Implications of OpenID - Google Tech Talk
July 10, 2007
The embedded video comes from a Google Tech Talk given by Simon Willison.
From the abstract:
Simon Willison: OpenID is an emerging standard that provides simple, decentralised authentication for the Web. OpenID follows the Unix philosophy, solving one small problem rather than attempting to tackle the many larger challenges posed by online identity. This talk will explore the implications of OpenID, and explore the best practices required to take advantage of this new technology while avoiding the potential pitfalls.
Tags: authentication, decentralized, google, google tech talks, identity, identity management, open id, openid, password, passwords, simon willison, standard, unix, willison
Password-less SSH Login
May 8, 2006 | 14 Comments
On occasion I need to establish trust relationships between Unix boxes so that I can script file transfers. In short, here’s how you leverage SSH to do that. Using the example of connecting from server ‘ender’ to fetch a file from ‘bean’, follow these steps:
- Connect to ender
- type: ssh-keygen -t rsa
- the default directory for the key files will be ~/.ssh/
- if you do not want to be prompted for a passphrase on every connection, leave the passphrase blank
- copy the contents of .ssh/id_rsa.pub (there should only be one line)
- place this line on bean, in ~/.ssh/authorized_keys
- that’s it, you should now be able to ssh/sftp/scp from ender to bean without being prompted for a password!
For further detail and a more complete example check this site out.
Update: You must have "RSAAuthentication yes" in your /etc/ssh/sshd_config file. On many Linux installations this setting is commented out in a default install.
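Two checks that cover the places where this procedure usually goes wrong, as an added example that is not code from the original post: the pasted id_rsa.pub must be exactly one well-formed line, the key must land in authorized_keys with the permissions sshd’s StrictModes requires (0700 on ~/.ssh, 0600 on the file), and the sshd_config question is about the value sshd actually uses, since a commented-out line leaves the compiled-in default in force and the first uncommented occurrence of a keyword wins. RSAAuthentication governed protocol 1 keys; for protocol 2 keys the directive is PubkeyAuthentication. KNOWN_KEY_TYPES, SAMPLE_PUBKEY and the function names below are mine, and the sample key blob is constructed, not a real key.

```python
"""Checks for a password-less SSH setup: one-line public key, idempotent
install with correct permissions, and the effective sshd_config value."""
import base64
import binascii
import os
import tempfile
from pathlib import Path

KNOWN_KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}

# Constructed sample: valid base64, but not a real key blob.
SAMPLE_PUBKEY = ("ssh-rsa "
                 + base64.b64encode(b"constructed-sample-blob").decode("ascii")
                 + " ender-user@ender")


def validate_pubkey_line(text: str) -> str:
    """Return the normalised key line or raise ValueError.

    A wrapped paste or a stray second key is the usual reason sshd rejects
    the file without saying why, hence the 'exactly one line' rule.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError(f"expected exactly one key line, found {len(lines)}")
    parts = lines[0].split()
    if len(parts) < 2 or parts[0] not in KNOWN_KEY_TYPES:
        raise ValueError("line does not start with a recognised key type")
    try:
        base64.b64decode(parts[1], validate=True)
    except binascii.Error as exc:
        raise ValueError("key blob is not valid base64") from exc
    return " ".join(parts)


def is_valid_pubkey_line(text: str) -> bool:
    try:
        validate_pubkey_line(text)
        return True
    except ValueError:
        return False


def install_authorized_key(auth_path, keyline: str) -> bool:
    """Append keyline to authorized_keys unless already present.

    Returns True if the key was added, False if it was already there.
    Permissions are reset every time: with StrictModes (the default) sshd
    ignores the file when it or ~/.ssh is writable by group or others.
    """
    auth_path = Path(auth_path)
    keyline = validate_pubkey_line(keyline)
    auth_path.parent.mkdir(parents=True, exist_ok=True)
    os.chmod(auth_path.parent, 0o700)
    existing = auth_path.read_text().splitlines() if auth_path.exists() else []
    added = keyline not in existing
    if added:
        with auth_path.open("a") as fh:
            fh.write(keyline + "\n")
    os.chmod(auth_path, 0o600)
    return added


def effective_sshd_setting(config_text: str, directive: str, default=None):
    """Value sshd uses for `directive`, or `default` if it is never set.

    Rules from sshd_config(5): '#' lines are comments, keywords are
    case-insensitive, 'Key value' and 'Key=value' are both accepted, and the
    first obtained value for each keyword is used. Directives after the
    first Match block are conditional, so the scan stops there.
    """
    want = directive.lower()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key == want:
            return parts[1].strip() if len(parts) > 1 else default
    return default


def demo() -> dict:
    """Install the sample key twice in a scratch directory and report."""
    with tempfile.TemporaryDirectory() as tmp:
        auth = Path(tmp, ".ssh", "authorized_keys")
        first = install_authorized_key(auth, SAMPLE_PUBKEY + "\n")
        second = install_authorized_key(auth, SAMPLE_PUBKEY)
        return {
            "first_install": first,
            "second_install": second,
            "key_count": len(auth.read_text().splitlines()),
            "dir_mode": os.stat(auth.parent).st_mode & 0o777,
            "file_mode": os.stat(auth).st_mode & 0o777,
        }


if __name__ == "__main__":
    print(demo())
    sample_cfg = "#RSAAuthentication yes\nPubkeyAuthentication no\n"
    print(effective_sshd_setting(sample_cfg, "PubkeyAuthentication", "yes"))
```

To audit a real server, read /etc/ssh/sshd_config into `effective_sshd_setting` and pass the compiled-in default (`yes` for PubkeyAuthentication) as the third argument; a commented line then correctly reports the default rather than "missing".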
Tags: authentication, keygen, linux, pass phrase, password, scp, sftp, solaris, ssh, system administration, unix
Leveraging Varying Level of Assurance
March 9, 2006 | 2 Comments
In higher education we all seem to struggle, at least a bit, with coupling together our many varied web services and applications. Part of the difficulty, as I see it, is that the services we deliver vary widely in how secure they need to be.
A common reaction to this is to lock things down tightly, requiring your users to reauthenticate on a regular basis to access even the most trivial of services. In this situation users feel encumbered by the security and are less satisfied using these services. Face it, who doesn’t love sites that know who we are and let us do the things we expect when we go back? (ex. Wordpress, Gmail, Flickr, Amazon, etc)
For the purposes of this article, I am defining level of assurance as how sure we are that the user on the other end of the browser is who we think they are.
I imagine an ideal situation where we identify a required level of assurance for each service, then check against an appropriate indicator.
A preliminary structure for varying levels of assurance:
| LOA | Who/How? | Example Services |
|---|---|---|
| Level 0 | Anonymous | Homepage, various public facing pages, etc |
| Level 1 | Long term cookie | Targeted Announcements, News Reader, Personalized Content, Bookmarks, etc |
| Level 2 | Active browser session or desktop domain login | Email, Learning Management System, Calendar, Groups Tool, etc |
| Level 3 | 30 minute session | Financial Information, Grades, Address Information, etc |
| Level 4 | Every usage | Password change, others? |
In this scenario, users would be asked for credentials less frequently for less secure needs. This in turn encourages them to use many of these types of applications more frequently. In those less secure applications, “ticklers” can be placed encouraging them to register for classes, update address information, or check in on classes in the learning management system all as appropriate. This allows us to draw users into the more secure areas just like Amazon draws us into making a purchase, but always allows us to place things in our shopping cart.
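The table above turned into a step-up decision, as an added example that is not part of the original post: a session records how it was established, each service declares the level it needs, and `decide()` either serves the request or names the step the user must take first. The 30-minute window and the "every usage" rule come from the table; the indicator names, service keys and the constructed sessions are mine.

```python
"""Level-of-assurance step-up check built from the LOA table."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

LEVEL_3_WINDOW = timedelta(minutes=30)   # "30 minute session"

# Required LOA per service, from the table's "Example Services" column.
SERVICE_LOA = {
    "homepage": 0, "public_page": 0,
    "announcements": 1, "news_reader": 1, "bookmarks": 1,
    "email": 2, "lms": 2, "calendar": 2, "groups": 2,
    "financial": 3, "grades": 3, "address": 3,
    "password_change": 4,
}


@dataclass(frozen=True)
class Session:
    long_term_cookie: bool = False                # Level 1 evidence
    active_login: bool = False                    # browser session or desktop domain login
    authenticated_at: Optional[datetime] = None   # when credentials were last entered


def assurance_level(session: Session, now: datetime,
                    credentials_presented: bool = False) -> int:
    """Highest level the session evidence supports at time `now`."""
    if credentials_presented:
        return 4          # Level 4: credentials accompany this very request
    if session.active_login:
        recent = (session.authenticated_at is not None
                  and now - session.authenticated_at <= LEVEL_3_WINDOW)
        return 3 if recent else 2
    if session.long_term_cookie:
        return 1
    return 0


def decide(service: str, session: Session, now: datetime,
           credentials_presented: bool = False) -> str:
    """'allow', or the step the user must take first: 'login' when there is
    no active session, 'reauthenticate' when there is one but it is older
    than the Level 3 window or the service demands credentials every time."""
    required = SERVICE_LOA[service]
    have = assurance_level(session, now, credentials_presented)
    if have >= required:
        return "allow"
    return "reauthenticate" if have >= 2 else "login"


# Constructed sessions at a fixed instant so the example is deterministic.
NOW = datetime(2006, 3, 9, 12, 0, tzinfo=timezone.utc)
SESSIONS = {
    "anonymous": Session(),
    "cookie_only": Session(long_term_cookie=True),
    "fresh_login": Session(long_term_cookie=True, active_login=True,
                           authenticated_at=NOW - timedelta(minutes=10)),
    "stale_login": Session(long_term_cookie=True, active_login=True,
                           authenticated_at=NOW - timedelta(minutes=45)),
}


if __name__ == "__main__":
    for name, sess in SESSIONS.items():
        for svc in ("homepage", "news_reader", "email", "grades", "password_change"):
            print(f"{name:12s} {svc:16s} {decide(svc, sess, NOW)}")
```

The point of returning a distinct action rather than a bare deny is that the portal can send a cookie-only user to the login page while a user with a stale session gets a lightweight re-prompt and keeps their place; that is what lets the "ticklers" in the low-assurance applications lead into the high-assurance ones without the user being logged out along the way.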
Tags: browser, higher education, identity, identity management, level of assurance, loa, password, portal, session
NERCOMP: Identity Management SIG
September 27, 2005 | 38 Comments
Yesterday we attended the NERCOMP Identity Management Workshop at the College of the Holy Cross.
Steve Carmody of Brown University explained an ideal infrastructure including a reminder for me to review “Identifiers, Authentication, and Directories: Best Practices for Higher Education” by Internet2. Carmody had a lot of great things to say, giving a solid overall update of how Internet2 and MACE are coming along with Shibboleth, Grouper, Signet, and various other initiatives. He also pointed me at Sun’s XACML Implementation which is very interesting.
Christopher Misra of UMass Amherst and Robert Banz of UMBC both presented on their current IdM initiatives. They both seem to have established IdM infrastructures which need one enhancement or another.
The final time slot was a general group discussion. I took this opportunity to ask how schools are establishing and maintaining credentials remotely. No one had an ideal answer; I suggested our current proposal and no one seemed to have any criticisms. One person suggested that maybe we don’t need as secure a system as we’re proposing merely to secure someone’s email. My reply was that in a federated world with connections to the federal PKI bridge, InCommon services, and more, we are securing far more than email. It is our responsibility to have as high a level of assurance as possible.
Tags: authentication, authorization, credentials, grouper, higher education, identity, identity management, internet2, MACE, NERCOMP, password, passwords, shib, shibboleth, signet, xacml
Authentication Definition
September 26, 2005 | 5 Comments
According to Internet2, authentication or AuthN is defined as:
Authentication is the process of establishing whether or not a real-world subject is who or what its identifier says it is. Identity can be proven by:
- Something you know, like a password
- Something you have, as with smartcards, challenge-response mechanisms, or public-key certificates
- Something you are, as with positive photo identification, fingerprints, and biometrics
Once again, this is a nice concise definition. It’s good to have these clearly defined to eliminate any confusion or debate when discussing them, similar to what I did with my “Single Sign-On Definition” post.
Tags: authenticate, authentication, authn, biometrics, challenge-response, definition, fingerprints, identity management, internet2, middleware, password, passwords, smartcards
Establishing and Securing Identity in a Distributed World
September 2, 2005 | 10 Comments
We have found ourselves in an interesting position. We need to establish, ensure, and maintain identity with remote users without ever exchanging SSN or other highly confidential identifiers or information. Popular solutions include security questions, requiring an initial email address, authoritative remote identity providers (ex. notary), or physical presence. First let me debunk each of these for our environment.
Security questions:
- limiting questions to a predetermined set makes it easier to guess answers automatically.
- with increased personal information becoming available online, personal questions may have answers easily found.
- open questions often lead to simple question/answer combinations (ex. what color is the sky? blue.)
Initial email address:
- we provide email accounts as a service, requiring an email account to get an email account is laughable
- expired or abandoned accounts are a dead end for ongoing use
Remote identity providers:
- time consuming and cumbersome for the user
- costly for the user
- much manual work
- difficult globally
Physical presence:
- could be time consuming
- online education implies never needing to come to campus
- difficult globally
- not remote, if they have to come here
One potential solution in this space is Faces. This is also potentially cumbersome and the cost is unknown.
Now let me present our solution.
Upon account creation at the institution (student, faculty, guest, alumni, etc), we generate a 32-character password change authorization code, or PCAC (ex. KLAS-DFHL-KASD-FKLJ-KKL3-243I-HF34-POI2), and a unique username. The account is initially locked. The user receives the username and code through the postal service to a known address, in person, or it is presented to them online if they are able to establish an account-creating relationship online.
Once they have the PCAC, they are instructed to keep it in a safe permanent location (ex. with birth certificate or social security card). They are also instructed to use this code to activate their account and set their password online. From anywhere in the world they can enter the PCAC and username into a secure web form to set their password.
Once the user has a known username and password combination they use this to access all their services.
This same procedure can be used in the future to instantly reset their password if they have lost or forgotten it. Of course if they know their password they will always be allowed to use that to change it to something else.
At this point they have established identity, received credentials, and with their PCAC can always recover from lost or forgotten passwords. All these steps can be performed online, self-service. The security of their account is primarily in their hands. No one at the institution ever knows their password, and there is no formulaic way of figuring it out. There are no guessable hints.
All of this explains the situation where the user has their PCAC or password. In the contingency where they have lost or misplaced their PCAC, they can have a new one created immediately in person, or request a new one to be mailed to them via an online form.
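One way to implement the PCAC lifecycle just described, as an added example that is not part of the original proposal: account creation returns the plaintext code once for the mailing step and stores only a salted hash of it; the same code activates the locked account, sets the password and later resets a forgotten one; a known password can change itself; and a reissued code invalidates the lost one. Choices the proposal leaves open and that I make here: the code is 32 characters from A-Z0-9 printed in groups of four, compared after normalising case and punctuation so it can be typed from paper; a salted SHA-256 of the code is stored, which is adequate because the code is a 165-bit random secret rather than a human-chosen one; the password is stored as PBKDF2-HMAC-SHA256. The class and method names and the username are constructed.

```python
"""PCAC (password change authorization code) lifecycle: generate, hand out
once, store hashed, activate, reset, reissue."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, Optional

CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LENGTH = 32            # matches the 8 groups of 4 in the example code
PBKDF2_ROUNDS = 200_000     # raise to suit the server hardware


def generate_pcac() -> str:
    raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
    return "-".join(raw[i:i + 4] for i in range(0, CODE_LENGTH, 4))


def normalise_pcac(typed: str) -> str:
    """Users copy the code from paper: ignore case, hyphens and spaces."""
    return "".join(ch for ch in typed.upper() if ch in CODE_ALPHABET)


def hash_pcac(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(b"pcac-v1:" + salt + normalise_pcac(code).encode()).digest()


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    locked: bool = True                    # locked until the PCAC is used once
    pcac_salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pcac_hash: bytes = b""
    pw_salt: Optional[bytes] = None
    pw_hash: Optional[bytes] = None


class IdentityStore:
    """Holds only hashes; nobody at the institution can read a password or code."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def create_account(self, username: str) -> str:
        """Return the plaintext PCAC exactly once, for the mailing step."""
        acct = Account(username)
        code = generate_pcac()
        acct.pcac_hash = hash_pcac(code, acct.pcac_salt)
        self.accounts[username] = acct
        return code

    def _pcac_matches(self, acct: Account, code: str) -> bool:
        return hmac.compare_digest(acct.pcac_hash, hash_pcac(code, acct.pcac_salt))

    def _store_password(self, acct: Account, password: str) -> None:
        acct.pw_salt = secrets.token_bytes(16)
        acct.pw_hash = hash_password(password, acct.pw_salt)

    def set_password_with_pcac(self, username: str, code: str, new_password: str) -> bool:
        """Activation and, later, self-service reset: same form, same code."""
        acct = self.accounts.get(username)
        if acct is None or not self._pcac_matches(acct, code):
            return False
        self._store_password(acct, new_password)
        acct.locked = False
        return True

    def verify_password(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.locked or acct.pw_hash is None:
            return False
        return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.pw_salt))

    def change_password(self, username: str, old_password: str, new_password: str) -> bool:
        """A user who knows the password may always change it without the PCAC."""
        if not self.verify_password(username, old_password):
            return False
        self._store_password(self.accounts[username], new_password)
        return True

    def reissue_pcac(self, username: str) -> Optional[str]:
        """Lost PCAC: a new code (new salt too) replaces the old, which stops working."""
        acct = self.accounts.get(username)
        if acct is None:
            return None
        acct.pcac_salt = secrets.token_bytes(16)
        code = generate_pcac()
        acct.pcac_hash = hash_pcac(code, acct.pcac_salt)
        return code


if __name__ == "__main__":
    store = IdentityStore()
    code = store.create_account("alice")        # constructed username
    print("mail this once:", code)
    print("activated:", store.set_password_with_pcac("alice", code.lower(), "correct horse"))
    print("login:", store.verify_password("alice", "correct horse"))
```

Because the PCAC is meant to be kept for years, it is never burned after use; what limits its exposure is that the plaintext exists only on the letter and in the user’s hands, while the reissue path replaces the stored hash so a lost letter cannot be used after a replacement has been requested.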
I have posted this with hopes that people will review this and comment on their opinion of its viability. Please leave comments if you see problems or advantages in this we have not.
This solution is not useful for schools with a PKI solution, but could be used very easily as a cheap intermediary solution while that area matures.
Flowchart of this process (PDF)
PCAC Example (PDF)
Jon Emmons’ article on this same topic: Password Management in an Identity-Theft World
(This proposal authored by Jon Emmons and Zachary Tirrell - 2005)
Tags: faces, identity, identity management, information technology, it, Jon Emmons, password, password management, passwords, PCAC, pki, pooch, security, Zach Tirrell, Zachary Tirrell
Remember faces, recover a password?
July 20, 2005 | 3 Comments
Last fall when I was in San Diego for the CAMP Identity Management and CAMP Enterprise Authentication Workshop put on by Educause and NMI-EDIT, I saw a very strange product demo. At the time I ignored it thinking it was a bit too strange. However for the last six months it has remained in my head.
The product is called Passfaces(tm) by the company Real User, which works on what they call “cognometric authentication.” In short, you remember a bunch of faces and this allows you to get back your password if you have forgotten it, or it can be used in place of the password altogether. Can you imagine clicking on 5 faces and getting logged in instead of entering a password? From my perspective, the best use would be as an alternative to ridiculously insecure questions like “What is your mother’s maiden name?”, “What’s your favorite pet’s name?”, etc.
According to Real User, the system works because:
The Passface(tm) system is based on the human brain’s remarkable ability to recognize individual faces*. This underlying principle is supported by extensive academic research and cognitive psychology experiments. Real User’s own long-term trial with Passfaces(tm) at our Web site has operated successfully for over 15,000 users - some of these returning after two years of non-use and being able to immediately recognize their passfaces.
For more detail on the science behind this, check some of their white papers. I find the technology combined with psychology here fascinating. The person giving the demo at the conference said they’d been running it for over a year without any difficulty.
Tags: authentication, identity, identity management, password, password initialization, password recovery, psychology, technology
