Jan 22 2008, 08:32 PM
Post
#1
Super Member Group: [HOSTED] Posts: 501 Joined: 25-April 05 Member No.: 4,374 |
An article from Security Focus (http://www.securityfocus.com/brief/665) states that Yahoo! is considering adding support for OpenID (http://openid.net/). This would add Yahoo! to the growing number of sites that are supporting the open source effort. There is no mention of Yahoo! Messenger but I would guess that it will not be supported immediately by the desktop client. For those who have not heard of OpenID I would suggest doing some research. It promises to get rid of the hundreds (perhaps thousands for some) of separate website passwords. You could essentially use the same credentials for every site that supports OpenID. One of the reasons that I am so excited about this is some of the extra security that could be added.
I recently got the PayPal security key (https://www.paypal.com/securitykey) and if you are familiar with any of the RSA tokens then you should know what this does. It is a physical device that fits on your keychain and generates a unique six-digit number every 30 seconds. When you go to log into PayPal you add the six digits on the end of your password and it makes a unique password for you every 30 seconds. The security key is synchronized with the PayPal servers so it can confirm that only the person holding the security key can log in. This adds another factor to the traditional three-factor authentication model and makes stealing someone’s PayPal account almost impossible (at least from a password point of view). Even if someone knows, sniffs, or phishes your password, it is only good for 30 seconds and then a new one is required. The interesting part of this is that the maker of the PayPal security key is VeriSign, which also makes its own branded security token. VeriSign also happens to be an OpenID provider (https://pip.verisignlabs.com) and you can use their security token with OpenID. What this means is that you now have a very high security password that changes every 30 seconds for every website that you visit. If for some reason you give your password to an unscrupulous website or your favorite website’s password database gets hacked, you will have no fear that your password is compromised because it was only good for 30 seconds. With OpenID gaining support I am sure there will be a lot more interesting and more secure ideas put forth that will make the bad guy’s life a little harder.
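The "password plus six digits" check described in the post above, as an added example that is not part of the original post and is not PayPal's or VeriSign's code. It assumes the token follows RFC 6238 TOTP with HMAC-SHA1, which the post does not state; the `Verifier` class, the password and the shared secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as described in the post
DIGITS = 6   # code length, as described in the post


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (assumed algorithm, not stated in the post)."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Hypothetical server side: checks 'password + code', refuses code reuse."""

    def __init__(self, password: str, secret: bytes, drift_steps: int = 1):
        self.password = password    # constructed sample; a real server stores a hash
        self.secret = secret        # shared with the token at provisioning time
        self.drift_steps = drift_steps  # tolerated clock drift, in 30 s steps
        self.last_step = -1         # highest time step already accepted

    def login(self, submitted: str, now: int) -> bool:
        # The last six characters are the token code, the rest is the password.
        pw, code = submitted[:-DIGITS], submitted[-DIGITS:]
        if not hmac.compare_digest(pw.encode(), self.password.encode()):
            return False
        current = now // STEP
        for step in range(current - self.drift_steps,
                          current + self.drift_steps + 1):
            if step <= self.last_step:
                continue  # step already used: a captured code cannot be replayed
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(code.encode(), expected.encode()):
                self.last_step = step
                return True
        return False
```

The drift window means a code is accepted for slightly longer than one 30-second step, which is why the verifier also records the last accepted step and rejects any code at or before it.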
Jan 23 2008, 03:59 PM
Post
#2
Premium Member Group: [HOSTED] Posts: 393 Joined: 9-March 07 From: Tucson, AZ Member No.: 20,794 |
I wish more people would implement OpenID with multifactor security...it's a pain in the ass to grep through my KeePass database every time I log into a site (I'm one of those people that insists upon using 16+ character randomly generated passwords for everything) but that's the only real reliable way of limiting damage if my passwords are compromised.
I use RSA SecurID at work and I love it, except when AD hassles me to change my password as if it doesn't already change every 60 seconds anyway. Since my token is on my keys, there's really not much risk of compromise. I love multifactor authentication like this, the only problem is, the way the industry is heading, I'm gonna have to tote around 20 different tokens! The government needs to step in here and put smart chips on our driver's licenses, and give every citizen a smart card reader. Then we could use the keys on the card along with a single password to authenticate ourselves to sites via some centralized keystore managed over in Langley. Of course, this will never happen...damn liberals freak out at even the idea of a digital passport!