Wednesday 10 April 2013

Using OpenID and a mobile phone to create a secure authentication method...

OpenID is a great system to provide Single Sign-On across multiple web applications (check out www.openid.net).
I already had a simple OpenID server set up on my home domain to test it. However, thinking about authentication, I'd prefer to have something where just capturing my user name and password wouldn't be enough (especially if that then gives you access to ALL my accounts).

The rule for authenticating someone is to check at least one of the following:
 - something they know (user/pass)
 - something they have (physical key, card)
 - something they are (biometrics)
Checking just one element can lead to problems (theft of the object, password stealing, etc.). Good practice is therefore to use at least two of the elements together.

So, I think what I want is to centralise with OpenID, and then enter a password on a separate physical object that I always have with me.... my phone!

By changing my OpenID server, it will send an SMS to my phone requesting authentication. The reply to the SMS must be the valid password (stored on my OpenID server).
Hence, the only way to authenticate is to have both the password AND my physical phone! And to disable my logins (if I lose my phone, for instance), I just need to reconfigure the phone number in the server.
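The server side of that flow, as an added example that is not code from the post or from any OpenID server implementation: the OpenID server sends an SMS challenge to the registered number, and the login is approved only if the reply comes from that number within a time limit and carries the right password. Everything here is constructed for the example; the SMS gateway is an injected `send_sms(number, text)` callable (a stub in the demo), the user store is an in-memory dictionary, and the stored password is a salted PBKDF2 hash rather than the plaintext.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for the OpenID server's user store and SMS gateway.
# Assumption: the phone replies with the password alone, as the post describes.

CHALLENGE_TTL = 120      # seconds a pending SMS challenge stays valid
PBKDF2_ROUNDS = 100_000  # the server keeps a salted hash, never the plaintext


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PhoneSecondFactor:
    """Approve an OpenID login only when the registered phone replies with the password."""

    def __init__(self, send_sms):
        self.send_sms = send_sms  # transport is injected so the flow runs offline
        self.users = {}           # user -> {"phone", "salt", "pw_hash"}
        self.pending = {}         # phone -> {"cid", "user", "expires"}; one live challenge per phone
        self.approved = {}        # challenge id -> user, consumed by is_approved()

    def register(self, user, phone, password):
        salt = secrets.token_bytes(16)
        self.users[user] = {"phone": phone, "salt": salt, "pw_hash": _hash_password(password, salt)}

    def set_phone(self, user, phone):
        # Re-pointing the number is the post's kill switch for a lost phone;
        # any challenge still pending for the old number is dropped as well.
        old = self.users[user]["phone"]
        self.pending.pop(old, None)
        self.users[user]["phone"] = phone

    def begin_login(self, user, now=None):
        """Called by the OpenID endpoint when a relying party asks for a login."""
        now = time.time() if now is None else now
        phone = self.users[user]["phone"]
        cid = secrets.token_hex(8)  # unpredictable id the endpoint later checks
        self.pending[phone] = {"cid": cid, "user": user, "expires": now + CHALLENGE_TTL}
        self.send_sms(phone, "OpenId login request: reply with your password")
        return cid

    def handle_reply(self, from_number, body, now=None):
        """Called by the SMS gateway for every inbound message.
        Returns the approved challenge id, or None. Any reply, right or wrong,
        consumes the challenge, so a guess cannot be retried against one login."""
        now = time.time() if now is None else now
        chal = self.pending.pop(from_number, None)  # reply must come from the registered number
        if chal is None or now > chal["expires"]:
            return None
        rec = self.users[chal["user"]]
        if not hmac.compare_digest(_hash_password(body.strip(), rec["salt"]), rec["pw_hash"]):
            return None
        self.approved[chal["cid"]] = chal["user"]
        return chal["cid"]

    def is_approved(self, cid):
        """Single-use check the OpenID endpoint makes before issuing its assertion."""
        return self.approved.pop(cid, None)


if __name__ == "__main__":
    outbox = []  # stub gateway: collect outgoing messages instead of sending them
    mfa = PhoneSecondFactor(lambda number, text: outbox.append((number, text)))
    mfa.register("alice", "+15550100", "correct horse battery")  # constructed sample user
    cid = mfa.begin_login("alice")
    print("SMS sent:", outbox[-1])
    print("reply from another phone approved:", mfa.handle_reply("+15550199", "correct horse battery"))
    print("reply from registered phone approved:", mfa.handle_reply("+15550100", "correct horse battery") == cid)
    print("login approved for:", mfa.is_approved(cid))
```

The example keeps the post's design of replying with the password itself, which means the password crosses the carrier network in the clear with every login; a production version would rather have the phone app answer with a one-time code so that an intercepted reply is worthless a minute later. The other checks (sender number, expiry, single use, constant-time comparison) are what make "phone AND password" actually hold on the server side.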

To make the phone experience even better, I can use onX to detect a magic word in the incoming SMS ("OpenId", for example), pop up a notification dialog to request the password, and automatically send the response.

Well, that's the plan anyway....

And in phase 2, add a biometric validation (face recognition?) to the phone app! (TODO...)
