OpenID Verification
by Nathan on Jun.13, 2007
The other day I was listening to Security Now, a podcast about computer security, and they were talking about OpenID. I have OpenID implemented on this site in case you didn’t know. Anyway, a cool thing about OpenID is since it is open source, you can create your own way to verify yourself. So I can run an OpenID server off my web host, thus I am responsible for my own security and authentication. I like this idea, but one thing I don’t like is that most OpenID servers simply use the standard user name and password for verification. This kind of sucks if my credentials get compromised, as this would open up every site I use OpenID on.
Idea for Verification
I got to thinking about this and how it can be improved. First, I would only use the user name and password as a way of telling the OpenID server to start its verification process. The next step would be to have the server use a key located somewhere to authenticate the user. This key would have to be created anew after a certain amount of time. Once this key is validated, the server would know it’s really you. The great thing about this system is the key isn’t created by the OpenID server; it has to be created outside the OpenID server. This way, if your user name and password are compromised, they would only be good for a day, or less depending on how you have your key set up.
Idea for Storing the Key
- The key could be stored in a non-web-accessible directory on the same web server as OpenID. This would entail logging into the server through SSH or other means and creating the key. Still pretty safe, as you would need access to the server in order to change the key.
- Another way could be simply running your own OpenID server on your local machine, and storing the key only when the server is running.
- GmailFS or other remote mounting disks.
- Another site to create the key, although I don’t like this idea.
- You could even encrypt the key, before storing it somewhere.
- Many other possibilities
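
A sketch of the first storage option combined with the expiry idea, added here as an example and not code from the original post or from any OpenID server. It assumes the user presents the key at login, that the key file's modification time marks its age, and that the file holds only a SHA-256 digest of a random key; the names `create_key`, `second_step_ok`, `login` and `MAX_KEY_AGE` are hypothetical.

```python
import hashlib
import hmac
import os
import secrets
import stat
import time

MAX_KEY_AGE = 24 * 60 * 60  # assumed lifetime: one day, as in the post


def create_key(path):
    """Run out-of-band (e.g. over SSH); the OpenID server never calls this."""
    key = secrets.token_urlsafe(32)  # random, so a plain digest is enough
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(hashlib.sha256(key.encode()).hexdigest())
    os.chmod(path, 0o600)  # tighten the mode if the file already existed
    return key  # shown once to the user; only the digest stays on disk


def second_step_ok(path, presented_key, now=None, max_age=MAX_KEY_AGE):
    """Return True only if the key file is private, fresh and matches."""
    now = time.time() if now is None else now
    try:
        st = os.stat(path)
        with open(path) as fh:
            stored = fh.read().strip()
    except OSError:
        return False  # no key has been created: fail closed
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False  # accessible to group/other: treat as exposed
    if now - st.st_mtime > max_age:
        return False  # expired; a new key must be created out-of-band
    presented = hashlib.sha256(presented_key.encode()).hexdigest()
    return hmac.compare_digest(stored, presented)  # constant-time compare


def login(password_ok, path, presented_key, now=None):
    # The password only starts verification; the key decides the outcome.
    return bool(password_ok) and second_step_ok(path, presented_key, now)
```

The permission check relies on POSIX file modes, so it is meaningful only on a Unix-like host.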

