Estonia issuing Smart-cards for OpenID logins?

Well, it won’t help the massive global DDoS attack that Estonia is coming under from political activist botnet owners who are objecting to the country moving a Russian war memorial.

There’s a lot of hot debate about Estonia issuing OpenIDs for up to 1 million users. The authentication is locked down with smartcards, which is a very positive move.

Any kind of federated identity, where you use one password or one set of credentials to log into multiple websites, really requires strong 2-factor authentication. If you simply use a name and password, then once a phisher gets your credentials, they have access to all your websites at once.

There is some hyperbole about this Estonian OpenID rollout. Some claim that smartcards prevent phishing, and that is not completely accurate. There’s also been talk that every resident of Estonia will be issued an OpenID credential, and that’s not strictly true either.

Nevertheless, it's interesting that a government is stepping in and issuing Internet identity credentials, and tying them to strong authentication.

6 Responses to “Estonia issuing Smart-cards for OpenID logins?”

  1. Martin Paljak Says:

    To be precise: This is NOT a government activity. Watch my blog (http://martin.paljak.pri.ee) for different posts that shall be posted about this service now and in the future.

  2. Martin Paljak Says:

    And there are no smart cards *issued* for OpenID specifically – there is just a strong electronic identity infrastructure that allows such add-ons like OpenID authentication to be implemented. They just happen to use the strong authentication methods provided with the identity infrastructure already in place (that powers applications like secure online banking and secure online voting as well).

  3. Carsten Pötter Says:

    Surely I have had to realise that smart cards don’t prevent phishing completely, but I have not claimed that every Estonian will have an OpenID. ;)

  4. Carsten Pötter Says:

    Small correction: I have claimed it in the title (in order to have a short one) but was more clear in the article.

  5. steve pepple Says:

    A combination of multi-factor authentication and OpenID is a good way to prevent many types of phishing attacks.

    I work with a team that is developing a beta implementation of strong authentication for OpenID using a number of different authentication devices, TrustBearer OpenID.

    We’ve found that this infinitely decreases the possibility of someone fraudulently accessing another person’s account. We’ve found some compelling ways to thwart phishing here, as well. We use a web browser add-on to manage the authentication process, and we actually check the validity of sites here. A user’s private data also remain private during OpenID authentication.

    We’ve been concentrating on simple user experience at this point, and we are interested to learn what sort of features users will look for in this type of OpenID implementation.

    With our OpenID, you basically just set up a strong authentication device and then link the device to your OpenID URL.

  6. Martin Paljak Says:

    OT: I just received an IronKey (S200 Personal), it would be nice if some of the identity functionality worked on Mac as well.
