Challenges

Identity management is currently one of the most crucial security issues on the Internet. As users grow accustomed to services provided on the Web, they have to create accounts in order to authenticate themselves to service providers. Whether for online shopping, accessing a bank account online, or taking part in a social network, users rely on a digital identity that is bound to them by credentials, the most common being a login/password pair.

Nevertheless, password-based authentication remains insecure, even where countermeasures are added against the simplest forms of identity theft, such as dictionary attacks. Banking sites, for instance, rely on SSL server authentication so that the user can check that they are talking to the genuine site, which protects against phishing; but the user still logs in with a password, and the site limits the number of failed attempts to defeat dictionary attacks. This countermeasure is effective against guessing, yet it has a side effect: an attacker who tries to take over a given account locks its legitimate owner out, since the account stays disabled until the owner proves their identity to the bank, which can be rather inconvenient.

Moreover, most websites implement neither SSL server authentication nor a limit on the number of failed login attempts, which makes identity theft easy to carry out, especially since user passwords are chiefly simple words that can be guessed in a handful of attempts.
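The lockout countermeasure and its side effect, as an added example that is not part of the original page and is not EtherTrust's code: the Go program below replays a constructed login log (a short dictionary attack on one account from one address, then the account owner logging in from her own machine) through two policies. The per-account lockout the text describes stops the attack but also locks the owner out. A hypothetical alternative, added here for contrast and not taken from the page, counts failures per (account, source) and applies an exponentially growing delay: the attacker's source is throttled after its first wrong guess while the owner still gets in. All names, addresses and passwords are made up.

```go
package main

import (
	"fmt"
	"time"
)

// One row of a constructed authentication log (sample data, not real traffic).
type loginAttempt struct {
	user, source, password string
	at                     time.Time
}

// A policy says whether an attempt may be checked against the password store at all.
type policy interface {
	allow(a loginAttempt) bool
	record(a loginAttempt, ok bool) // told the outcome so it can update its counters
}

// accountLockout is the bank-style countermeasure from the text: after maxFails
// wrong guesses the account is disabled, no matter who made the guesses.
type accountLockout struct {
	maxFails int
	fails    map[string]int // per account
}

func newAccountLockout(maxFails int) *accountLockout { return &accountLockout{maxFails, map[string]int{}} }
func (l *accountLockout) allow(a loginAttempt) bool { return l.fails[a.user] < l.maxFails }

// A correct password never clears the counter: the account stays disabled until
// the owner proves their identity out of band, the side effect the text describes.
func (l *accountLockout) record(a loginAttempt, ok bool) {
	if !ok {
		l.fails[a.user]++
	}
}

// sourceThrottle (a hypothetical alternative, not from the page) counts failures
// per (account, source) and imposes an exponentially growing delay instead of a
// hard lock, so an attacker slows down only their own source.
type sourceThrottle struct {
	base  time.Duration        // first delay; doubles on every further failure
	fails map[string]int       // per (account, source)
	next  map[string]time.Time // earliest time the next attempt is accepted
}

func newSourceThrottle() *sourceThrottle {
	return &sourceThrottle{time.Second, map[string]int{}, map[string]time.Time{}}
}
func key(a loginAttempt) string { return a.user + "@" + a.source }
func (t *sourceThrottle) allow(a loginAttempt) bool { return !a.at.Before(t.next[key(a)]) }

func (t *sourceThrottle) record(a loginAttempt, ok bool) {
	k := key(a)
	if ok {
		delete(t.fails, k)
		delete(t.next, k)
		return
	}
	t.fails[k]++
	t.next[k] = a.at.Add(t.base << uint(t.fails[k]-1)) // base, 2*base, 4*base, ...
}

// Constructed scenario: documentation-range addresses and a made-up password.
const (
	realPassword = "correct-horse-battery"
	ownerSource  = "203.0.113.7"
	attackerSrc  = "198.51.100.9"
)

// sampleLog: five dictionary guesses on "alice" from one source, then alice herself
// logging in from her own machine ten minutes later.
func sampleLog() []loginAttempt {
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	var log []loginAttempt
	for i, guess := range []string{"password", "123456", "alice", "letmein", "qwerty"} {
		log = append(log, loginAttempt{"alice", attackerSrc, guess, t0.Add(time.Duration(i) * 100 * time.Millisecond)})
	}
	return append(log, loginAttempt{"alice", ownerSource, realPassword, t0.Add(10 * time.Minute)})
}

// simulate replays the log through a policy and reports how many attacker guesses
// reached the password comparison and whether the owner's own login succeeded.
func simulate(p policy, log []loginAttempt) (checked int, ownerIn bool) {
	for _, a := range log {
		if !p.allow(a) {
			continue // refused before the password is even compared
		}
		ok := a.password == realPassword // a real system verifies a hash instead
		p.record(a, ok)
		if a.source == ownerSource {
			ownerIn = ownerIn || ok
		} else {
			checked++
		}
	}
	return
}

func main() {
	fmt.Println(simulate(newAccountLockout(3), sampleLog())) // 3 false
	fmt.Println(simulate(newSourceThrottle(), sampleLog()))  // 1 true
}
```

Run with `go run`: the lockout lets three guesses through and then refuses everyone, the owner included; the throttle checks a single guess, and the owner, arriving from another source, is not delayed at all. Neither policy makes the password itself any stronger, which is the point the page goes on to make.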

The impact of identity theft varies greatly from one use case to another, but it is potentially serious in every case, since users often reuse the same password across several Web services. To spare users from creating multiple accounts, single sign-on (SSO) architectures such as Windows CardSpace, Liberty Alliance and OpenID have been developed. OpenID has the advantage of being extremely simple and accessible to any user. However, if standard authentication methods are used, OpenID can present security weaknesses, the principal one being password-based authentication at the identity provider. In an SSO architecture the impact of identity theft can be tremendous, since an attacker who takes over the single identity gains access to several service providers in the victim's name. Such a use case requires a level of security that password-based authentication cannot provide.

EtherTrust Solution

EtherTrust has developed a strong authentication technology built on a dedicated application embedded in smart devices. The device holds the user's certificate and cryptographic keys and runs the EtherTrust application, which carries out the secure exchanges with the server on its own, whatever terminal it is plugged into.

In an OpenID context with SSL certificate-based authentication, the user generates the certificate corresponding to the digital identity being created; that certificate replaces the classic login/password user account. Because the private key and the certificate stay on the smart device, this procedure combines directly with the device's protection to authenticate the user with high security.
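The certificate-based login step, as an added example that is not part of the original page and is not EtherTrust's code: the Go program below has the user generate a self-signed certificate, enrols the certificate's SHA-256 fingerprint at a minimal identity provider in place of a password hash, and then authenticates over TLS with that certificate. It covers only the user-to-provider authentication; the OpenID assertion to relying parties and the smart device holding the key are outside the example. The `provider` server, its fingerprint registry, the `/login` path and the use of `RequireAnyClientCert` plus fingerprint pinning (rather than a CA) are assumptions of the example, chosen because a user-generated certificate chains to no authority.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// newUserCert is the user's side: a fresh key pair and a self-signed certificate
// for a new identity. On the page the key lives on the smart device; here it stays
// in memory. No CA is involved, the user alone signs the certificate.
func newUserCert(identity string) (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: identity},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, nil
}

// fingerprint is what the provider stores at enrolment instead of a password hash.
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// provider (hypothetical): the TLS layer demands a client certificate and the
// handler accepts only certificates whose fingerprint was enrolled.
type provider struct {
	enrolled map[string]string // certificate fingerprint -> identity
}

func (p *provider) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		http.Error(w, "client certificate required", http.StatusUnauthorized)
		return
	}
	id, ok := p.enrolled[fingerprint(r.TLS.PeerCertificates[0].Raw)]
	if !ok {
		http.Error(w, "certificate not enrolled", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "authenticated as %s", id)
}

// RequireAnyClientCert fails the handshake when no certificate is presented but
// leaves trust to the registry: self-generated certificates chain to no CA.
func newProviderServer(p *provider) *httptest.Server {
	srv := httptest.NewUnstartedServer(p)
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAnyClientCert}
	srv.StartTLS()
	return srv
}

// login connects as the holder of certs (none means no client certificate at all)
// and returns the HTTP status. A fresh transport per call prevents reuse of a
// connection that was authenticated with a different certificate.
func login(srv *httptest.Server, certs ...tls.Certificate) (int, error) {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // trust the test server's own certificate
	cfg := &tls.Config{RootCAs: pool, Certificates: certs}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(srv.URL + "/login")
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	p := &provider{enrolled: map[string]string{}}
	srv := newProviderServer(p)
	defer srv.Close()
	alice, _ := newUserCert("alice")
	p.enrolled[fingerprint(alice.Certificate[0])] = "alice" // enrolment step
	impostor, _ := newUserCert("alice")                     // same name, other key, not enrolled
	for _, c := range [][]tls.Certificate{{alice}, {impostor}, nil} {
		fmt.Println(login(srv, c...)) // 200 <nil>, 401 <nil>, 0 <handshake error>
	}
}
```

Run with `go run`: the enrolled certificate gets 200, a second certificate with the same common name but a different key gets 401, and a client with no certificate never reaches the handler because the handshake itself fails. Nothing secret ever leaves the client; the private key only signs the TLS handshake, which is what makes the scheme phishing-resistant compared with a password typed into whatever page the user lands on.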

Benefits

> Users gain access to a simple and secure single sign-on authentication server just by carrying their smart portable device and plugging it into their terminal

> Anti-phishing protection is built into the EtherTrust solution (based on SSL authentication) and is thus guaranteed

> Users can create and manage identities effortlessly, without any need for a login/password pair
