Comments on: Secure OpenID matters to Microsoft http://scott.blomqui.st/2008/06/secure-openid-matters-to-microsoft/ My online identity sandbox Tue, 12 Jan 2010 18:17:35 -0800 http://wordpress.org/?v=2.9.1 hourly 1 By: IdentityBlog - Digital Identity, Privacy, and the Internet's Missing Identity Layer http://scott.blomqui.st/2008/06/secure-openid-matters-to-microsoft/comment-page-1/#comment-73 IdentityBlog - Digital Identity, Privacy, and the Internet's Missing Identity Layer Tue, 24 Jun 2008 01:32:49 +0000 http://scott.blomqui.st/2008/06/secure-openid-matters-to-microsoft/#comment-73 [...] been to blog about this when the feature goes live later in the week. But there’s been some online discussion already, and I’m sitting here at the horse show in waiting mode anyway, so it seems like now [...] [...] been to blog about this when the feature goes live later in the week. But there’s been some online discussion already, and I’m sitting here at the horse show in waiting mode anyway, so it seems like now [...]

]]> By: Klint Borozan http://scott.blomqui.st/2008/06/secure-openid-matters-to-microsoft/comment-page-1/#comment-71 Klint Borozan Thu, 19 Jun 2008 23:44:22 +0000 http://scott.blomqui.st/2008/06/secure-openid-matters-to-microsoft/#comment-71 My challenge with this is it continues to propogate the token notion of purchasing another device you need to carry,,,,in addition to the token you have for work, etrade, paypal, fidelity, the bank, etc. JanRain announced a secure two factor authentication for OpenID, named CallVerifID, that uses the cell phone as a proxy for the token or the stub mentioned in the blog, and uses an out of channel authentication voice call to make it safe. Billions of phones out there alread. So, as deployment of phone based out of channel authentication proliferates for OpenID, you could use it for everything, and eliminate the little hardware gremlin from the picture. My parents are 70 and try to keep up with security at my urging, but will mix up tokens and stubs. But when using CallVerifID, they can follow the instructions while receiving the phone call, and remember how to use it next time. In the case of the healthcare vertical, Doctors are the same. They demand simplicity and things that make sense or they rebel and wont use it and demand change. In the case of the call, once they are on the line, the doctor can press a number to even be routed someplace else, ie nursing station to check on patients as they are logged in....infinite flexibility and simplicity. Ohio Health just implemented another version of the same and had a token burning party for 4k tokens. The "Smart Guys" at Microsoft need to work with JanRain as a secure OP for Healthvault and let them bake off. If for no other reason than just the cost and aggravation associated with managing, supporting, and selling the stub. My challenge with this is it continues to propogate the token notion of purchasing another device you need to carry,,,,in addition to the token you have for work, etrade, paypal, fidelity, the bank, etc.
JanRain announced a secure two factor authentication for OpenID, named CallVerifID, that uses the cell phone as a proxy for the token or the stub mentioned in the blog, and uses an out of channel authentication voice call to make it safe. Billions of phones out there alread. So, as deployment of phone based out of channel authentication proliferates for OpenID, you could use it for everything, and eliminate the little hardware gremlin from the picture. My parents are 70 and try to keep up with security at my urging, but will mix up tokens and stubs. But when using CallVerifID, they can follow the instructions while receiving the phone call, and remember how to use it next time. In the case of the healthcare vertical, Doctors are the same. They demand simplicity and things that make sense or they rebel and wont use it and demand change. In the case of the call, once they are on the line, the doctor can press a number to even be routed someplace else, ie nursing station to check on patients as they are logged in….infinite flexibility and simplicity. Ohio Health just implemented another version of the same and had a token burning party for 4k tokens. The “Smart Guys” at Microsoft need to work with JanRain as a secure OP for Healthvault and let them bake off. If for no other reason than just the cost and aggravation associated with managing, supporting, and selling the stub.

]]> By: Steven Osborn http://scott.blomqui.st/2008/06/secure-openid-matters-to-microsoft/comment-page-1/#comment-70 Steven Osborn Thu, 19 Jun 2008 12:55:43 +0000 http://scott.blomqui.st/2008/06/secure-openid-matters-to-microsoft/#comment-70 So they 'support' OpenID as long as you choose to store your identity with the provider of their choice? Lame. I would think health care portals would be more immune to stupid stunts just to be buzzword compliant. OpenID was created to solve a set of problems that it cannot do until companies start trusting end users to be capable of managing their own identity. When companies roll out OpenID like this it just makes me sad. They either don't get it or don't care and just want to be cool and slap an OpenID logo on their site. So they ’support’ OpenID as long as you choose to store your identity with the provider of their choice? Lame. I would think health care portals would be more immune to stupid stunts just to be buzzword compliant.

OpenID was created to solve a set of problems that it cannot do until companies start trusting end users to be capable of managing their own identity. When companies roll out OpenID like this it just makes me sad. They either don’t get it or don’t care and just want to be cool and slap an OpenID logo on their site.

]]> By: Tony B. http://scott.blomqui.st/2008/06/secure-openid-matters-to-microsoft/comment-page-1/#comment-69 Tony B. Thu, 19 Jun 2008 03:56:21 +0000 http://scott.blomqui.st/2008/06/secure-openid-matters-to-microsoft/#comment-69 Is TrustBearer anything like ilok.com? Is TrustBearer anything like ilok.com?

]]>