Secure OpenID matters to Microsoft

Kudos to Microsoft for announcing its intention to bring OpenID support to HealthVault, and congratulations to TrustBearer for being HealthVault’s first announced OpenID provider!

Assuming Microsoft isn’t just in this for the press release, and gets support for this turned on fairly quickly, this is the first public enterprise-grade OpenID Relying Party of which I’ve become aware. Very nice work to all involved!

The biggest problem I have with TrustBearer being the only announced OpenID provider for HealthVault is that users will be obligated to buy a $40 gizmo from TrustBearer. Or provide their own second-factor hardware from an obscure list of approved devices (which surprisingly doesn’t even include PayPal’s obnoxious “use-anywhere” Security Key).

No one should pay anybody a single cent for any of these things! Technology isn’t supposed to put extra junk into your pocket. With the decade-old promise of device convergence, technology has been faithfully shucking devices out of your pocket. As an example, you probably have a phone, a day planner, a music player, and a camera all in one device in your pocket right now. And if used correctly, that single device (your cell phone) also serves very effectively as a second authentication factor that can be just as strong as the stuff peddled by TrustBearer and other security hardware vendors.

With luck, the smart folks at Microsoft (George Scriban, Kim Cameron, Mike Jones) understand that if there’s only one approved OpenID provider for HealthVault (and an expensive one, at that), then they aren’t really supporting OpenID. They might just as well start charging users for hardware to secure Live ID. Remember, fellas, that there are some of us OpenID providers out here (such as myVidoop, my employer’s provider) that offer two-factor security at absolutely no cost to the end user.

[Update: fixed a couple of minor typos.]


  1. Tony B.
    Posted June 18, 2008 at 9:56 pm | Permalink

    Is TrustBearer anything like

  2. Posted June 19, 2008 at 6:55 am | Permalink

    So they ‘support’ OpenID as long as you choose to store your identity with the provider of their choice? Lame. I would think health care portals would be more immune to stupid stunts just to be buzzword compliant.

    OpenID was created to solve a set of problems that it cannot do until companies start trusting end users to be capable of managing their own identity. When companies roll out OpenID like this it just makes me sad. They either don’t get it or don’t care and just want to be cool and slap an OpenID logo on their site.

  3. Klint Borozan
    Posted June 19, 2008 at 5:44 pm | Permalink

    My challenge with this is it continues to propagate the token notion of purchasing another device you need to carry... in addition to the token you have for work, etrade, paypal, fidelity, the bank, etc.
    JanRain announced a secure two factor authentication for OpenID, named CallVerifID, that uses the cell phone as a proxy for the token or the stub mentioned in the blog, and uses an out of channel authentication voice call to make it safe. Billions of phones out there already. So, as deployment of phone based out of channel authentication proliferates for OpenID, you could use it for everything, and eliminate the little hardware gremlin from the picture. My parents are 70 and try to keep up with security at my urging, but will mix up tokens and stubs. But when using CallVerifID, they can follow the instructions while receiving the phone call, and remember how to use it next time. In the case of the healthcare vertical, Doctors are the same. They demand simplicity and things that make sense or they rebel and won’t use it and demand change. In the case of the call, once they are on the line, the doctor can press a number to even be routed someplace else, i.e. nursing station to check on patients as they are logged in... infinite flexibility and simplicity. Ohio Health just implemented another version of the same and had a token burning party for 4k tokens. The “Smart Guys” at Microsoft need to work with JanRain as a secure OP for Healthvault and let them bake off. If for no other reason than just the cost and aggravation associated with managing, supporting, and selling the stub.

One Trackback

  1. [...] been to blog about this when the feature goes live later in the week. But there’s been some online discussion already, and I’m sitting here at the horse show in waiting mode anyway, so it seems like now [...]
