I need to be on a watch of what people do. So can i atleast restrict
them to use only one id with which they login the first time?
because i have to calculate their usage and all and fix them
specific download quotas. so i shud make sure that the user doesn't
use another openid to login and continue using the website. pls
advise..
Um . . . no, OpenID (and this applies to any authentication system)
is not the answer. There is NO authentication system (and don't trust
anyone in the world who tells you otherwise) that can guarantee you,
over the anonymity of the 'net, a given user is not someone who has
dealt with you before. Simply impossible. Individuals (important
distinction from users, here - an individual is any person at the
other end of a keyboard, users are how you know them at your site)
cannot be FORCED to use the same credentials consistently. You
*might*, conceivably, receive an offer from some mercenary team that
would meet (on your behalf) potential "clients" (wannabe "users"),
babysit them 24/7, and give you a call every time the individual was
about to log in so you could confirm their username - but this is an
exception, not the rule, and in any case unfeasible for your
non-profitable music site ;)
Unless you're the RIAA . . . but even they haven't gone that far. Yet ;)
You can limit your popularity with certain OpenID's, in an attempt to
combat such tactics as "subdomain1.user.com, subdomain2.user.com,
subdomain3.user.com", but what do you do if you see
"profile.yahoo.com/D1105508B89AFBBF162C4B88966"? (Note: probably not
a valid URI for Yahoo, just a quick example.) Does this mean that
users are availing themselves of an ability to present a different
URI to an OP on each authentication, to avoid tracking? Perhaps it
simply means that the user has created more than one Yahoo account?
(Which, by the way, are free.) How do you propose to keep the user
from trying "another OpenID" when that OpenID is the very method by
which you would identify users?
You can track their IP address (this could be part of an
authentication system, complementing OpenID), banning numbers and
then entire blocks with excessive use (the exact definition of
"excessive" being up to you), but some of them will just go through
free proxies. This is self-limiting; if more than one person uses a
proxy, you just catch it faster. If you do go that route, automate
it, because new proxies are always becoming available (and old ones,
disappearing), and you don't want to waste your time on that endless
task.
I don't recommend it, though; you can go a long way with such
countermeasures, and STILL have problems. You can hope to keep the
costs down to manageable levels, at best. But users who want to
"cheat" will still do so; *they* can outthink *you* - not all of
them, and not all of the time, but a few of them will always be
slipping through. The strategy I recommend is *rewarding* users for
staying with a single OpenID: make the benefits outweigh whatever
short-term gain they might receive, so users won't *want* to cheat
that way.
This *would* encourage people to use the same OpenID for logging in,
no matter where they are. Find out which OP's (if any) offer a unique
password for logging in to predefined sites (OSP: one-site-password),
and recommend them to users, so the OP doesn't became a gateway to
all that user's *other* sites if they log into your site from a
public terminal.
-Shade
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
