shahine.com/omar/


# Tuesday, August 12, 2008

VeriSign launches competitor to PassPack

Over the past few months I’ve been thinking A LOT about passwords and how broken the Internet is right now with respect to authentication. Expect a number of posts over the next few weeks about my thoughts on the matter (timely since this NYT piece came out this past weekend).

For the record, I have over 266 unique passwords for websites and currently use RoboForm to manage them all (I actually ran RoboForm for over a year so that I could capture every site I entered credentials into). I would like a solution that roams with me, but dual-factor authentication and strong password reset mechanisms are a requirement.

Why does VeriSign's entry matter? For one thing, they play a fairly important role in how the Internet runs, and they have a distinguished history in Internet security technology.

I’ve been playing around with VeriSign Personal Identity Portal (PIP) the last few days. VeriSign PIP is an OpenID provider with a number of novel features that make it far and away the best OpenID provider out there.

They support:

  1. OpenID 2.0
  2. SSL Client Certificates for authentication
  3. VeriSign Identity Protection (VIP) security key products for dual-factor authentication
  4. Information Cards
  5. OneClick Sign-in access for over 80 popular websites (like Facebook, Google, Windows Live)

Item #5 competes directly with PassPack, which is a cool web-based service for storing your usernames and passwords (secured by a password and a "packing key"). I haven't moved over to them yet because I'm taking my time to understand the options out there.

VeriSign takes a similar approach to PassPack in that to get to your data you:

  1. Log in using your username and password or an Information Card
  2. Optionally enter your Security Code (if you don't have your fob you can fall back to SMS)
  3. Use your encryption key to "unlock" your OneClick passwords.

This all seems good. It's important to note that all your OneClick usernames and passwords are encrypted with a key that only you know. If someone manages to get access to your account, they will NOT be able to get to your OneClick passwords unless they also know this key. The flip side is that there is no mechanism to "reset" this key: if you lose it, you lose all your passwords and need to start over.

This is why I believe that in the long run OpenID is far better than anything else that has been proposed. For one thing, OpenID is flexible enough to support multiple authentication mechanisms like Information Cards, dual-factor authentication and SSL certificates, and it is now backed by a number of big players in technology (Google, Microsoft, etc.).

IMHO one of the best features of OpenID is that you are not generating some random password (or, worse, reusing the same password you use on every other website) and handing it over to a stranger who, for all you know, doesn't encrypt or otherwise secure it.

While there is still a long way to go, I consider this progress. VeriSign's product is something my family can understand and use.


Tuesday, August 12, 2008 9:56:36 PM (Pacific Daylight Time, UTC-07:00)
It's unfortunate that the NYT writer didn't really seem to "get" the difference between identity and authentication and made some leaps as a result. I agree with what you say: OpenID in the *long run* is a better solution, especially when the future means combining it as an identity infrastructure, along with strong authentication layers and other options like Verisign's offering, et al.

The real keys to OpenID's success - IMHO - are:

1. Adoption of a comprehensive relying-party status by the "big guys" (and the features you mention make that more likely as the technology matures more)
2. Usability improvements

Will be fun to watch and work with.
Tuesday, August 12, 2008 10:02:29 PM (Pacific Daylight Time, UTC-07:00)
So where does CardSpace fit into this? I watched and listened as it was being introduced and it seemed to be a great solution, especially considering it wasn't tied to Windows. I haven't heard much since. I haven't done any research or sample apps with it, but my guess is that it's too difficult to implement?
John Walker
Wednesday, August 13, 2008 9:01:28 AM (Pacific Daylight Time, UTC-07:00)
John,

CardSpace, aka Information Cards, is supported by both VeriSign and myOpenID. Both providers allow you to login using your CardSpace card w/o entering your username or password to login and authenticate to the OpenID provider.

I find a couple of problems with CardSpace, namely that if you are using a computer without your "card" you can't login using it.
Wednesday, August 13, 2008 10:31:24 AM (Pacific Daylight Time, UTC-07:00)
Omar.

Note that the PIP 1-Click Sign-in does not divulge your names and passwords to VeriSign! The browser submits an encrypted version to the PIP vault service (using your 1-click key, which only YOU know; the key is never sent to VeriSign either).

