[OpenID] MultiAuth and MultiFactor Authentication
SitG Admin
sysadmin at shadowsinthegarden.com
Fri Jan 30 22:08:04 PST 2009
One of the things I expected we might see if MultiAuth became widely
implemented, is the diversification and specialization of OP's;
instead of a single OP providing (for example) 3 factors, at varying
levels of effectiveness, each OP might focus on handling a single
factor *very very well*, and assume that the user would be involving
other OP's anyway, so there wouldn't necessarily be any weakness in
any single OP not covering more than one factor by itself.
With the suspicion implied in MultiAuth's trust model, though, aren't
we losing factors? If we assume that 1 (unknown) OP is malicious,
doesn't this mean that they would be lying about whether the user
authenticated at all, and therefore we would have to subtract from
our list the factor(s) that OP was assumed to provide? The simplest
setup I see for OP's to provide less than 3 factors (assuming we're
looking at the traditional three) without any being lost is 3 OP's
each covering 2 out of 3 (subtracting any one OP would leave half its
factors covered by each of the other OP's), or perhaps half-a-dozen
OP's (one redundanct provider apiece) if OP's insisted on
specializing down to a single factor. This gets more complicated if
we want to allow for the possibility of one or more of those OP's
going down *and then (still)* having one of the remaining OP's be
malicious.
I'm rethinking whether specialization is likely to occur. It would
enable OP's to start out focusing on just one mode of authentication,
rather than having to compete in all areas from the beginning. The
community's ability to collectively duplicate a major OP's
multifactor authentication would keep users from being easily
"locked-in" without any viable alternatives.
(Seem unlikely? Think of how much money your company might stand to
lose if vital services were unavailable during the switch - and
pretend these vital services are something *besides* OpenID, to
emulate the part where you don't really understand how OpenID works.
Think of the companies that are still spending money on Microsoft
products today, not because they are *unaware* of free alternatives
but because of the loss of productivity they would suffer while their
employees retrained with the new software. If setting up your own OP
takes too long, or too many resources, it may not be viable.)
It looks like the cost:effect ratio might lose more to effect (when
the users prefer to not use so many OP's to establish their identity)
than it stands to gain from reduced cost.
-Shade
More information about the general
mailing list