good post.

I often think in terms of low-med-high security, where low is equivalent to mailing lists (spam threat), medium is online banking through web browsers, and high is payment systems using direct cash (digicash, bitcoin, e-gold, etc., because they are instantly redeemable by thieves, not paypal).

Passwords might get you to medium. Browsers also might get you to medium. But not beyond. A problem with grand federated dreams is that while they tend to work at a micro/paper level, they also tend to trash their assumptions & shed their security as they scale up.

Would it be possible to describe in general words what LOA-1 through 4 entails?

iang

On 31/05/12 04:25 AM, Joe St Sauver wrote:
Peter commented:

#That users know passwords and they "work" is a large part of the problem
#with passwords: the same low entropy security token is used for multiple
#systems with varying levels of sensitivity.  When using passwords, both the
#user and the end systems must, in general, be trusted with the security
#token; so say a user uses the same password on 20 services then *all* of
#those services must be secure *and* the user must keep the password secure.

I'd suggest that there are some options that can reduce the credential
explosion while avoiding inadvisable reuse of credentials on multiple
systems, e.g., federated authentication as implemented with Shibboleth
via federations such as InCommon (ObDisclaimer: I work with Internet2
and InCommon, although not on federated auth per se (other than as a user)).
One credential, issued by one's home institution, but usable in a privacy
preserving and secure way across multiple providers.... I think that's a
huge win for users and for the sites that work with them, and this is
certainly a theme/objective of the current US NSTIC (National Strategy for
Trusted Identities in Cyberspace) work.

I'd also suggest that it might be helpful to frame the discussion in terms of
NIST 800-63 levels of assurance. Passwords will work for LOA-1 and LOA-2,
but if you need LOA-3 or LOA-4, they won't. (Obviously the various LOAs
involve more than just use of passwords or multifactor authentication,
but for the purpose of this discussion, let's just focus on that one
aspect of LOAs for the time being.)

Of course, one problem that we sometimes run into (at least in higher ed)
is that it can be hard to find an application that motivates going all the
way to LOA-4. Pretty easy to dredge up use cases that motivate people to
get to LOA-3 and multifactor, but LOA-4, well that's a bit trickier.

Regards,

Joe

Disclaimer: all opinions strictly my own
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
