup. But, there’s always the cost. Have I copied my VW key yet? Nope. ($100 for a key?!)

PayPal Key

VeriSign’s Personal Identity Provider allows users to link a One-Time Password token to their OpenID account. I gave this a try with my PayPal Security Key. It worked very well. I really liked the fact that I could recycle my PayPal OTP with VeriSign’s OpenID provider. VeriSign handles forgetting or losing a token with two options: sending a one-time PIN by either email (the default) or SMS. Linking my mobile phone was simple, and even though I’m not sure if it’s more secure than email, I preferred using the SMS method. But, the email option is the default and it cannot be disabled. Wait. I have a hardware token that greatly reduces the chance of someone guessing my password, but my email account is still a backdoor? Yup. I had this same thought when I clicked on the “I don’t have my PayPal Security Key” button when logging into PayPal. I understand that locking users out of their accounts is a bad thing, but any worthwhile malicious hacker is going to attack the weakest link: in this case, an email password.

TrustBearer OpenID works with higher security devices than OTP tokens like the PayPal Security Key. As a user of this service, I expect more than an email password to be thrown as an identity challenge if I lose my token. Is SMS the answer? As I mentioned earlier, it seems better, but I doubt it’s as secure as my non-exportable 1024-bit hardware key.

We could come up with a list of questions to which only the true owner will know the answers. How about 10 questions? 20? How many human-answerable questions are equivalent to the security of the hardware tokens we support? Sure, it’s going to be inconvenient, but that’s the point. I haven’t lost my VW key, because it is going to be extremely inconvenient to replace. But, I will shell out the $100, and go to the dealership (the only place that can copy the key) when I do lose it.
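As an added illustration of the two ideas above, linking several tokens to one account so a lost key can be revoked without any key escrow, and an account being only as strong as its weakest enabled recovery path, the following Python (written for this page, not TrustBearer’s or VeriSign’s code) models an OpenID account with toy on-token RSA keypairs. The key size, the assurance ranking and the unpadded textbook RSA are constructed for the example and are not how the real products work.

```python
import hashlib
import secrets

# Constructed ranking: how hard each access path is for an attacker to defeat.
ASSURANCE = {"hardware_token": 3, "sms_pin": 2, "email_pin": 1}

def is_probable_prime(n, rounds=20):
    # Miller-Rabin test; adequate for a toy key generator.
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, s = n - 1, 0
    while d % 2 == 0: d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n): return n

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

class Token:
    # Toy hardware key: the RSA keypair is made on the token and d is never exported.
    def __init__(self, bits=256):
        while True:  # e = 65537 is prime, so gcd(e, phi) == 1 iff phi % e != 0
            p, q = random_prime(bits // 2), random_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and phi % 65537: break
        self.n, self.e, self._d = p * q, 65537, pow(65537, -1, phi)
    def sign(self, nonce):  # textbook RSA over a hash, no padding: toy only
        return pow(digest(nonce) % self.n, self._d, self.n)

class Account:
    # One OpenID account with any number of linked tokens plus enabled fallback paths.
    def __init__(self):
        self.tokens, self.recovery = {}, set()  # label -> (n, e); fallback names
    def link_token(self, label, token):
        self.tokens[label] = (token.n, token.e)  # server keeps only the public half
    def unlink_token(self, label):
        del self.tokens[label]  # revoking a lost key is just dropping its public key
    def login(self, token):
        nonce = secrets.token_bytes(32)  # fresh server challenge per attempt
        sig = token.sign(nonce)
        return any(pow(sig, e, n) == digest(nonce) % n for n, e in self.tokens.values())
    def effective_assurance(self):  # the weakest enabled path bounds the whole account
        return min(ASSURANCE[p] for p in ("hardware_token", *self.recovery))
```

Linking a second key keeps the account at hardware-token assurance after the first is lost and unlinked; enabling an email fallback that cannot be turned off drops the whole account to email-password assurance, which is the backdoor described above.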

How inconvenient should we make recovering your access?
