Digital Trust

Extra tokens are convenient

May 1, 2008 · 5 Comments

A couple weeks ago we announced a new feature that allows users to link multiple tokens to a single TrustBearer OpenID account. The original reason for doing this was to allow users to link a backup token to their account in case their primary token was lost.

I found another purpose for linking multiple tokens: convenience. I keep a keyboard with a few USB ports at the office. Every day I plug this keyboard into my laptop. I linked an additional token to my TrustBearer OpenID account and I keep this token plugged into my keyboard. Now, whenever I’m in the office I don’t need to go searching for my keys to log into an OpenID website.

Hardware that is built into our computers is much more convenient to use. I’m sure that Apple has increased video chatting with iSight cameras now included with every laptop they sell. For a while, Dell has been including smart card readers in their business-class laptops. Many IBM & Lenovo ThinkPad laptops include a built-in biometric swipe sensor. Will we ever see a smart card reader in a MacBook? I doubt it. But that’s another conversation…

For those of you who have been issued a smart card, either from your company, government, or private institution, do you carry around a reader with you all the time? Has having the card convinced you to get a laptop with a built-in smart card reader? 

Categories: human factor

5 responses so far ↓

  • Sergey // June 7, 2008 at 12:26 PM

    I’m wondering why you are sticking with the physical token concept. Why not evolve strong authentication towards usage of physical devices already in the hands of consumers, such as a mobile phone?

  • Ashwin // June 8, 2008 at 6:43 PM

    Word. Lots of benefits. First, no need to distribute or manage physical tokens. Second, 2nd factor authentication could occur out of band, which could protect against lots of man in the middle and phishing. Are there any non-token TrustBearer services on tap?

  • Brian Kelly // June 9, 2008 at 8:01 AM

    We are considering a few alternative tokens from the traditional ones that we’ve supported in the past. This includes mobile phones and soft tokens. One of the challenges in the mobile phone space is a standard for communication between the host computer and the mobile phone, but we’re getting there.

  • Ashwin // June 14, 2008 at 10:20 PM

    Thanks Brian, I’ve looked at a variety of these (i.e. PhoneFactor). Seems like (though I don’t fully understand this stuff) they focus on placing a call rather than establishing some sort of data session, which seems like it could be a common technical solution without regard for differences between telephone networks. Would love to stick with your stuff though…

  • Billy // June 17, 2008 at 8:24 PM

    One big upside to the PhoneFactor-type solution is the Out of Band component. It would be great if your solution didn’t essentially translate the “what you have” into a “what you know” and then require the user to feed it into the browser, where phishing can occur.
