Is there a best practice on how Openid consumers can find out whether
re-authenticating the user, via the OpenID server, once in a while can
lead to improved security?

The security of normal one-time password systems (SecurID, SMS codes,
Yubikeys, ..) can be improved if you ask for a new one-time password
once in a while.

Of course, the OpenID server cannot do this on its own, so it needs to
be initiated by the OpenID consumer, but that will not happen without
clues that it is a good idea to perform re-authentication.


Would this be a worthwhile addition to the
openid-provider-authentication-policy-extension document?  I'm thinking
that the Response Parameters should include an optional parameter that
imply that a one-time-password system was used, which suggests that the
RP may re-authenticate the user more frequently.

It may be useful to generalize this idea somewhat, but I can't come up
with a better abstraction.  Even re-authenticating using password may
improve security in some situations (although I suspect most passwords
are cached by browsers anyway these days).  Ideas welcome.


Btw, this idea originated from discussions on the specs mailing list.
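As an added illustration of the relying-party side of this idea (example code written for this page, not from the original post or the OpenID specification), here is how an RP could use the PAPE response to decide when to send the user back to the OP for re-authentication. The parameter names `openid.pape.auth_policies`, `openid.pape.auth_time`, `openid.pape.max_auth_age` and `openid.pape.preferred_auth_policies`, and the `multi-factor`, `multi-factor-physical` and `phishing-resistant` policy URIs, are the real PAPE 1.0 ones; the proposed "a one-time password was used" signal is approximated here by the `multi-factor-physical` policy (hardware tokens such as SecurID and YubiKey fall under it). The re-authentication intervals, the `REAUTH_AGE` table and the sample response are constructed for the example.

```python
"""Added example: relying-party re-authentication policy driven by PAPE.

Real PAPE 1.0 names: openid.pape.auth_policies, openid.pape.auth_time,
openid.pape.max_auth_age, openid.pape.preferred_auth_policies and the
policy URIs below.  The intervals and the sample response are constructed.
"""
from datetime import datetime, timedelta, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY_MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
POLICY_MULTI_FACTOR_PHYSICAL = "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical"
POLICY_PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"

# Constructed RP policy: how long an OP authentication is trusted before the
# RP asks for a fresh one.  Shorter for one-time-password style credentials,
# where asking for a new code once in a while buys real assurance.
REAUTH_AGE = {
    "physical-token": timedelta(hours=1),
    "multi-factor": timedelta(hours=8),
    "password-only": timedelta(days=1),
}

# Which policy the RP asks the OP to prefer when it re-authenticates.
PREFERRED_POLICY = {
    "physical-token": POLICY_MULTI_FACTOR_PHYSICAL,
    "multi-factor": POLICY_MULTI_FACTOR,
    "password-only": "",
}


def asserted_policies(resp: dict) -> set:
    """Policies the OP claims were satisfied.  PAPE uses the literal value
    'none' when no policy was met, so that token is dropped."""
    raw = resp.get("openid.pape.auth_policies", "none")
    return {p for p in raw.split() if p and p != "none"}


def classify_assurance(resp: dict) -> str:
    """Map the asserted policies onto the RP's three assurance buckets."""
    policies = asserted_policies(resp)
    if POLICY_MULTI_FACTOR_PHYSICAL in policies:
        return "physical-token"
    if POLICY_MULTI_FACTOR in policies:
        return "multi-factor"
    return "password-only"


def parse_auth_time(value: str) -> datetime:
    """PAPE auth_time is UTC in the form 2005-05-15T17:11:51Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reauth_due(resp: dict, now: datetime) -> bool:
    """True when the RP should send the user back to the OP.

    A missing or unparseable auth_time is treated as 'due': without a
    timestamp the RP cannot judge freshness, so it errs on the safe side."""
    level = classify_assurance(resp)
    raw = resp.get("openid.pape.auth_time")
    if raw is None:
        return True
    try:
        auth_time = parse_auth_time(raw)
    except ValueError:
        return True
    return now - auth_time > REAUTH_AGE[level]


def build_reauth_request(level: str) -> dict:
    """PAPE request parameters for the next checkid_setup: tell the OP how
    stale an authentication the RP will accept and which policy it prefers."""
    age_seconds = int(REAUTH_AGE[level].total_seconds())
    return {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.max_auth_age": str(age_seconds),
        "openid.pape.preferred_auth_policies": PREFERRED_POLICY[level],
    }


# Constructed sample: OP asserts a physical second factor at 12:00 UTC.
SAMPLE_RESPONSE = {
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": POLICY_MULTI_FACTOR_PHYSICAL + " " + POLICY_PHISHING_RESISTANT,
    "openid.pape.auth_time": "2007-06-01T12:00:00Z",
}

if __name__ == "__main__":
    now = datetime(2007, 6, 1, 13, 30, tzinfo=timezone.utc)
    level = classify_assurance(SAMPLE_RESPONSE)
    print("assurance:", level, "reauth due:", reauth_due(SAMPLE_RESPONSE, now))
    print("next request:", build_reauth_request(level))
```

The point of the `max_auth_age` parameter is that the RP does not have to guess: it states the freshness it requires and the OP either re-prompts the user or reports an `auth_time` the RP can check against its own clock, so the decision to re-authenticate more often for one-time-password users stays on the RP side, as the post proposes.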