That way, VeriSign does not have any of your names and passwords. Yet, you can enjoy the convenience of a 1-click SSO user experience across the Web. From a security standpoint, because the bookmarklet stores the key in the browser, security is achieved by strengthening your login to the PIP. That is why we also give you a free VeriSign certificate to secure your PIP OpenID login.

Hope you will like our service.
Cheers.

Nico

ps: note that our bookmarklet also does 1-click OpenID sign-In.
Wednesday, August 13, 2008 10:52:53 AM (Pacific Daylight Time, UTC-07:00)
Nico-

I corrected my statement above to reflect the fact that Verisign has no visibility into my passwords, and neither does any attacker who might be able to break into my PIP account. Sorry I missed that.
Wednesday, August 13, 2008 5:17:03 PM (Pacific Daylight Time, UTC-07:00)
It has been nice to see so much discussion recently regarding passwords and how with so much data online we need a better solution.

I work for Vidoop and I believe we have a solution that meets your criteria. myVidoop is an OpenID provider that also has an integrated password manager plug-in. It is free to download and will store all your online passwords: http://twurl.cc/2rj

You can choose to store your passwords locally or online with myVidoop. If you store your passwords on myVidoop then they are accessible from anywhere. Our FF plugin will also do form filling.

All your data is protected by our two-factor authentication ImageShield, which is phishing, man-in-the-middle, and shoulder surfing resistant. Using our ImageShield a random access code is generated every time you login. We have an excellent video describing how our ImageShield protects your data here: http://www.vidoop.com/products/overview

For my personal solution I keep a copy of FireFox portable on a thumb drive, along with the plugin installed and password file and have a completely portable solution that I can plug in anywhere. Once I am done I just unplug the drive and move on.

I am interested to see your future posts on passwords. I have yet to see an extensive review of the major password management solutions out there. I think that would be an excellent post.

Cheers,
Kevin
Wednesday, August 13, 2008 5:34:39 PM (Pacific Daylight Time, UTC-07:00)
I actually love the RoboForm software myself. I use it all of the time and it takes all of the menial everyday tasks that I have to perform on my computer daily and shortens them extremely! What once took me fifteen minutes to complete now takes me only one second because RoboForm does the same task with just one click. In fact I wrote a Report about a lot of RoboForm’s capabilities for use that aren’t even touched on in the User’s Manual for RoboForm. You can get that Report here:

http://www.booksbonkers.com/TheRoboFormReport!2.html

Sometimes this link gets broken and puts you on a 404 error page. If that happens, then just copy and paste the whole link above in a new web browser page.
Wednesday, August 13, 2008 5:46:07 PM (Pacific Daylight Time, UTC-07:00)
Passpack and VeriSign have more or less the same objective - eliminating the hassle of passwords - but are used differently.

Passpack will very soon be an OpenID supporter as well, so Passpack will actually complement OpenID (http://passpack.wordpress.com/2008/08/01/how-passpack-and-openid-can-complement-each-other/). So a user doesn't have to feel restricted to make an exclusive choice between the two.

The irretrievable Packing Key, which is the only way to unencrypt your stored credentials, is the basis of Passpack security - host-proof hosting (http://passpack.wordpress.com/2008/03/10/host-proof-hosting/) - which ensures complete user control of their own data.

Depending on the user, the combination of an online security vault and an authentication system could be a very secure solution to online password security.

Louise (Passpack :)
Sunday, August 17, 2008 10:56:39 PM (Pacific Daylight Time, UTC-07:00)
I roam Roboform using Foldershare. :)
Monday, August 18, 2008 4:25:21 AM (Pacific Daylight Time, UTC-07:00)
Hi - Tara from Passpack here. Sorry to chime in so late, I took a few days vacation (incredible, I know).

Just wanted to re-paste the link that Louise had problems with.

Passpack OpenID support: http://tinyurl.com/5or9g9

One of our users commented he's jazzed on using his Verisign PIP OpenID to login to his Passpack account.

I think the most exciting thing we're seeing here is interoperability. You can use your OpenID to login to your password manager, or your password manager to 1 Click Login to any number of OpenID providers, or both.

But either which way - it sure is nice to have Verisign "compete" with us.

Cheers to all!
Tara Kelly
Passpack Founding Partner
Monday, August 18, 2008 10:28:04 AM (Pacific Daylight Time, UTC-07:00)
@dtc So do I, but not all computers I use have FolderShare or RoboForm installed :-(. Also not easy to share passwords with the wife.