Protecting the Keymaster
Today's announcement that Google, Microsoft, Yahoo!, IBM, and VeriSign are joining the OpenID Foundation's board is great news for the future of online identity. A single portable online identity has long been elusive, and we're excited to see it come one step closer to reality. I certainly won't miss my ever growing list of usernames and passwords!
But what happens when your entire online identity is consolidated into a single entity? It becomes a prime target for attack. In the pre-OpenID world, attackers need to steal your individual credentials for each and every site you visit; but if they're all replaced with a single OpenID, hacking just one account gives you the keys to the castle.
The need for strong account protection has never been greater, which is why we've integrated our VIP Authentication Service with the VeriSign Labs' Personal Identity Provider as a showcase for how strong authentication melds with user-centric identity. Our users agree - a significant percentage of PIP users already protect their OpenID with a PayPal Security Key or a VIP Security Card.
Once you add strong authentication to OpenID, you need a way for relying parties to request it, and for identity providers to answer those requests. This is where the PAPE standard comes in, providing a standardized language for OpenID sites to talk about the strength of their authentication.
In the OpenID world, we're encouraged to put all of our eggs into one basket. Just make sure you stick a good lock on it!