[ale] help - how do I log into learnstreet without ...
On Fri, Mar 29, 2013 at 1:59 PM, David Tomaschik
<david at systemoverlord.com> wrote:
> On Fri, Mar 29, 2013 at 6:39 AM, Michael B. Trausch <mbt at naunetcorp.com> wrote:
>> On 03/28/2013 09:26 PM, David Tomaschik wrote:
>> > This is true, but it also provides *one provider* who you need to trust
>> > with security, not every site. You can run that provider yourself with
>> > OpenID. So, OpenID (or centralized authentication in general) reduces
>> > the attack surface, but increases the damage from a successful attack.
>> I'm surprised at you, David! Such a blanket statement. That also
>> depends on what one has in place to _mitigate_ compromise. I think that
>> anyone who puts any system in place and then does not plan for it to be
>> compromised is missing the whole point of security. Assume it will
>> break. Mitigate what can happen when it does.
> Assuming you have >1 service using that OpenID provider, the damage from
> compromising the OpenID account is, by definition, more than a compromise
> of one of those accounts. I never said that it results in a complete loss
> of control.
I know this is an old email, but it was sitting in my drafts for a while.
This is where two-factor systems come into play. For example, myOpenID will
call your phone number to verify whenever you log in to your account. It
even has a voice-print security feature, but I'm not sure if that really
adds any extra security or is junk science.
> David Tomaschik
> OpenPGP: 0x5DEA789B
> david at systemoverlord.com