Hi. Is there a best practice on how OpenID consumers can find out whether re-authenticating the user, via the OpenID server, once in a while can lead to improved security?

The security of normal one-time password systems (SecurID, SMS codes, Yubikeys, ...) can be improved if you ask for a new one-time password once in a while. Of course, the OpenID server cannot do this on its own, so it needs to be initiated by the OpenID consumer, but that will not happen without clues that it is a good idea to perform re-authentication.

Thoughts? Would this be a worthwhile addition to the openid-provider-authentication-policy-extension document? I'm thinking that the Response Parameters should include an optional parameter that implies that a one-time-password system was used, which suggests that the RP may re-authenticate the user more frequently.

It may be useful to generalize this idea somewhat, but I can't come up with a better abstraction. Even re-authenticating using a password may improve security in some situations (although I suspect most passwords are cached by browsers anyway these days).

Ideas welcome.

Thanks,
Simon

Btw, this idea originated from discussions on <http://forum.yubico.com/viewtopic.php?f=9&t=126>.

_______________________________________________
specs mailing list
email@example.com
http://openid.net/mailman/listinfo/specs
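As an added illustration of the RP-side logic the post is asking for (this is example code written for this page, not Simon's code and not part of the PAPE draft), the block below shows how a relying party could turn PAPE response parameters into a re-authentication decision and into the `openid.pape.max_auth_age` value it sends on the next checkid request. The `openid.pape.auth_time`, `openid.pape.auth_policies`, `openid.pape.max_auth_age` and `openid.pape.preferred_auth_policies` names and the multi-factor policy URI are the real PAPE 1.0 identifiers; the `openid.pape.otp_used` parameter is a hypothetical stand-in for the optional "a one-time password was used" flag the post proposes, and the three intervals are assumed site policy, not anything the spec prescribes. The sample responses are constructed for the example.

```python
"""RP-side re-authentication policy driven by PAPE response parameters.

Added example for this page; not code from the original post or from the
PAPE specification. 'openid.pape.otp_used' is a hypothetical parameter
standing in for the one the post proposes; the intervals are assumptions.
"""
from datetime import datetime, timedelta, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"

# Re-authentication intervals chosen by the RP (assumption: tune per site).
INTERVAL_OTP = timedelta(minutes=30)       # a fresh OTP is cheap, ask often
INTERVAL_MULTI_FACTOR = timedelta(hours=4)
INTERVAL_DEFAULT = timedelta(hours=24)     # plain password, or no PAPE data


def utc(ts):
    """Parse a PAPE auth_time value (UTC, 'YYYY-MM-DDThh:mm:ssZ')."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_pape(response):
    """Extract (auth_time, policies, otp_used) from a flat dict of OpenID
    response parameters. auth_time is None if the OP did not report it."""
    # Find the alias under which the PAPE namespace was declared (usually 'pape').
    alias = None
    for key, value in response.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            alias = key[len("openid.ns."):]
    if alias is None:
        return None, frozenset(), False
    prefix = f"openid.{alias}."
    raw_time = response.get(prefix + "auth_time")
    auth_time = utc(raw_time) if raw_time else None
    # PAPE sends the literal 'none' when no policy was satisfied.
    policies = frozenset(p for p in response.get(prefix + "auth_policies", "").split()
                         if p != "none")
    # Hypothetical parameter from the post's proposal: OP says an OTP was used.
    otp_used = response.get(prefix + "otp_used") == "true"
    return auth_time, policies, otp_used


def reauth_interval(policies, otp_used):
    """How long the RP is willing to trust an authentication of this kind."""
    if otp_used:
        return INTERVAL_OTP
    if MULTI_FACTOR in policies:
        return INTERVAL_MULTI_FACTOR
    return INTERVAL_DEFAULT


def needs_reauth(response, now):
    """True if the RP should send the user back to the OP right now.
    An OP that reports no auth_time gives no freshness signal, so the RP
    falls back to treating the session as needing re-authentication."""
    auth_time, policies, otp_used = parse_pape(response)
    if auth_time is None:
        return True
    return now - auth_time > reauth_interval(policies, otp_used)


def reauth_request_params(response):
    """PAPE request parameters for the next checkid request: ask the OP to
    re-authenticate unless the last authentication is within the interval,
    and ask for the same policies again."""
    _, policies, otp_used = parse_pape(response)
    interval = reauth_interval(policies, otp_used)
    return {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.max_auth_age": str(int(interval.total_seconds())),
        "openid.pape.preferred_auth_policies": " ".join(sorted(policies)),
    }


# Constructed sample responses (not captured from a real OP).
SAMPLE_OTP_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_time": "2008-01-15T10:00:00Z",
    "openid.pape.auth_policies": MULTI_FACTOR,
    "openid.pape.otp_used": "true",   # hypothetical parameter
}
SAMPLE_PASSWORD_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_time": "2008-01-15T10:00:00Z",
    "openid.pape.auth_policies": "none",
}

if __name__ == "__main__":
    now = utc("2008-01-15T10:45:00Z")
    print("OTP session needs re-auth:", needs_reauth(SAMPLE_OTP_RESPONSE, now))
    print("password session needs re-auth:", needs_reauth(SAMPLE_PASSWORD_RESPONSE, now))
    print(reauth_request_params(SAMPLE_OTP_RESPONSE))
```

The point of the design is that the RP, not the OP, decides the interval, but it only gets a sensible interval if the OP gives it a clue such as the proposed flag; without it the RP can only key off `auth_policies`, which says nothing about whether the second factor was a one-time value that is cheap to ask for again.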