Hi.

Is there a best practice on how Openid consumers can find out whether
re-authenticating the user, via the OpenID server, once in a while can
lead to improved security?

The security of normal one-time password systems (SecurID, SMS codes,
Yubikeys, ..) can be improved if you ask for a new one-time password
once in a while.

Of course, the OpenID server cannot do this on its own, so it needs to
be initiated by the OpenID consumer, but that will not happen without
clues that it is a good idea to do perform re-authentication.

Thoughts?

Would this be a worthwhile addition to the
openid-provider-authentication-policy-extension document?  I'm thinking
that the Response Parameters should include an optional parameter that
imply that a one-time-password system was used, which suggests that the
RP may re-authenticate the user more frequently.

It may be useful to generalize this idea somewhat, but I can't come up
with a better abstraction.  Even re-authenticating using password may
improve security in some situations (although I suspect most passwords
are cached by browsers anyway these days).  Ideas welcome.

Thanks,
Simon

Btw, this idea originated from discussions on
<http://forum.yubico.com/viewtopic.php?f=9&t=126>.
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Reply via email to