Archive for the ‘single_sign_on’ Category

GateKeeper, open source site opened …


A new site has been opened to support the GateKeeper development effort.

GateKeeper is an authentication bar that operates from the Firefox browser chrome area (no access to remote scripts…) and that allows password authentication using the SRP algorithm. This renders password authentication insensitive to phishing or other MITM attacks.

Additionally, the GateKeeper bar collaborates with a relevant authentication portal to authenticate the website that the user is about to enter (runtime certification…).

Sites that use GateKeeper authentication are completely immune to phishing or other MITM attacks. GateKeeper can use a static password or a KerPass OATH one-time password, the latter combination providing optimal resistance against brute force, spyware and MITM.


Why in-browser single sign-on matters

As we have been visiting the topic of in-browser single sign-on frequently these days, we think it worthwhile to clarify why we see value in such technology. The two main benefits that single sign-on can deliver are:

  • Helping to maintain the diversity of the web ecosystem
  • Making web applications easier to secure

Maintaining biodiversity in the web ecosystem:

The lack of easy registration/sign-on across the large number of applications currently maintained on the web makes the emergence of second movers difficult.

Introducing GateKeeper, in-browser single sign-on extension

GateKeeper extension …

We think it is interesting to share with the community a development on which the KerPass engineers are currently working. The screenshot above shows the GUI part (XUL widget) of the extension, which appears in the browser when an authentication request has been received. The extension allows a relying website to require the end user to authenticate at authentication portals that the relying site trusts for this purpose. GateKeeper is the much-needed missing part for in-browser single sign-on to happen reliably on the web.

InfoCard/CardSpace getting the big picture …

Recent posts on this blog suggest our interest in “open” in-browser single sign-on systems. As a result, we have briefly discussed the perceived strengths and weaknesses of Yahoo BBAuth and the emerging OpenID standards. Regarding OpenID, it appears to us that the enthusiasm of the community is unfortunately not backed by sufficient technology to make the system applicable in the context of the wild open Internet. The recent announcement that CardSpace and OpenID are engaging in a marriage allows Microsoft to capitalize on the buzz created by OpenID. We now see OpenID as an empty shell (a remarkable online marketing success though …); the pressing question that remains to be addressed is: what is the value of this CardSpace stuff?

Holdup on OpenID …

While we were busy trying to evaluate whether OpenID was an attractive in-browser single sign-on protocol, it looks like things have changed drastically on this side with the announcement of the alliance with Microsoft CardSpace.

It will be interesting to see how the dust settles and whether all the contributors who have invested valuable time and resources in this effort feel happy about this move. On our side, we have been closely following what was going on here, as we considered for a while that our strong authentication technologies could be used in the context of OpenID identity provider portals.

OpenID, BBAuth: some interesting differences …

We often read that OpenID and Yahoo BBAuth are very similar in principle. While this holds largely true, it seems interesting to us to see where those two protocols differ.

First of all, BBAuth and OpenID have different objectives:

  • BBAuth allows Yahoo authentication (yahoo_identifier, password) to be reused in websites (we call them Relying Parties) that have an agreement with Yahoo (acting as Identity Provider) to allow this.
  • OpenID, for its part, tries to solve a more challenging problem, where a potentially large number of websites (Relying Parties…) rely on a federation of Identity Providers to authenticate their end users…


OpenID, where do we stand?

We receive questions about how KerPass compares to OpenID, so it looks like we will not escape making this blog buzzword compliant and having our say on this ongoing effort.

Before detailing our thoughts on this technology, a clarification: KerPass is about strong authentication, whereas OpenID is about providing an identifier that can be reused across different websites. So, to cut a long story short, KerPass does not currently relate to OpenID, but could allow identity providers (OP, as the OpenID spec calls them) to strongly authenticate their end users before allowing their identifier to be used on a third-party website.