Ah joy. It's 12:31 AM on Sunday morning, hence I shouldn't be blogging: but I like the news, and it will take just a minute.

Back in June I blogged about SignOn.com, an openID provider that allows you to authenticate using personal cards side by side with traditional password support. In fact, while I was super happy to see the openID-CardSpace starting to deliver, I "complained" that the password was still a necessary step for setting up an account.

IMHO (and only IMHO): a system is as secure as its weakest link; and while it's real handy to be able to use information cards for authenticating, as long as there is a chance to access the same account via shared secret I am vulnerable to the typical attacks associated with that. Say that somebody calls me and convinces me to reveal my username & password: my account is compromised, regardless of the fact that it has infrastructure in place for supporting CardSpace as well.

Again: I recognize that going pure card-based authentication is a bold step, and that for acceptance it is absolutely reasonable to offer both methods. Back in June I applauded the SignOn guys for their work, and I maintain that position today.

That said, I was reading the latest post on Kim's blog, and there I learned that there is another openid provider that supports authentication via personal cards: it's myopenid, by JanRain. MyOpenID does exactly what I was asking for: it allows me to create a new openid without having to establish any password. Let