OpenID 2.0 and Strong Authentication? so 2FA is 'wasted'...
And why not?
FICAM's point of view on OpenID and strong authentication! I'm not convinced for the moment... Something to think about!
OpenID can't reach LOA3?
Excerpt from the ICAM OpenID 2.0 Profile document:
"OpenID 2.0 as described in this document has completed the scheme adoption process and has been adopted by Federal Identity, Credential, and Access Management (ICAM) for the purpose of Level of Assurance (LOA) 1 identity authentication (i.e., conducting low risk transactions with the Federal government). Proper use of this Profile ensures that implementations:
• Meet Federal standards, regulations, and laws;
• Minimize risk to the Federal government;
• Maximize interoperability; and
• Provide end users (e.g., citizens) with a consistent context or user experience at a Federal Government site.
This Profile does not alter the OpenID 2.0 standard, but rather specifies which areas of the standard can be used for technical interoperability of government applications, and how they will be used.
The OpenID 2.0 protocol facilitates exchange of OpenID messages (requests and/or responses) between endpoints. For this adopted scheme, messages pertain primarily to the exchange of an identity assertion that includes authentication and attribute information. In ICAM, the endpoints are typically the Relying Party (RP) and the Identity Provider (IdP).
OpenID 2.0 defined herein includes the following features: single sign-on, session reset, attribute exchange, pseudonymous identifiers, and authentication policy. In addition, this Profile defines two main OpenID 2.0 use cases: the end user starting at the RP and the end user starting at the IdP. Use case diagrams and sequence diagrams are provided to illustrate the use cases. Privacy, security, and activation are also discussed. Programmed trust (a mechanism to indicate to RPs which IdPs are approved for use within ICAM) is also discussed, and a high-level process flow diagram is provided.
The Profile concludes with detailed technical guidance that scopes OpenID 2.0 for ICAM purposes. Like most specifications, OpenID 2.0 provides options. Where necessary, ICAM specifies or removes options in order to achieve better security, privacy, or interoperability."
More info: ICAM OpenID 2.0 Profile
@smaret yes, but pairing 2FA with OpenID could be incongruous. ICAM says OpenID tops out at LOA1, so 2FA is 'wasted'...


